Skip to content
Come October 1, online shopping using your credit and debit cards will become safer.
The Reserve Bank of India (RBI) has directed payment aggregators, wallets, and online merchants not to store sensitive card-related customer information, including full card details. The 16-digit card numbers will get replaced with a ‘token.’ The only way to conveniently make a card payment repeatedly is through a new process called ‘tokenization.’
“Transactions using cards will remain unaffected by the card tokenization process,” says Reeju Datta, Co-founder at Cashfree Payments. It will make transactions more secure, he adds.
“As a customer, you don’t need to remember the details of a token. The end-customer experience is not changing while making payments,” says Jagdish Kumar, VP of Products and Solutions, Digital Commerce, at Worldline India.
Here is a primer:
What is the tokenization of cards?
Until now, whenever you bought things from e-commerce websites or booked train or flight tickets through a travel website, you had to save your debit or credit card details for ease in future transactions. You would only enter the three-digit CVV number and check the payment transaction within seconds. But saving card details in the current form is risky. There are instances of popular websites getting hacked by fraudsters and harvesting the saved card data.
Tokenization will replace a debit or credit card’s 16-digit number with a unique token specific to your card and clear for one merchant at a time. The token masks the exact details of your card, so the fraudster cannot misuse the card if there is a data leak from the merchant’s website.
Tokens can be used for online, mobile point-of-sale, or in-app transactions. A token contains no personal information that can be accessed and keeps changing, making it the most secure method to complete payments. You do not need your card’s token when you present your card at a physical shop at the checkout counter.
“Digital transactions are growing significantly and require safety. There have been data leaks from merchant websites in the past. So, this is a prudent step by the regulator to enhance card data security,” says Datta.
Is tokenization mandatory?
The tokenization rule that comes into effect July 1 prohibits all merchant websites from saving your card numbers, CVV, or expiry date on their server for processing online transactions. Card users should either make a token before buying an item on the shopping website and save that token on the particular website (for future use) or create a token and hold it (for future use) at the time of payment after shopping.
However, the debit and credit card tokenization process is not mandatory, and customers can choose whether to let their cards get tokenized on a merchant’s website. In that case, a customer will have to re-enter the card details for each transaction, including the 16-digit card number, expiry date, and card verification value (CVV), while purchasing anything online.
Either way, your card details will not be stored on websites such as Flipkart, Amazon, Myntra, etc. You can either choose to get your card tokenized and store the token or enter your card details every time you buy something online.
The countrywide adoption of card tokenization was extended by six months, from January 1 to July 1, 2022, by the RBI to ensure a smooth transition from the current process. On June 8, following the monetary policy committee meeting, RBI Deputy Governor T Rabi Sankar said in a press conference that the payments ecosystem is “by and large prepared” to implement tokenization for card-based transactions ahead of June 30 deadline for new norms.
How can I tokenize my card with an online Merchant?
While making a payment on an online merchant website or mobile app, enter your card details and opt for tokenization. Your merchant forwards it to the respective bank or card network (VISA, Rupay, Mastercard, etc.). You should opt for tokenization of cards only if that website is used regularly and you want to avoid the hassle of entering the card details each time.
A token will then get generated and sent back to your merchant, who saves it. The next time you return to the shop, select this saved token at checkout time. You will see the exact masked card details and the last four digits of your card number. You will need to enter your CVV and complete the transaction.
Tokenisation is not mandatory, but it makes it easier to shop repeatedly.
Implementation and key challenges
RBI Deputy Governor Sankar said all card networks, including Visa, RuPay, and Mastercard, are offering tokenization and have created 16 crore tokens until now. Some merchants, including Swiggy, Cred, Uber, MakeMyTrip, etc., have gone live and are allowing customers to tokenize their cards. Several leading e-commerce websites are in the final stages of integrating the tokenization process and are expected to start tokenizing cards soon.
“With the implementation of tokenization, we expect challenges in the processing of purchases made through equated monthly installments (EMIs), processing cashback and rewards to customers in the absence of card data,” says a spokesperson from an e-commerce website requesting anonymity.
RBI Deputy Governor Sankar said about these new challenges: “The ecosystem is working on a few collateral issues that have come to the RBI’s notice, which we will adjust as we go. New issues crop up every time you shift a regime.”
Can a token on one merchant be used for another?
No, a token registered on one merchant cannot be used on another. Each merchant will have a unique token associated with every card saved. For instance, if you have an HDFC Bank credit card tokenized on Flipkart, the same card will have a different token on Amazon.
Essentially, your card will have multiple tokens based on the number of merchants you tokenize your card with.
How can I delete or manage the tokens generated?
If you want to remove a token you save on a merchant’s website, you can delete that token on the merchant’s website or app and delete the card associated with the token from your payment preferences.
Alternatively, banks also provide help in deleting tokens. For instance, SBI card customers can call on a helpline to request deletion.
Harshil Mathur, CEO and Co-Founder of Razor pay says that a card issuing bank will now provide a dedicated portal (on its website) to manage tokenized cards. Your dashboard will now show you a list of your cards and where (merchants) you have tokenized them.
From this dashboard, you can delete the tokenized cards from websites you do not use frequently.
Is the tokenization service free?
Yes, the tokenization of cards is free and can be availed by anyone. Currently, tokenization applies only to domestic cards. This guideline does not cover international cards. You can request tokenization on any number of cards to perform a transaction.
What will happen to a token once a card is replaced, renewed, reissued, or upgraded?
You need to revisit the merchant page and create a fresh token. That is because your new card (credit or debit) will come with a unique number and CVV.
