Mostly Economics

RBI issued a press release encouraging cardholders (both debit & credit) to tokenise their card information. Merchants store a lot of information about our cards on their network. This could lead to problems:

Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in future. While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc., have been compromised.

Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data.

Tokenisation helps prevent these frauds:

Given the foregoing, the Reserve Bank mandated that after December 31, 2021, entities other than card networks and card issuers cannot store card data. This timeline was subsequently extended to June 30, 2022. A framework for CoF Tokenisation (CoFT) services was also issued. Under this framework, cardholders can create “tokens” (a unique alternate code) in lieu of card details; these tokens can then be stored by the merchants for processing transactions in future. Thus, CoFT obviates the need to store card details with merchants and provides the same level of convenience to cardholders.

To create a token under the CoFT framework, the cardholder has to undergo a one-time registration process for each card at every online / e-commerce merchant’s website / mobile application, by entering the card details and giving consent for creating a token. This consent is validated by way of authentication through an AFA. Thereafter, a token is created which is specific to the card and online / e-commerce merchant, i.e., the token cannot be used for payment at any other merchant. For future transactions performed at the same merchant website / mobile application, the cardholder can identify the card with the last four digits during the checkout process. Thus, the cardholder is not required to remember or enter the token for future transactions. A card can be tokenised at any number of online / e-commerce merchants. For every online / e-commerce merchant where the card is tokenised, a specific token will be created.

Till date, about 19.5 crore tokens have been created.

To sign for CoFT:

Opting for CoFT (i.e., creating tokens) is voluntary for the cardholders. Those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transaction”).

This is where nudging can come. Instead of keeping it voluntary, one could enroll citizens automatically into the program. They can opt out of tokenisation if they wish to. An experiment worth doing?