As per the Reserve Bank of India mandate effective October 1, 2022, the card number, CVV, expiry date and any other sensitive card information cannot be stored by merchants or payment aggregators/gateways to process online transactions. Users must have their credit/debit cards tokenized.
Tokenization refers to replacing an actual credit/debit card number with an alternative code called a "token". Once created, these tokenized card details are used in place of the actual card number for future online purchases initiated or directed by the cardholder. A tokenized card transaction is considered more secure because the actual card details are not shared with or stored by the merchants to complete the transaction.
Does the tokenization policy apply to both credit and debit cards?
Yes. From October 1, 2022, both debit and credit cards will need to be tokenized. The customer does not have to pay any fees to use the card tokenization service; it is absolutely free.
What are the benefits of tokenization?
Actual card data, tokens and other relevant details are stored in a secure encrypted mode by the card-issuing bank and/or authorized card networks. Token requesters/merchants cannot store a full card number or other card details.
How can tokenization be carried out?
Step 1: The cardholder can have the card tokenized by initiating a request on any e-commerce site/app where they wish to complete the transaction.
Step 2: The website/app (the token requester) forwards the request directly to the bank that issued the credit card in question or, with the consent of the card-issuing bank, to Visa/Mastercard/American Express.
Step 3: The party receiving the request from the token requester will issue a token that matches the combination of the card, the token requester, and the merchant. This means that after tokenization, the customer sees the last 4 digits of the card on the merchant side.
Does card tokenization have to be carried out at every merchant?
Yes. A token must be unique to the card at a given merchant. If the customer intends to save a card at different merchants (e-commerce sites/apps), tokens must be created at all of them. In addition, the customer must carry out this process for every card they own. As mentioned earlier, a token is unique to a card and merchant combination. A customer can request the tokenization of any number of cards when conducting a transaction.
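The binding described in Step 3 and in the answer above, as an added illustration in Python that is not part of the original page and not any bank's or card network's actual implementation. The class and method names, the requester/merchant identifiers and the hex token format are assumptions, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Toy stand-in for the issuer/card-network vault; merchants never hold the card number."""

    def __init__(self):
        self._by_binding = {}   # (pan, requester, merchant) -> token
        self._by_token = {}     # token -> (pan, requester, merchant)

    def tokenize(self, pan, requester, merchant, consent):
        # Registration only with explicit cardholder consent (AFA is assumed to happen upstream).
        if not consent:
            raise PermissionError("explicit cardholder consent required")
        binding = (pan, requester, merchant)
        if binding not in self._by_binding:
            token = secrets.token_hex(8)  # random, so it cannot be derived from the card number
            self._by_binding[binding] = token
            self._by_token[token] = binding
        # The merchant side receives only the token and the last 4 digits.
        return {"token": self._by_binding[binding], "last4": pan[-4:]}

    def detokenize(self, token, requester, merchant):
        # Only the vault maps a token back, and only for the binding it was issued to.
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requester, merchant):
            raise PermissionError("token not valid for this requester/merchant")
        return binding[0]

    def delete(self, token):
        # Cardholder removes a token, as through the bank's management portal.
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]


def demo():
    # Same card saved at two merchants yields two unrelated tokens.
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    a = vault.tokenize(pan, "gateway-x", "shop-a", consent=True)
    b = vault.tokenize(pan, "gateway-x", "shop-b", consent=True)
    return vault, pan, a, b
```

A token taken from one merchant is rejected when presented for another, which is why the card has to be tokenized separately at each merchant.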
How can users manage their tokenized cards?
The bank provides cardholders with a portal to view and manage their tokenized cards. Cardholders can view/delete tokens for the respective cards via this portal. Customers can also call the Phone Banking service to make a tokenized card management request.
Will tokenization have an impact on the POS transactions performed by the cardholder at merchant points of sale?
No. Tokenization is only required for conducting online transactions.
Who can perform tokenization and de-tokenization?
Tokenization and de-tokenization can only be performed by the card-issuing bank or by Visa/Mastercard/American Express, known as Authorized Card Networks.
How does the registration process for a tokenization request work?
Registration for a tokenization request is only carried out with the express consent of the customer through an additional authentication factor (AFA), and not through forced/default/automatic selection of checkboxes, radio buttons, etc. Customers also have the option to select the use case and set limits.