This article is written by Vishakha Bhandakkar, pursuing Diploma in Law Firm Practice: Research, Drafting, Briefing and Client Management from LawSikho. The article has been edited by Tanmaya Sharma (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
In September 2021, the Reserve Bank of India (RBI) said in a press release that it had enhanced its guidelines and extended the scope of permitted devices for card tokenization, in order to improve the overall safety and security of card payment transactions. The device-based tokenization framework advised through the circulars of January 2019 and August 2021 was extended to Card-on-File Tokenization (CoFT) as well, and card issuers, in addition to card networks, were permitted to offer card tokenization services as Token Service Providers (TSPs). The RBI further stated that tokenization of card data must be done only with the explicit consent of the customer, validated through an Additional Factor of Authentication (AFA). This article explains the tokenization process, the RBI's modified guidelines and how they will affect users, aggregators, networks and consumers.
What is tokenization?
Tokenization is a process in which sensitive data, such as credit and debit card details, bank account numbers or a Permanent Account Number (PAN), is replaced with a non-sensitive substitute so that a breach of the systems holding the substitute does not expose the original data. The substitute, called a token, is a unique string of characters that has no meaning or value on its own. The token lets users and merchants process payments while the sensitive card details stay out of the merchant's systems.
Through tokenization, the card details are replaced by this alternative code. The token is unique to the combination of the card, the token requestor (the entity that accepts the cardholder's request for tokenization and passes it to the card network) and the device on which it is used. Tokens are used for contactless card transactions at Point of Sale (PoS) terminals, for QR code payments and, under the extended framework, for card-on-file transactions with online merchants.
What is a token?
A token has no meaning or value of its own and bears no relationship to the original data, though it may preserve some of its format (for example, the same number of digits as a card number). It serves as a reference to the original data but cannot be used to infer that data: there is nothing in the token to decode. Unlike encryption, vault-based tokenization does not use a key, algorithm or mathematical transformation to derive the token from the original data or vice versa. Instead, a database called the token vault stores the pairing of each original value with its token, and that vault sits with the token service provider, outside the systems of the merchant that uses the token. (One caveat a practitioner should be aware of: some commercial tokenization products instead generate tokens with format-preserving encryption, which does involve a key; the RBI framework discussed here concerns network- and issuer-operated vault tokenization.)
Encryption vs tokenization
Before tokenization gained popularity, encryption with reversible cryptographic algorithms was the default way to protect sensitive data. Which of the two is appropriate depends on the need. If the need is to protect large volumes of data at scale, encryption is usually the right choice. If the need is to keep card data out of systems that would otherwise fall within compliance audits such as PCI DSS, tokenization is usually preferred.
Given below is a comparison of encryption and tokenization:
| Encryption | Tokenization |
| --- | --- |
| Mathematically converts plaintext into ciphertext using an algorithm and a key. | Generates a random token value for the plaintext and stores the pairing in a token vault. |
| One key protects arbitrarily large volumes of data, so it scales to bulk data. | The vault grows with every distinct value tokenized, so it is less suited to very large volumes of data. |
| Works on structured as well as unstructured data, for example entire files. | Used mainly for structured fields, for example credit/debit card numbers and SSNs. |
| Sensitive data can be shared with third parties that hold the decryption key. | Data cannot easily be shared, because recovering it requires access to the token vault. |
| The original data leaves the organization, in encrypted form. | The original data stays in the vault rather than with the systems that use the token, which helps satisfy compliance requirements. |
What are the reasons for enforcing tokenization?
Following are the reasons why the RBI is enforcing tokenization:
- Convenience and comfort of users and smooth operation of digital and online card payment transactions.
- Certain e-commerce entities and several merchants involved in online card payment transactions store actual debit/credit card details of the customer, which is known as Card-on-File (CoF). Availability of such a large amount of sensitive data with so many entities and merchants puts the security and privacy of the cardholders at risk.
- There have been multiple instances in the past where sensitive data stored by entities and merchants have been leaked or compromised.
- Many jurisdictions do not require AFA for online card payment transactions. Hence, any compromise or leakage of CoF can have serious consequences.
- Stolen card data can be used directly to commit fraud and theft, and the partial details in it can lend credibility to social engineering attempts against the cardholder.
- Customers will not have to memorize their card details.
What does the RBI mandate say?
After citing reasons for the enforcement of tokenization, the RBI had stipulated in March 2020 that authorized payment aggregators, networks, e-commerce entities and merchants must not store actual card details and data. This would minimize vulnerable points in the system. As requested by the industry, the RBI extended the deadline to end-December 2021, as a one-time measure.
The process of tokenization
The cardholder sends a request for tokenization of the card through the application provided by the token requestor. The token requestor forwards the request to the card network (or issuer acting as TSP), which issues a token corresponding to, and unique to, the combination of the card, the token requestor and the device. It is important to note that the token is issued only after the cardholder's explicit consent has been obtained and validated by AFA.
The tokens are issued by the TSPs. Card networks such as Visa and Mastercard act as TSPs and, under the September 2021 guidelines, card issuers may do so too. The TSP issues tokens to token requestors such as e-commerce platforms, merchants and wallets, and the tokens are used in place of the cardholder's details during transactions.
In a typical flow, the customer enters their card details into a virtual wallet such as Google Pay or PhonePe. The wallet, acting as token requestor, asks the TSP for a token. The TSP has the card details verified by the issuing bank, and once they are verified a token is generated and provisioned to the customer's device. The token is bound to that device and that requestor; it cannot be reversed to the card number by anyone who obtains it, since the mapping exists only in the TSP's vault, and it cannot be substituted for a token issued to a different device or requestor.
Now, each time the customer makes payments through his device, the platform will authorize the payment transaction by sharing the token, without sharing the customer’s card details.
An illustration of how tokenization works
- Let us say that a customer uses their card at a merchant whose payment flow is connected to a TSP's tokenization system.
- The customer presents a credit/debit card at a PoS machine or on an e-commerce platform.
- The credit/debit card number is transmitted to the tokenization system.
- The tokenization system generates a unique 16-digit token to stand in for the original credit/debit card number, and records the pairing in its vault.
- The tokenization system returns the freshly generated 16-digit token to the PoS machine or e-commerce site, which stores and uses the token instead of the original card number.
- For example, the credit/debit card number 6662 0375 1956 8267 is replaced by the token number 5467 1298 4829 9267.
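The flow described above, as an added example in Python (this is not RBI's, any card network's or any TSP's code): a minimal vault-based token service provider that issues a 16-digit, Luhn-valid token unique to the combination of card, token requestor and device, that can be reversed only through its own vault and only for the requestor it was issued to, that stops resolving once the cardholder de-registers it, and that hands the merchant nothing but the token, the last four digits and the issuer name. The token BIN prefix, the vault record layout, the requestor-bound detokenization check and the use of the article's illustrative card number as sample input are all assumptions made for the example.

```python
"""Minimal vault-based card tokenization (added example; assumptions are noted in comments)."""
import secrets
from dataclasses import dataclass

# Assumption: a reserved token BIN, so that a token can never collide with a real card range.
TOKEN_BIN = "999999"
TOKEN_LENGTH = 16


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost digit of the partial number is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VaultEntry:
    pan: str          # the real card number; lives only inside the TSP's vault
    requestor: str    # token requestor (merchant or wallet) the token was issued to
    device: str       # device the token is bound to
    active: bool = True


class TokenServiceProvider:
    """The only party able to map a token back to a card number."""

    def __init__(self) -> None:
        self._by_token: dict[str, VaultEntry] = {}
        self._by_card: dict[tuple[str, str, str], str] = {}

    def _new_token(self) -> str:
        # Random digits: the token has no mathematical relationship to the PAN.
        while True:
            body = TOKEN_BIN + "".join(
                str(secrets.randbelow(10)) for _ in range(TOKEN_LENGTH - len(TOKEN_BIN) - 1)
            )
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                return token

    def tokenize(self, pan: str, requestor: str, device: str, afa_consent: bool) -> str:
        """Issue (or return the existing) token for one card/requestor/device combination."""
        if not afa_consent:
            raise PermissionError("explicit cardholder consent validated by AFA is required")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        key = (pan, requestor, device)
        if key in self._by_card:
            return self._by_card[key]
        token = self._new_token()
        self._by_token[token] = VaultEntry(pan, requestor, device)
        self._by_card[key] = token
        return token

    def detokenize(self, token: str, requestor: str) -> str:
        """Resolve a token to its PAN, only for the requestor it was issued to (assumed domain check)."""
        entry = self._by_token.get(token)
        if entry is None or not entry.active or entry.requestor != requestor:
            raise LookupError("token unknown, de-registered, or presented by the wrong requestor")
        return entry.pan

    def deregister(self, token: str) -> None:
        """Cardholder opts out: the token stops resolving, and a fresh request gets a new token."""
        entry = self._by_token[token]
        entry.active = False
        self._by_card.pop((entry.pan, entry.requestor, entry.device), None)


def merchant_record(pan: str, issuer: str, token: str) -> dict:
    """All a merchant keeps on file after tokenization: last four digits, issuer name, token."""
    return {"last4": pan[-4:], "issuer": issuer, "token": token}


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    pan = "6662037519568267"  # the illustrative card number from this article (constructed sample)
    phone = tsp.tokenize(pan, "merchant-a", "phone-1", afa_consent=True)
    laptop = tsp.tokenize(pan, "merchant-a", "laptop-1", afa_consent=True)
    print("merchant-a/phone  token:", phone)
    print("merchant-a/laptop token:", laptop)
    print("merchant keeps        :", merchant_record(pan, "Example Bank", phone))
    print("TSP resolves          :", tsp.detokenize(phone, "merchant-a"))
```

Running the block shows two different tokens for the same card on two devices, a merchant record that contains no card number, and a successful lookup only by the TSP. Note that the article's illustrative card number is not itself Luhn-valid, which is why the example validates only the tokens it generates and leaves PAN validation to the issuer.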
Who is permitted to tokenize cards?
Card networks such as Visa and Mastercard are permitted to act as TSPs, and since the September 2021 guidelines card issuers (the banks that issue the cards) may do so as well. A TSP may tokenize and de-tokenize only cards issued by, or affiliated with, it. The TSP tokenizes card details only with the explicit consent of the customer, validated by AFA. This is significant because consent must be actively given, not obtained through a forced, default or pre-selected checkbox or radio button. Customers are also given the options of selecting use cases and setting limits for their tokenized card transactions.
What happens after tokenization?
E-commerce entities and merchants are permitted to store only limited data from the card details, namely the last four digits of the card number and the card issuer's name, for transaction tracking and reconciliation purposes, and that storage must comply with the applicable standards. The sensitive details, that is, the actual card number and its mapping to the token, are stored securely by the TSP (the authorised card network or issuer). The card networks must certify each token requestor for security and privacy in compliance with the applicable global standards. The customer can choose whether or not to tokenize a card, can view the list of merchants with whom they have opted for CoF transactions, and can de-register or de-tokenize any such token.
How will tokenization help card payment networks?
E-commerce entities and merchants that handle card data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Storing tokens instead of actual card numbers is expected to reduce the effort merchants must put into PCI DSS compliance, because the systems that hold only tokens no longer contain cardholder data.
Tokenization therefore streamlines a merchant's compliance effort by decreasing the number of system components to which PCI DSS requirements apply. It reduces rather than removes the burden: the checkout path through which the card number is first captured and sent to the TSP remains in scope.
Impact of tokenization on customers
Under tokenization, a different token is used for the same credit/debit card on each platform. If a platform or website suffers a data breach and the attacker obtains the tokens, they cannot derive the actual card details from them, because the mapping exists only in the TSP's vault, and a token issued to one merchant and device is not usable elsewhere. Tokenization therefore protects the security and privacy of the card details and limits the damage to the cardholder in the event of fraud or theft at a merchant.
Tokenization allows payment providers to save cards with the use of tokens. This in turn makes recurring payments convenient and safe for the customers.
Previously, tokenization of card transactions was available only on the cardholder's mobile phones and tablets. Seeing the need for improved security and privacy in a wider range of transactions, the RBI extended the set of permitted devices to include laptops, desktops, wearables such as wristwatches, smartwatches and bands, and Internet of Things (IoT) devices. Contrary to some concerns expressed in the media, tokenization does not require customers to enter their card details for every payment; once a card is tokenized for a merchant and device, the token is reused. The RBI mandate is a welcome step towards deepening digital and online payments in India while making such transactions private, safe, secure and efficient.