The digital payments industry in India has grown manifold. According to published statistics, more than 40 billion digital transactions, with a total value of a quadrillion Indian rupees, were recorded in 2021. While supportive government initiatives and fintech innovation shape the market, there is a darker side to it.
As per RBI data, cash is still the most preferred mode of payment, followed by digital payments. On one side there is the convenience of paying online; on the other, many people worry about the risk of sending money through the various online payment modes.
A recent survey by ACI Worldwide found that around 71% of consumers are concerned about online payment scams and fraud, particularly during the Covid-19 pandemic.
As a step towards making digital payments more secure, regulators have introduced tokenisation. Let's find out what this is all about and how it can benefit both consumers and businesses in India.
What is tokenisation?
Tokenisation is the process of replacing sensitive consumer data with non-sensitive surrogate values called tokens. A token is a unique string that stands in for a card number in payment systems: it carries enough information for a payment to be processed (the tokenisation system can match it back to the card it represents) without exposing the underlying sensitive data.
In technical terms, tokenisation replaces the card account number (the PAN, typically 16 digits) with a unique identifier known as a token. Because the token is assigned at random, there is no mathematical relationship between it and the card number it replaces: the token cannot be reversed or deciphered by anyone who lacks access to the tokenisation system's mapping (the token vault). Payments can therefore be processed without exposing card data that could be lost in a breach.
Tokens in Tokenisation – Example
Think of a token as a piece of data that stands for some other, more valuable piece of information. It has no value of its own but is useful because it represents sensitive information.
A good real-life analogy is the game of poker. Players use chips as placeholders for money instead of filling the table with cash, and even if the chips are stolen they cannot be spent as real money.
For low-value or one-off transactions, such as a single debit card payment, a single-use token is generated that does not need to be retained. For recurring transactions on a consumer's credit card, a multi-use token is issued and kept for reuse.
Given below is a table that covers the two types of tokens involved in the payment process:

| Type of token | Details and example |
| --- | --- |
| Format-preserving token | It keeps the appearance of the card details. For example, the 16-digit card number 1111 2222 3333 4444 is converted to a token that also has 16 digits, such as 9999 8888 7777 6666. |
| Non-format-preserving token | It does not resemble the original card number and may include alphanumeric characters. Example: for the card number mentioned above, the token can be of the form: |
Purpose of Tokenisation
The primary purpose of tokenisation is to protect sensitive payment-related information while preserving its utility. Organisations can keep using the tokenised data for business purposes (recurring billing, order history, refunds) without taking on the compliance burden of storing card data internally.
Process of Tokenisation
Here are the steps involved in the process of tokenisation, from the moment a customer submits card details for payment (assuming a credit card as the example):
- A customer uses a credit card to place an order online
- The linked tokenisation system receives the card number and generates a random token, typically a 16-character string so that it fits wherever the card number was stored
- The system returns the generated token to the e-commerce portal where the order was placed
- The portal stores only the token; the mapping from token to card number stays inside the tokenisation system, which is the only component able to look the card number up again
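The steps above, and the two token formats from the table, as a runnable example. This is an added illustration, not code from the original page or from any particular payment provider: `TokenVault` is a hypothetical merchant-side tokenisation system, the card numbers are constructed test values (the first is the page's own sample PAN), and the choice to make format-preserving tokens deliberately fail the Luhn check (so a token can never be mistaken for a real card number) is a design decision of this example. The page's own sample token 9999 8888 7777 6666 happens to fail Luhn as well.

```python
import secrets
import string

# Constructed sample card numbers for this demo (test numbers, not real cards).
# The first one is the example PAN used in the table above.
SAMPLE_PANS = ["1111222233334444", "4111111111111111"]


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenisation system: a lookup table from random tokens to card numbers.

    Tokens are drawn at random, so no token reveals anything about the PAN it
    replaces; the only way back is this vault's table (detokenisation).
    """

    def __init__(self):
        self._token_to_pan = {}
        self._multi_use = {}      # pan -> reusable token (recurring payments)
        self._single_use = set()  # tokens that are destroyed on first use

    @staticmethod
    def _new_token(format_preserving):
        if format_preserving:
            # 16 digits like a PAN, but chosen to fail the Luhn check (design
            # choice of this example) so the token is never a valid card number.
            while True:
                token = "".join(secrets.choice(string.digits) for _ in range(16))
                if not luhn_valid(token):
                    return token
        # Non-format-preserving: 24 random alphanumeric characters.
        alphabet = string.ascii_uppercase + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(24))

    def tokenize(self, pan, *, format_preserving=True, single_use=False):
        """Replace a PAN with a token; the PAN is only ever stored inside the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if not single_use and pan in self._multi_use:
            return self._multi_use[pan]          # same card, same recurring token
        token = self._new_token(format_preserving)
        while token in self._token_to_pan:       # vanishingly unlikely collision
            token = self._new_token(format_preserving)
        self._token_to_pan[token] = pan
        if single_use:
            self._single_use.add(token)
        else:
            self._multi_use[pan] = token
        return token

    def detokenize(self, token):
        """Recover the PAN for a token, or None if it is unknown or already spent."""
        pan = self._token_to_pan.get(token)
        if token in self._single_use:
            # A single-use token is consumed the first time it is detokenised.
            self._single_use.discard(token)
            self._token_to_pan.pop(token, None)
        return pan


def demo():
    """Exercise both token formats plus single-use and multi-use behaviour."""
    vault = TokenVault()
    pan = SAMPLE_PANS[0]
    fp = vault.tokenize(pan)                                       # multi-use, 16 digits
    nfp = vault.tokenize(SAMPLE_PANS[1], format_preserving=False)  # alphanumeric
    once = vault.tokenize(pan, single_use=True)
    return {
        "fp_is_16_digits": fp.isdigit() and len(fp) == 16 and fp != pan,
        "fp_fails_luhn": not luhn_valid(fp),
        "nfp_is_alnum": nfp.isalnum() and not nfp.isdigit(),
        "multi_use_is_stable": vault.tokenize(pan) == fp,
        "detokenised": vault.detokenize(fp) == pan,
        "single_use_spent": vault.detokenize(once) == pan and vault.detokenize(once) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The merchant application only ever sees the return value of `tokenize`; if the `_token_to_pan` table is kept on a separate, tightly controlled system, a compromise of the e-commerce portal yields tokens that are useless without it.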
Impact of tokenisation on online businesses
Tokenisation benefits online businesses in several ways, as given below:
- It eliminates the need to store actual card numbers and other sensitive information in their POS terminals or internal systems
- It helps improve data security from the point of data capture to its storage
- It minimizes the risk of security breaches and data theft which can cause significant losses to the merchants
How does tokenisation benefit customers?
Customers benefit from tokenisation because their card details are far less likely to be stolen. The lower risk of financial theft or fraud makes them trust digital payments more than paying in cash.
Because a different token is issued for the same card on each platform, a token taken from one merchant cannot be used elsewhere, which limits the damage from any single breach. Even if an attacker obtains a token, the actual card details cannot be reverse-engineered from it.
Tokenisation and PCI DSS Compliance – correlation
The tokenisation process is closely related to PCI DSS compliance. If you run an e-commerce business, you should know the principles that connect these two ends of digital payment processing:
- PCI DSS compliance validation is still required when you have a tokenisation system in place to process online payments. Tokens may simplify your validation effort by reducing the number of components to which PCI DSS requirements apply.
- As an online business owner, you must verify the effectiveness of the tokenisation process implemented in your system, to ensure that card details cannot be retrieved from any component that has been removed from PCI DSS scope.
- Protection of tokenisation process with strong security measures is a must to ensure continued benefits.
- Different businesses deploy different tokenisation solutions, which may vary greatly in terms of deployment model, technologies, and processes involved.
- You can also use both tokenisation and encryption solutions to protect sensitive data depending on the use cases.
Role of RBI in tokenisation
- With more and more Indians switching to online payments, the safety of their financial data has become paramount. With that in mind, the Reserve Bank of India (RBI) began strengthening the transaction security mandate in the country and permitted tokenisation for specific use cases in 2019.
- The central bank then issued new digital payment guidelines in 2021 requiring banks to notify customers about recurring debits before and after each transaction, effective 30 September 2021, regardless of the digital payment mode used.
- The RBI also released the PAPG (Payment Aggregators and Payment Gateways) guidelines that address the security concerns related to storing Card-On-File (COF) data. As per these guidelines, merchant sites are not allowed to save customer card details.
With all these mandates and guidelines, RBI’s motive is to reinforce the security of card data without affecting the convenience of digital payment transactions.
Role of card payment networks in tokenisation
While many payment service providers have emerged to facilitate online payments, only the authorised card networks are permitted to provide tokenisation services.
Before offering these services, an authorised network must have a periodic system audit in place (at least annually), including a security audit by CERT-In empanelled auditors, covering all entities involved in tokenisation. It must also deploy a mechanism to ensure that transaction requests originate only from identified devices, and it is responsible for monitoring the system for malfunction or suspicious behaviour.
As per the recent RBI notification about tokenisation of card transactions, authorised card networks are permitted to offer card tokenisation services subject to various conditions.
Difference between tokenisation and encryption
Many people treat tokenisation as a synonym for data encryption, which it is not. Although both processes protect data, there are important differences between the two:

| Encryption | Tokenisation |
| --- | --- |
| Transforms plaintext into ciphertext mathematically using an encryption algorithm and a key | Generates a random token value for the plaintext and stores the mapping in a database (the token vault) |
| Works for structured and unstructured data | Works for structured data fields, such as card details |
| Scales easily to large data volumes because only a small key must be protected | Scaling securely becomes harder as the mapping database grows |
| Format-preserving encryption schemes come with a trade-off of lower strength | The format can be preserved without weakening security, because the token is random |
| The original data can leave the organisation, in encrypted form | The original data does not need to leave the organisation, which satisfies various compliance requirements |
What is detokenisation?
Detokenisation is the reverse process: the tokenisation system looks the token up in its mapping and returns the actual card details. Only the system that holds the mapping can do this; the token itself cannot be converted back by computation.
What is the benefit of tokenisation?
A tokenised transaction can be considered safer and more secure because the actual card details are not shared to process the transaction.
How does tokenisation happen?
The cardholder places a request in the application provided by the token requestor (for example, a merchant app), which forwards it to the card network. With the consent of the card issuer, the network then issues a token bound to the combination of card, token requestor and device in use.
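The issuance flow just described, together with the device-binding requirement from the card network section, as an added example. This is illustrative code, not any card network's implementation: `CardNetworkTokenService` is hypothetical, the party names (`shop-app`, `taxi-app`, `phone-1`) and issuer consent table are constructed, and the token format is a design choice of this example. It goes slightly beyond the text by showing what the binding buys you: a token presented from a different app or device is rejected, and a card whose issuer has not consented gets no token at all.

```python
import secrets

# Constructed sample data for this demo (test card numbers, hypothetical parties).
CARD_WITH_CONSENT = "4111111111111111"
CARD_WITHOUT_CONSENT = "5555555555554444"
ISSUER_CONSENT = {CARD_WITH_CONSENT: True}   # the issuer's answer per card


class CardNetworkTokenService:
    """Toy network token service.

    A token is bound to the triple (card, token requestor, device) when it is
    issued, and a payment request is only honoured when it arrives from that
    same requestor and device.
    """

    def __init__(self, issuer_consent):
        self._issuer_consent = issuer_consent
        self._tokens = {}   # token -> (pan, requestor_id, device_id)

    def request_token(self, pan, requestor_id, device_id):
        """Token requestor -> card network: issue a token for this card on this device."""
        # The network asks the issuer; without consent no token is created.
        if not self._issuer_consent.get(pan, False):
            return None
        token = secrets.token_hex(8).upper()
        while token in self._tokens:            # vanishingly unlikely collision
            token = secrets.token_hex(8).upper()
        self._tokens[token] = (pan, requestor_id, device_id)
        return token

    def authorise(self, token, requestor_id, device_id):
        """Merchant -> card network: return the PAN to route to the issuer, or None.

        The PAN is released only when the token is used inside its own domain,
        i.e. from the requestor and device it was issued to.
        """
        record = self._tokens.get(token)
        if record is None:
            return None
        pan, bound_requestor, bound_device = record
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            return None   # token replayed from another app or device
        return pan


def demo():
    """Same card tokenised by two apps on one phone; check where each token works."""
    svc = CardNetworkTokenService(ISSUER_CONSENT)
    t_shop = svc.request_token(CARD_WITH_CONSENT, "shop-app", "phone-1")
    t_taxi = svc.request_token(CARD_WITH_CONSENT, "taxi-app", "phone-1")
    return {
        "distinct_per_requestor": t_shop != t_taxi,
        "own_domain_ok": svc.authorise(t_shop, "shop-app", "phone-1") == CARD_WITH_CONSENT,
        "other_app_rejected": svc.authorise(t_shop, "taxi-app", "phone-1") is None,
        "other_device_rejected": svc.authorise(t_shop, "shop-app", "phone-2") is None,
        "no_consent_no_token": svc.request_token(CARD_WITHOUT_CONSENT, "shop-app", "phone-1") is None,
    }


if __name__ == "__main__":
    print(demo())
```

In this model the merchant never holds the PAN at all; it holds a token that is only meaningful when the network sees it arrive from the requestor and device it was bound to, which is what makes a token stolen from one app worthless in another.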
How much does a customer need to pay to avail tokenisation service?
There are no charges to be paid by the customer to avail this service.
Who are the stakeholders involved in the tokenisation process?
It involves merchants, card payment network, merchant’s acquirer, issuer, token requestor, and customer.