More than a ‘token’ step | #cybersecurity | #cyberattack | #education | #technology | #infosec

By Sanjeev Moghe

Digital payments in India have seen multi-fold growth in recent years, and adoption of this mode is slated to grow at an even quicker pace over the next decade. This growth has been characterised by deepening of digital payments and a proliferation led by a wide variety of options and easy checkout processes. Besides, adoption by customers across socio-economic segments and geographies also made this leap possible. 

One of the major components of payments in the digital mode is through credit and debit cards, details of which customers save with merchant platforms. Current ecosystem allows card details, such as number and expiry date, to be stored by the merchant for subsequent orders and customers can enjoy a convenient and fast check-out by just keying in CVV and OTP inputs for shopping, or perhaps to buy train and airline tickets.

While convenience is a major feature of digital payments, it is important for users to be familiar with important safety and security aspects of such payments. There may be a risk to saving card details with different merchants, as over a period of time the customer may lose track of such cards and may become prone to online frauds.Banks and payment networks do strive to make the payment journey quick and hassle-free by removing friction elements, however, hackers may manage to access card details by using malicious software in some cases.

This gives hackers access to all your financial details and results in fraudulent transactions and loss.To mitigate this risk, the Reserve Bank of India mandated all industry participants to work on an equally seamless but a more secure solution, referred to in the market as ‘tokenisation’. Effective July 1, merchants and payment aggregators will not be able to store customers’ card information and any previously saved information would need to be purged.With the introduction of tokens by merchants, only authorised merchants would be able to send you the payment links, which wouldn’t ask you for card details but instead display the token issued against that card, thereby preventing hackers from getting access to any of your financial details.What is tokenisation?

A token is a 16-digit number unique for a combination of card, token requestor and merchant. By tokenising the card with a merchant, the actual card details of the customer are replaced with token credentials, which can be used only for the merchant for which the token has been created. The token requester facilitates token generation for the merchant, certified as per globally accepted standards for safety and security.Once merchants are ready to enable tokenisation, customers will be asked whether they want to tokenise their card details at the merchant end while initiating a transaction.

If the customer opts-in, a token that is unique to the card and the merchant will be generated. These token card details will be stored by the merchant and for subsequent transactions, the customer can just select this tokenised card (where the last 4 digits will be the same as your original card) and complete the transaction as earlier. Since the original card details are not saved anywhere, it minimises security risks.Already, merchants and banks have been advising customers to tokenise their card details at their frequently used apps/websites to ensure seamless usage. One may have already noticed that different apps have started asking customers to tokenise their cards.

Customers can expect remaining merchants to also be live by the end of the June 30 deadline with the proposed changes.Since the tokens are unique to each merchant, customers will have to tokenise their cards with each of the merchants separately. So, multiple tokens for multiple merchants. Most large banks, including Axis Bank, have made necessary changes at their end to become compliant with the new guidelines. Many large online merchants have also incorporated changes at their end and customers can tokenise their cards and save details even now.Once tokenised, customers can continue to do transactions as usual.

The last four digits of the tokenised card will be visible to the customer, along with the bank name. Customers can select the saved card details and pay, as is done currently. The important question one may have in mind now is: Once these new storage rules come into effect, do customers who miss the deadline go through the inconvenience of entering the full (16 digits) card number along with expiry and CVV each time for an online transaction?

The answer is a big and resounding ‘no’.The recent Card-on-File Tokenization guidelines introduced by RBI pave the way for more secure storage of card details while maintaining the same ease of checkout—no need to enter 16 digits each time. Customers can tokenise their card details with the merchants and payment aggregators anytime.

EVP & head-cards & payments, Axis Bank