The RBI has issued a final circular making card (CC/DC) tokenization mandatory from January 1, 2022. Based on the interactions conducted, Emkay Global Financial Services is of the view that the card tokenization will be a near-term irritant but long-term positive. It will alleviate security concerns for online transactions, may deter cardholders from making low-value online card payments.
"Card tokenization is a process of substituting sensitive customer data (such as card number, CVV, etc.) with an algorithmically generated token (encrypted) by a token service provider, which could be the card issuer or payment networks. The token flows through the payment system in a secured way without disclosing the customer details or allowing the payment intermediaries (merchants, payment aggregators) to store customer data. This is mainly to ensure customer data safety/security and curb rising instances of fraud/hacks. Any previously stored data (card-on-file) by merchants/payment gateways will have to be erased," Emkay Global has said in a release.
Tokenization as a security enhancement measure is used in many countries, including North America, Asia and selectively in India also. HDFC Bank, ICICI Bank and SBI Cards already have the card tokenization system in place for online transactions, while few players have device-based tokenization (SBI Cards with Samsung) for contactless NFC payments. Instead of creating/using own token generating engine, using the payment networks' (Visa/Mastercard) engine will be far more cost-efficient and technologically advanced and will have merchant acceptability.
Card tokenization is mainly for online transactions, for which, effective January 1, 2022, customers will have to key-in the card number for the first time (as the stored number will be erased) and complete the transaction via a two-factor authentication. At the back-end, a token would be generated by the merchant with the card issuer/network partner, based on which the transaction will be completed.