Such a message is being sent to customers because the Reserve Bank of India (RBI) has mandated that from January 1, 2022, “no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data.” Instead, cardholders can get digital tokens to complete their online transactions. “Any such data stored previously will be purged” beyond this deadline stated the RBI. Such a measure is being taken to prevent fraud.
Others like HSBC India, SBI Card, Paytm, Phonepe, National Payments Corporation of India (NPCI) have all prepared their tokenisation solutions.
Banks and other payment companies are asking their customer to either opt for tokenising their card details or type out full details each time you make an online transaction.
Uber India, has sent this notification to users of its app, “Provide consent to use saved cards; As per RBI guidelines you need to provide consent while making card payments to use saved cards. Only available in the latest version of the Uber app.” When you give your consent the Uber India app willl tokenise your saved cards and use these tokens for future payments.
Tokenisation is not mandatory for the customer. As per the HDFC Bank website, “a customer can choose whether or not to let his / her card tokenised. If not Tokenised, starting 1st Jan 2022, the card holder must enter the full card number, CVV and Expiry date every time to complete their online transactions.”
What is tokenisation?
Tokenisation is the process of replacing the 16-digit credit or debit card number for mobile and online transactions with a unique digital identification known as a “token”, it is a random string of 16-digit numbers. Payments can then be completed without disclosing the cardholder’s account information. Customers can keep their card details in a secure and compliant manner using these tokens. As your complete card details will not be exposed to merchants.
According to the RBI’s FAQs, “Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).
“The customer need not pay any charges for availing the service of Tokenising the card,” stated the HDFC Bank website.
Where is tokenisation applicable?
According to HSBC India, the tokenisation terms and conditions are applicable to Mobile Credit Card stored in the Google Pay/Token Requestor mobile application of one the customer’s eligible device for making following type of transactions, wherever available:
- Tap to Pay NFC enabled POS Transactions.
- Scan and Pay Bharat QR code-based Payments at online and offline merchants; and
- Online payment at various online merchants or when the payments services is implemented within the Token Requestor mobile application.
How to get your card tokenised?
According to SBI Card, “You may store a digital version of your Credit Card (i.e. Mobile Credit Card) in the Token Requestor for payment feature on your Eligible Device only if your SBI Credit Card is of a type and/or card scheme designated by us from time to time and is in good standing.
According to Uber India, this how you can use tokenisation on its platform:
- Please ensure you have the latest version of the Uber app
- Book a ride on Uber
- Choose cards as your payment method
- Once the trip is completed, choose a saved card to clear your payment
- A consent pop-up (for tokenisation) will appear on screen. Click on “Agree and Continue” and complete OTP authorisation
This is what HDFC Bank states about registration for tokenisation: The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.