Card Tokenisation: Will Your Online Shopping Be As Easy As Before?
Yes, online shopping via cards is set to change. No, it won't become tougher. Don't grumble!
Like something? Need something? Add to cart, proceed to buy, select saved address and card, enter OTP and your order is on its way.
But, online shopping using a debit or a credit card is set to change. At least a little. While barring merchants from saving card details, the Reserve Bank of India has said "tokenisation" can be used as a way to ensure convenience and safety.
Starting Oct. 1, you and I will no longer be able to save card details on our favourite shopping sites. Instead, card tokenisation will allow networks to create a unique alternate code or token for you, which masks your actual card details.
The move is yet another bid to counter frauds that are on the rise. It should help. Unless you yourself happen to share your card details and OTP with a caller from Jamtara!
How Do You Generate A Token?
The first question to your mind may be — how do I generate a token?
Fali Hodiwalla, partner, financial services consulting at EY, said the process for tokenisation is straightforward with the cardholder initiating a request and providing consent for tokenising the card.
This request can be placed via the website you are shopping on. The site further approaches the card network — Mastercard or Visa — for a token.
Once generated, your token can be saved on the site and you can shop on.
So, Will I Need Multiple Token For All My Favorite Sites?
Yes. The first time you go to any site, you will need to generate a token. But once done, that token will remain active on the site. It's not very different from you punching in your card number on a new website and hitting 'save card'.
Usually, tokens can be for multiple use cases, said Mihir Gandhi, partner for payments transformation at PwC. A token can be generated for one transaction for one card or for a limited period of time. However, what is likely, is that tokens will be generated in a way that they can be used for multiple transactions thereafter on the same site.
Sanjeev Moghe, EVP and head for cards and payments at Axis Bank, said details on the type of tokens that will be generated will be worked out over the next few months. Every unique site or app the merchant uses will have a unique token number, Moghe said. A token will not be for use across merchants and for each site or application, a different token number will have to be generated, he said.
Will I Still Need An OTP?
Yes. Two-factor authentication will remain, Moghe said.
Shopping On App Or Website. Will It Be Any Different?
Gandhi explained that with the recent notification, tokens are permitted on a web browser as well as apps. This makes it a level-playing field for a customer irrespective of whether he wants to use the app or a web browser, he said.
Earlier it was largely binding on apps and devices.
Ease Of Use — A Step Back Or A Step Ahead?
Moghe of Axis Bank thinks there will be no reason for consumers to grumble.
The card number, expiry and CVV will now just be encrypted differently. A customer will instead plug in the card specific token for use in all online transactions on a specific portal.
Hodiwalla also said tokenisation would provide for a smooth customer experience while ensuring that the regulator's concerns around safeguards around storing of payment credentials are addressed as well.
Some UX modifications will be worked out to make customer experience easy, Kumar Rajagopalan, chief executive officer of Retailers Association of India, said. "India has found big success with OTP for transactions which many advanced nations do not have. Similarly tokenisation too will create an ease to pay securely," he said.
There will always be small challenges at the start, Gandhi said.
The adoption of UPI, for instance, has risen over time. The customer will need some education and awareness and to try it out. "Once people are hooked onto it, it's an easy process similar to what we have today," said Gandhi.
Security Is Key
Almost everyone agreed that the RBI's new plan will enhance safety.
Increasing usage of online payments by consumers has also brought about the need to secure consumer data, Rajagopalan said. Most offline retailers were subject to various checks including the earlier card industry data security standards. However, online payments have created the need for the RBI to secure payments done online without compromising customer financial data, he said.
Tokenisation is an attempt to give customers a better sense of security.
Most importantly, in the case of a breach, card data is protected.
In the event of a data breach or hacking attempt at the merchant's end, the customer's card details will still be protected, Moghe said.
(Updates an earlier version published in September 2021 to change the tokenisation rollout deadline to Oct. 1)