How card tokenisation can make online payments safer

How will tokenisation work?

Following is the token lifecycle:

A. Token provisioning or token generation post user consent

B. Token processing during any new transaction initiated by customer or merchant

C. Token management by user (suspend, resume, delete). In case a user wishes to stop or delete token at a particular merchant, user can easily do that

Benefits of tokenization on your cards

• With rising subscriptions and recurring economy, intent based unique tokens enables users to manage multiple subscriptions (COF or SI) very securely

• Can be used for online card on file and device based tap n pay contactless payment on mobile devices

• Greater protection against data theft due to higher storage security

• Higher customer control to view and manage tokens and set controls

• Bring standardization for card storage across eco system rather than every entity implementing their own standards

Tokenization is much needed shot in the arm towards higher security for online payments. Rising digital payments in India need secure standards for online payments use cases mentioned which are key drivers for tokenization which can eventually dovetail with the broader data protection standards in future.

Visa, the global leader in digital payments, has recently provisioned 100 million CoF (card-on-file) tokens in India. This landmark has been achieved in line with RBI's guidelines on CoF tokenisation, focusing on two key benefits – consumer and ecosystem security and an enhanced checkout experience.

Sandeep Ghosh, Group Country Manager, India and South Asia, Visa, said: "RBI's move to allow CoF tokenisation has truly revolutionized digital payments across India's e-commerce platforms. We have always prioritised providing security-focused tailored payment solutions to customers. In recent months, Visa has worked closely with our banking partners and merchants to drive consumer awareness as well as technology enablement for seamless adoption of card tokenisation."

RBI's CoF tokenisation guidelines mandate replacing actual card data with encrypted digital tokens, which are then used to facilitate and authenticate transactions. This devaluation of sensitive card details alleviates risk and vulnerability of sensitive data, as only tokens are present in transit, across the 'in-rest' and 'in-use' phases.

The guidelines are expected to enhance consumer trust in e-payments, ensure seamless transactions and give card issuers the confidence to authorise a higher number of transactions. As a market leader in digital payments, Visa has been driving the adoption of this capability to further strengthen payment safety in the ecosystem.

Talking to Bizz Buzz, Ravi Battula, Vice President (Merchant Acquiring Business), Wibmo – a PayU company, says, "Like UPI adoption exploded due to interoperability and standards driven, tokenization is much needed shot in the arm towards higher security for online payments for recurring and subscription payments which are on the rise."

There would be initial friction, which is natural with any change at population scale, eventually this will drive higher security across ecosystem for consumers, merchants, aggregators/fintechs, acquirers and issuers.

Tokenization is a process of replacing sensitive information with a non-sensitive information (token) either completely or partially, rendering the token useless for unintended user. Tokens are irreversible, original data can't be derived back using a key unlike cryptographic process. It follows principle of 'pseudonymization' (pseudo anonymization or simply put alias or surrogate) for sensitive data like Aadhar, SSN, credit card, bank accounts, phone, or DoB (date of birth). A tokenization system links the original data to a token but does not provide any way to decipher the token and reveal the original data.

For example, in case of a card/PAN, token PAN generated using the format preserving hash which are irreversible PAN and lunch's check is passed on the same so all the card validations on the token are also successful and follow card network rules.

Any token generated for a card will inherit the key attributes of the original card for e.g. expiry date, product code and card art.

Tokenization inherently uses pseudonymization process to replace sensitive data with random data. Card tokens are intent based which is unique per merchant. Card token generated at one merchant can't be used at other merchant. In case of any data compromise at a particular merchant/entity, it can't be used for any other purpose. Even if the bad actor wants to use the stolen token at the same merchant, they will also need the cryptographic keys to initiate any transactions which is almost impossible to get access to organization's cryptographic keys.

Hence tokenization makes the data storage, data transmission and data usage very secure without worrying about misuse. In this case, user would simply delete/cancel the token for a particular merchant only as opposed to cancel the card and manage storage at all other locations.