Explainer: How to tokenize credit/debit cards; what happens if you don't
The RBI has announced a new rule under which all credit/debit card transactions would be tokenized, reducing the risk of fraud.
All debit and credit cards can be tokenized for safer online transactions
HYDERABAD: Consider the following headlines: 'Debit, credit card frauds on the rise', 'Banks see a steep rise in frauds', and 'Customer card-data leak cases seen increasing'.
Such reports are increasing by the day, with online fraudsters using advanced coding techniques to access and use customers' debit/credit card data.
The Reserve Bank of India (RBI) has announced a new rule under which all credit or debit card transactions would be tokenized, reducing the risk of card-related fraud. The new rule is applicable to all card transactions, whether made online or through Point of Sale (PoS) devices. The rule will come into force from October 1, 2022.
The intention is to reduce the risk of card data being leaked to fraudsters.
When a debit/credit card is used for a transaction, certain data, like the card number, CVV, expiry date, and personal information of the card owner, gets stored on the device on which the transaction takes place, be it our device (mobile phone, laptop or desktop) or the merchant's device (point of sale machine). There is every chance that this sensitive information could be gathered by fraudsters if the user's, merchant's or website's database is hacked or compromised.
With tokenization, whenever a card transaction is made online, a token would be generated, just like a transaction ID.
Each card would have one token for one particular merchant (like Amazon, Flipkart, Swiggy, Zomato and a host of others). After the transaction, only the token, which is an encrypted code, would be saved in the database/device. No other information about the card or the customer would be stored on the servers.
To understand the rule better, here is an example of how tokenization would work:
A customer 'XYZ' has a credit card from A-bank. She uses the A-bank card to purchase groceries online. She enters her A-bank card details on X-app and receives a One-Time Password (OTP) from the bank. After she enters it, a token is generated and permanently saved on X-app, and her card details are automatically removed from the server. The next time she wishes to order something from X-app, her token will already be there and she will just have to use her CVV and OTP to finish the transaction. Knowing that her card details are not being saved online and that she does not have to enter card details for every transaction, she opts to tokenize her card on every site that she shops from.
With no card data or customer information being saved online after a tokenized transaction, the risk of fraud is reduced. The card becomes secure or tamper-proof. Customers would experience ease of transactions as they would not be asked to enter the entire card details every time they wished to make a transaction.
A customer can choose to register or de-register from tokens. They can also de-register from tokens associated with recurring transactions.
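The flow above (one token per card per merchant, the X-app example, and de-registration), sketched in Python as an added illustration; this is not code from the RBI, any bank or any card network. The `TokenVault` class and its method names are hypothetical, the card number is a constructed test value, the OTP check is reduced to a true/false flag, and the example assumes the token is a random value whose mapping to the card is held by the token issuer rather than the merchant.

```python
import secrets

class TokenVault:
    """Hypothetical stand-in for the party that issues tokens and maps them to cards."""
    def __init__(self):
        self._by_token = {}  # token -> (card number, expiry, merchant)
        self._by_pair = {}   # (card number, merchant) -> token

    def register(self, pan, expiry, merchant, otp_ok):
        # A token is issued only after the cardholder's OTP check succeeds.
        if not otp_ok:
            raise PermissionError("OTP verification failed")
        key = (pan, merchant)
        if key not in self._by_pair:       # one token per card per merchant
            token = secrets.token_hex(8)   # random value, not derived from the card number
            self._by_pair[key] = token
            self._by_token[token] = (pan, expiry, merchant)
        return self._by_pair[key]

    def deregister(self, token):
        entry = self._by_token.pop(token, None)
        if entry is not None:
            del self._by_pair[(entry[0], entry[2])]
        return entry is not None

    def authorize(self, token, merchant, otp_ok):
        entry = self._by_token.get(token)
        # Refuse unknown or de-registered tokens, a token presented by a
        # different merchant, and any request without a valid OTP.
        if entry is None or entry[2] != merchant or not otp_ok:
            return None
        return entry[0][-4:]  # simulation only: last four digits of the card charged

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    merchant_db = {"XYZ": vault.register(pan, "12/27", "X-app", otp_ok=True)}
    other = vault.register(pan, "12/27", "Y-app", otp_ok=True)
    results = {
        "pan_in_merchant_db": pan in merchant_db.values(),  # X-app holds the token only
        "repeat_purchase": vault.authorize(merchant_db["XYZ"], "X-app", otp_ok=True),
        "token_at_other_merchant": vault.authorize(merchant_db["XYZ"], "Y-app", otp_ok=True),
        "tokens_differ": other != merchant_db["XYZ"],
    }
    vault.deregister(merchant_db["XYZ"])
    results["after_deregister"] = vault.authorize(merchant_db["XYZ"], "X-app", otp_ok=True)
    return results
```

Calling `demo()` shows that the merchant's record never contains the card number, and that a token is refused when presented by a different merchant or after de-registration.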
From October 1, all the existing data with merchants/websites would also be erased. Customers would not be forced to save card data on any platform.
Customers can tokenize their cards whenever they visit a merchant website or app: an option labelled 'save card as per RBI guidelines' would ask the customer to enter the card details and generate the token using an OTP. Once a token is saved for a particular card on a particular website, the user would not have to enter card details repeatedly.
They can also opt to de-register from sites which they do not often shop from.
It is not mandatory to opt for tokenization and it would not affect regular transactions. However, those who do not tokenize their cards would have to enter card details each time they choose to make a transaction.
Tokenization is completely free of cost and would not burden the customers or the merchants.