From the UPSC perspective, the following things are important:
Prelims level : Tokenization
Mains level : Transaction safety
The RBI’s deadline for tokenization of cards used in online payments passed on 30 September.
What is Tokenization?
- Tokenization refers to the replacement of credit and debit card details with an alternative code called a ‘token’.
- This token is unique for a combination of card, token requestor (the entity that accepts a request from the customer for tokenization of a card and passes it on to the card network to issue a token) and the device.
How does it work?
- Tokenizing credit and debit cards is a way to reduce the number of places where your card data can be found.
- For instance, payments on Uber showed a warning that your card data will be saved with payment networks such as Visa and Mastercard.
- What it is saying is that a merchant like Uber will have to work with payment networks like Visa to convert the card details into a digital token, which is then used to validate transactions.
- As a result, the card details you enter on the Uber app, or any online platform, are not stored on the company’s cloud servers, and are hence more secure.
What is the digital token being used?
- The digital token is a randomized string, usually alphanumeric. So, a 16-digit card number gets converted to something like 8f9%yf57ljTa.
- It is generated by computer programmes; the card network tags the token to your actual card details and relays the token to the merchant.
- When payments are to be requested, the merchant sends this token to the card network, which matches it against the saved details and validates the transaction.
- A third party who obtains the token will have no use for it, since tokens are unique to each combination of card, token requestor and merchant.
Who can offer tokenization services?
- Tokenization can be performed only by the authorised card network, and recovery of the original Primary Account Number (PAN) should be feasible only for the authorised card network.
- Adequate safeguards have to be put in place to ensure that the PAN cannot be derived from the token, or the token from the PAN, by anyone except the card network.
- RBI has emphasised that the integrity of the token generation process has to be ensured at all times.
Benefits of Tokenization
- Transaction safety: Tokenization reduces the chances of fraud arising from sharing card details.
- Easy payments: The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.
- Data storage: Only card networks and card-issuing banks will have access to and can store any card data.
How were the transactions processed?
- There are many players involved in processing one card transaction today:
  - Payment aggregator
  - Issuing bank
  - Card network
- When a transaction happens on a merchant platform, the data is sent to the payment aggregator (PA).
- The PA next sends the details to either the issuing bank or the card network.
- The issuing bank then sends an OTP, and the transaction flows back.
How will tokenization prevent online fraud?
- Card details saved on an app are stored on cloud servers, which, if breached, can give the attacker access to information such as card numbers, expiry dates and the holder’s name.
- Though most merchants put special mechanisms in place to store card details in an obfuscated manner, it is much harder to breach a bank or a card network such as Visa than it is to breach websites and apps.
How does it differ from encryption?
- The primary difference is that the token cannot lead one back to the card details.
- In encryption, a computer program scrambles data using an encryption key, and anyone holding that key can turn the data back into its original form.
- In tokenization, however, there is no way to know what data a token represents unless one has access to the database of the entity that actually issued that token.
- In many cases, laws don’t treat tokens as “sensitive data”, so companies do not have to meet the same compliance requirements to protect them.
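To make the token/encryption contrast concrete, here is an added illustration (not code from the article, the RBI or any card network) of a minimal token vault as described under "What is the digital token being used?": the token is a random handle issued per (card, token requestor, device) combination, it can only be resolved by the vault holder, and a token presented from a different requestor is useless. The vault class, the 12-character alphanumeric format and the sample card number are all assumptions for the demonstration.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # token characters (assumed)
TOKEN_LEN = 12                                   # token length (assumed)


@dataclass
class CardNetworkVault:
    """Hypothetical token vault that only the card network holds."""
    # (PAN, token requestor, device) -> token
    _by_card: Dict[Tuple[str, str, str], str] = field(default_factory=dict)
    # token -> PAN
    _by_token: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, pan: str, requestor: str, device: str) -> str:
        """Issue a token for one card/requestor/device combination.
        The token is drawn at random, so it is not a function of the PAN
        and nothing about the PAN can be computed from it (unlike ciphertext)."""
        key = (pan, requestor, device)
        if key in self._by_card:          # same combination -> same token
            return self._by_card[key]
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
            if token not in self._by_token:  # avoid the (unlikely) collision
                break
        self._by_card[key] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault holder can map a token back to the PAN."""
        return self._by_token.get(token)

    def authorize(self, token: str, requestor: str, device: str) -> bool:
        """Validate a payment request relayed by the merchant: the token must
        exist and must have been issued to this requestor and device."""
        pan = self._by_token.get(token)
        if pan is None:
            return False
        return self._by_card.get((pan, requestor, device)) == token


if __name__ == "__main__":
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed sample PAN, not a real card
    token = vault.tokenize(pan, "uber", "phone-1")
    print("merchant stores:", token)               # e.g. 8f9yf57ljTaQ (random)
    print("genuine request:", vault.authorize(token, "uber", "phone-1"))
    print("stolen token reused elsewhere:", vault.authorize(token, "grocer", "phone-1"))
```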