What is RBI tokenisation? Will your online shopping change?

RBI has brought in new rules to do online transactions starting January 2022, which is expected to be a step towards reducing the impact of data hacks by companies. Instead of saving card details on the payment platforms like Amazon, customers will now have to create a token on each shopping portal (which once created will be saved for future use like saved cards), and use this token for every purchase thereafter. This was done to reduce the data available to hackers if the shopping portals were to face a data breach issue. But how did we reach here?  

THE SITUATION AT HAND 

Take an (fictitious) example. Rajshekhar, a corporate employee of a Delhi-based company was aghast when he saw a barrage of messages in his inbox. His card had been swiped for a total of Rs 60,000 while he was busy at work and he had no clue about it because his card was in his wallet all along. He couldn’t believe his eyes when he read about the Domino's data breach in the news. He had just hosted a birthday party that weekend, and the pizza was ravished by all of his friends. Did someone get his account details by any chance?

His fears came true when he read about how the Dark Web sold this stolen data from data breaches for a cheap US $5 (that's less than Rs 400). Someone had used his card (before he could block it), changed the password, and accessed his account from another device. Now he couldn’t even access the app.

THE PROBLEM

This problem is faced by millions in the world and has a multifold impact because data breaches like this feel scary. No one in their right mind would want their private data public and more instances like this will make people lose trust. Loss of trust means loss of online sales in a world where everyone is moving towards online sales. No one wins in the end. Sure, saving your card details on platforms are convenient for your sales; but when these platforms face data breach, the risk to customers and the companies is huge! They lose reputation and are required to face legal and financial repurcussions. Not to mention the threat of possible blackmail.

So RBI, the official money protector of India, has come up with a new guideline where e-commerce companies will not save card details on their platform.

HERE IS THE PLAN

Till date, we all keyed in our card details on platforms and payment gateways (like Amazon) and then used it for our subsequent purchases because they were our "Saved Cards" and details of our card number, CVV and OTP were already saved.

Going forward, banking companies will use a 'tokenisation' system to make online payments where token numbers will be saved instead of card numbers.

As per the system, payment gateways and platforms cannot save your card details any more. A unique token will be generated when you transact the first time, and this token will be saved on your shopping platform. Your unique token will be 'card-specific' and be relevant to one platform at a time. It will mask your card details and will also be available to specific devices that are selected by you. This saved token can be used for repeat payments.

So, users will have two modes of payment now:

1. Before you buy an item, make a token and save it on the particular website for future use. Opt for tokenisation when you pay. 
2. Or enter your card details every time you buy stuff off the internet.  

HOW WILL THIS WORK?

1. You go on your merchant website (Domino's, for example) when you place your order and opt for tokenisation. Once you give consent for tokenisation, your merchant (Domino's) will forward the payment request to Visa or Mastercard (i.e., your card network). 
2. A 16-digit token is generated by Visa or Mastercard (that resembles your card number) and sent back to Domino's, which will be saved for you on the Domino's portal by Domino's. Now, the next time you come back to shop, just select this saved token at the time of checkout, enter your OTP and CVV to approve, and complete your transaction.
3. You will see the same masked card details and last four digits of your card number. You won't need to remember your token and your shopping experience won't change. Except, it will be a little safer. 

BUT WHAT IF YOUR TOKEN NUMBER GETS LEAKED?

A token number is unique for each website and will be available for a set device only. So, even if your friends know your token number, they need your device for the same. So that reduces the risk portion.

TOKEN MANIA

A person will have one token for one card, and a different one for each merchant. An ICICI card, for example, will have one token for Amazon purchases, another token for Myntra purchases and another for Flipkart.

If you have many cards, there will be a dashboard on the bank website to indicate the list of tokens and the respective merchants that use the same. You may delete the tokenised cards of websites you do not use frequently. If your card gets expired or replaced, you can visit the page of the merchant and create a fresh token for the new card.

Do you think this is safe enough?