You switch on your laptop to get some work done. You open your email on the side. There is a mailer from a shopping website about a new product they have launched. Curiosity piques your interest, and you obviously want to see what it is about. One thing leads to the other, and pretty soon, you have a virtual shopping now filled with 3 items that you feel are very much needed in your life. This virtual shopping card will now need to be paid for with real money, to get these things to descend at your home address, in reality. This is where you pause. To reconsider. Credit and Debit card transactions, ask any average user in India, are still a slightly scary prospect. The idea of punching in the card number, the expiry date and the CVV code into a system still elicits visions of giving your precious financial data to a faceless entity. You really don’t know where the details are going, how safe are they, how well will they be safeguarded, and will the transaction be authentic.
The Reserve Bank of India (RBI) has stepped in to assuage some of these fears, with a new set of guidelines for credit and debit card transactions. Here is how it’ll work, and this is what you need to do.
The central bank is introducing a system called ‘tokenization’, which means you as a user will be able to create an alternate unique code that can replace the actual credit or debit card details while making a transaction or payment. This 16-digit code, known as token, will be unique for every credit or debit card. The idea is to prevent skimming of card data, and subsequently prevent fraudulent transactions—this can be particularly scary for debit cards, which are linked directly to your bank account.
These tokens can be used for payments for online transactions, in-app transactions, point of sale terminals, quick response (QR) code-based transactions, near field communication (NFC) and magnetic secure transmission (MST) transaction methods. Basically, whether it is shopping online, making an in-app purchase in the PUBG game that you are addicted to, making bill payments or paying for a purchase in a physical store, you will be able to generate a token that will only be saved in the payment system for the payment to be released—at no point will the system be able to read your original card details, or trace back to them at any time.
The idea is to not have you save your actual credit or debit card data in an app or e-wallet, for instance, or reveal that at a brick-and-mortar store while making a purchase.
Initially, you will be able to generate a unique token for your credit or debit card using a mobile phone or a tablet to connect with your card provider, though the service will be extended to other devices soon, says the RBI. “For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained,” says the official circular issued by the RBI.
The RBI has made it clear that you don’t have to pay anything to get a token for your credit or debit card, and the service is free of cost. As per the guidelines, the tokenisation and de-tokenisation can be performed only by the authorised card network (such as your bank or credit card company). It is expected that credit and debit card networks such as Mastercard or Visa will work with issuing banks such as HDFC Bank, Standard Chartered Bank etc. to enable tokenization across the cards issued.
The access to the original Primary Account Number (PAN) should be feasible for the authorised card network only, and cannot be accessed by any third party. At no point can any third party also get access to your original credit or debit card details, by trying to trace the generation of the token. In case you lose the phone or tablet for instance, which was used to generate the token or save them for access, the RBI has mandated that the authorised card network to have an easy method in place to report such instances and generate new tokens instead.
The tokenization process will be slowly rolled out by banks and credit card companies, but this is surely something that could ease the fears of a lot of card holders. A lot will depend on the implementation though, which we hope is smooth and easy for users to decipher.