Explained: What’s tokenisation and how it will impact online payments

Come January 1 and all online merchants will be required to ‘tokenise’ your debit and credit card details, in a bid to make online payments safer and hassle-free.

But the rollout could be far from smooth, if recent news reports are anything to go by.

A report by business news website Moneycontrol says that while large payment service providers and card networks are ready for tokenisation, customer adoption and last-mile integration is unlikely to be completed by the deadline.

The report notes that in case any part of the ecosystem is not fully prepared, the impact will be far-fetched, as tokenisation impacts all online payments.

But first things first, what really is tokenization?

According to the Reserve Bank of India (RBI), which has mandated the new move, tokenization refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of device, card and token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token).  

So, what is the benefit of tokenisation?

The RBI says that a tokenised card transaction is safer as the actual card details are not shared with the merchant at the time of processing a transaction.

Does the card holder have to initiate the process for his or her card to be tokenised?

Yes, according to the RBI, a card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.

Is the service free for customers?

Yes, the RBI says that the customer does not have to pay any charges.

Can tokenisation be enabled through a smart watch or such other devices?

The feature of tokenisation is restricted to mobile phones and / or tablets only, says the RBI.

Have any big payments service managed to tokenise cards across all the major providers?

Flipkart-owned payments app PhonePe claims to have become the first payments platform to tokenise cards on all three major payment networks—Visa, Mastercard and Rupay.

PhonePe’s tokenisation solution ‘PhonePe Safecard’ will help businesses save significant time and effort by removing the need to integrate with multiple card networks while complying with RBI guidelines, the fintech firm says.

PhonePe says it has launched a tokenisation solution for debit and credit card transactions. This, it says, enables businesses to offer tokenisation on their own platforms via simple API integration and a minimum turnaround time. With this solution, businesses can create, process, delete and modify tokens for online card payments with customers’ consent, the company said in a statement.

With this solution, customers can securely save their cards issued by all three major networks minimising any chance of transactional fraud, it said.

Apart from PhonePe, Razorpay and PayU are also ready with their tokenisation products.

So, where is the big problem still?

The problem, says Moneycontrol, is that less than a fortnight before the January 1 rollout, banks, card networks such as Visa, Mastercard and RuPay, and payment gateways are yet to fully integrate the new Card on File Tokenisation (CoFT) payment method. While there is partial preparedness, no part of the payments ecosystem has told the RBI that more time is required for a non-disruptive implementation.

Beyond payment gateways and card networks creating tokens, work needs to be completed on two more fronts. One is integrating multiple internal systems for various kinds of payments, including EMIs and recurring payments, to tokenisation. The other is customer education.

Ok, wait, so what is this CoFT now?

Nothing new. CoFT is basically jargon for the whole process of tokenisation explained above. CoFT refers to the replacement of actual card details with a code called a ‘token’, which will be unique for every debit or credit card and merchant platform where the card is being used.

In the absence of an alternative such as CoF Tokenisation, customers who wish to use their credit or debit cards will have to enter their details afresh for each transaction, including their 16-digit card number, card expiry date and card verification value (CVV).

So, should customers and merchants alike brace themselves for disruptions?

Yes. For one, customers at large will have to be made aware of this whole process of tokenisation.

In fact, as the Moneycontrol report points out, if things don’t go smoothly, January will see the industry suffer a second major disruption just months after the central bank’s recurring payment norms led to failed subscriptions and revenue losses for small businesses.

In case any part of the ecosystem is not fully prepared for tokenisation, the impact will be far-fetched, even larger than the recurring payments disruption. That is mainly because recurring payments make up only 3% of all payments in India, while tokenisation impacts all online payments, the report notes.

Could the January 1 deadline be extended?

Possibly yes, given the massive disruptions it could lead to. But there is no clarity on that yet.