If you have switched many of your transactions to non-cash modes in the last few years, you are not alone. More and more retail investors are switching to non-cash modes—for both person-to-person transfers and person-to-merchant transactions. In the current financial year alone, the number of credit card transactions at points of sale (PoS) has gone up from 132.32 million in April to 145.85 million in November 2018, according to the latest Reserve Bank of India data. For debit cards, the volume is up from 333.77 million in April to 376.57 million in November. Volumes have increased for other modes of retail transactions, such as mobile wallets or UPI (Unified Payments Interface), as well.
While non-cash transactions simplify processes and save time and effort, they also make you susceptible to frauds. In order to ensure that you, the consumer, is least susceptible to frauds and your card transactions remain secure, the Reserve Bank of India has allowed card networks like Rupay, Visa or Mastercard to offer card tokenisation service for retail transactions.
After it becomes operational, you may not find a significant difference in the way you do a digital transaction for a merchant payment, in reality, your transaction will become more secure. We tell you what tokenisation is, and how it works and impacts you.
What is tokenisation
When you use your card, debit or credit, for a transaction, the execution of the transaction is based on information like the 16-digit card number, the card expiry date, the CVV as well as the one-time password or transaction PIN. In fact, a transaction is successful only if all of these variables are entered correctly for a specific transaction. Tokenisation refers to replacement of actual card details with a unique alternate code, which is referred to as the “token”. This token is unique for each combination of card, token requester and device.
“Tokenisation devalues and depersonalises card data. The tokenised information is not in the form that we usually see it. Instead of normal card details, for each transaction, there will be a unique and dynamically generated value that the merchant and the acquiring bank can understand,” said Niranjan Kumar Upadhye, general manager, fraud risk management division, Worldline India, a payments processing company.
As a consumer, you don’t really get to see the token, it is more like an encryption key or a hash. “How it usually works is that the token is generated by a container app. This generated token is shared with the merchant using modes like QR code or NFC (near-field communication) or server to server,” said Harshil Mathur, chief executive officer and co-founder at Razorpay.
For instance, Mathur said, Google Pay supports tokenisation across the world, and may soon do it in India too. How it works globally is that you save your card details with Google Pay. When you pay to a merchant via Google Pay, it will ask you which card you want to use. Once you choose the card, Google Pay will generate a token and share it with the merchant. The merchant will receive it, in whatever mode it is in, and use it to process the transaction. Here, the transaction will get completed, without the merchant and the point of sale terminal actually getting the card details, he said.
How secure is it?
With the rapid growth of digital payments and card transactions, merchants process millions of card transactions in a day. At the check-out, many of these merchants give you the option to save the card number, and there is risk of these saved details getting compromised. “In an effort to make the check-out as seamless as possible, more merchants are saving the same card numbers. This makes the risk exposure go up, because any hack in any of these systems will create a security risk and compromise the consumers’ card details,” said Ajay Adiseshann. founder and chief executive officer, PayMate, a digital payments solution provider.
When the card details are not saved on these platforms, or are saved in an encrypted manner, the risk of compromised data leading to fraudulent transactions as well as cancellation and re-issuance of tens of thousands of cards is avoided or reduced. This means your risk gets reduced when you share a token with a merchant. “If a card detail gets leaked out, then cancelling and getting a new card is a tedious and long process. But if a token is leaked, it is much simpler to cancel. In fact, the token cannot be used by the merchant or anyone else for any other purpose than it was actually intended for,” Mathur said.
These tokens are specific to a card, transaction and device. Moreover, Adiseshann said, several other permutations and combinations can be incorporated in a token to include other variables like value and time of transactions to make it unusable for any purpose other than it is actually intended for.
All of this processing will happen at the back-end of the transaction, and very little would change for you as a consumer. Moreover, RBI, in its notification, said there would be no additional charges for the service for a consumer.
Why just for cards
However, one of the key questions doing the rounds is: why is this measure being adopted only for card transactions? After all, other forms of cashless transactions such as Netbanking, mobile banking as well as UPI are also growing rapidly. The answer is: because UPI has been designed keeping in mind current technology, while card designs used older technology and need an additional layer of security like tokenisation. “If I have a UPI handle (of someone else), I cannot do anything with it, it is just an identification. But if I have card details (of someone else), I can actually do a transaction. A card number is more than just an identification,” Mathur said.
Similarly, Netbanking also has in-built security features like restricting the daily transaction amount, apart from the multiple factor authentication. Not just that, banks are constantly employing methods to make transactions safer and simpler as well as monitoring transaction patterns. “There are some innovative ways of authenticating a transaction, if it is coming from an unusual IP address or a merchant where you have not transacted before. If somebody who is not accustomed to a particular transaction or type of transaction, banks may throw up an additional challenge for the user, which is called a step-up authentication. It could be by way of asking a secondary password or any other detail that only you would know,” Upadhye said.
Token or no token, it is important to maintain basic hygiene while using digital payments. Do not share sensitive information like card details, security PIN or one-time passwords with anyone. Also, be cautious while using cards for payments on lesser known or untrustworthy platforms.