The Reserve Bank of India (RBI) has permitted tokenisation of debit and credit cards with a view to enhancing data security and preventing the hacking of sensitive information. Currently, tokenisation can be done in India only through one’s smartphone or tablet, not through other devices.
Let us understand what tokenisation is all about:
What is a token and how is it different from encryption?
Your card carries a 16-digit number together with a security code. When this is hacked, or someone lays his hands on this piece of data, he can misuse your card. To nip this mischief in the bud, ‘tokenisation’ was brought in. A token is akin to a surrogate number, except that it is randomly generated by the card company’s system through a complex algorithm using the card owner’s details and the transaction underway, i.e. the merchant establishment’s details.
Tokenisation differs significantly from encryption. Encryption is not fool-proof: whoever holds the decryption key can penetrate the secret codes. With tokenisation this is not possible, because the token is randomly generated afresh each time by the system. Only the card company is able to relate the token to the card holder’s primary account number (PAN), i.e. his card number, bank account number etc.
An analogy is in order. Some banks earlier allowed online card payments to go through on entry of the registered secret code. While this was good, it wasn’t good enough, because the secret code can also pass into the wrong hands. The RBI rightly started insisting on an OTP, because an OTP is generated afresh each time a transaction is sought to be put through, just like a token, except that a token is more complex, containing unique alpha-numeric codes derived from the card holder and the merchant.
Where can I use the token-based cards?
Instead of the actual card details, this token is used to perform card transactions in contactless mode at point-of-sale (POS) terminals and in quick response (QR) code payments. In other words, you flash your Android smartphone at the cashier in a store, whose scanner captures the token, thus triggering the payment process.
How do I get started?
There is an Apple Pay app, just as there is an Android Pay app, for example. These two are the most popular smartphone payment technologies and are hence used as illustrations in this discussion. On your Android phone, snap the card with its details. The app immediately converts it into a token, securing you straight away. This token number is immediately sent to the card company.
When you go to a merchant establishment which is on the Visa or MasterCard token platform, the process of payment verification and authorisation kicks off as before, but with a difference: both the payer and the merchant are sent the freshly generated token along with the amount. The payer then explicitly approves the payment as usual by clicking the ‘confirm’ button, which completes the process. In other words, apart from the first round of registration, there is the additional safeguard of a fresh, randomly generated token for each transaction.
How is token different from the existing mobile payment services like UPI?
The National Payment Corporation of India (NPCI) brought in the Unique Payment Interface, or UPI, a few years ago so that one doesn’t have to carry the card wherever one goes and tediously and carefully type out the 16-digit number each time a payment is made. But instead of a dynamic, real-time token, it sets store by the static email address of the account holder, and one’s bank details, including card details, are linked to that email address.
In other words, the UPI server does the rest once you share your unique email address, as the bank details are dovetailed into your email address. So all that a UPI payer has to remember is his email address, which isn’t a big deal.
The risk is that if a hacker gets to know the trigger, i.e. the email address, he can systematically work backwards and access all the banking details. This is not possible under the tokenisation regime, because a token is generated afresh each time. In short, both the token and the OTP are dynamic, as opposed to static numbers and details that are amenable to hacking and misuse.
Is a token device-specific?
Yes. Every smartphone has a unique number, and the tokenisation regime takes all these unique features into account while generating and dispensing a token number. If the request for a token emanates from a different device, the request is rejected. In other words, unless the request comes from the card holder through his registered device, for a payment to a token-compliant establishment or app, the payment cannot proceed.
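As an added illustration (not code from this article or from any card network), the following hypothetical Python token vault models the properties described above: the token is random rather than derived from the card number, only the vault can map it back, a fresh token is issued for each transaction, and a request from any device other than the registered one is rejected. The class and function names, the sample card number and the device and merchant identifiers are all constructed.

```python
import secrets


class TokenVault:
    """Hypothetical stand-in for the card company's token system; it alone
    holds the table that relates a token back to the PAN."""

    def __init__(self):
        self._devices = {}  # PAN -> set of device ids registered for that card
        self._tokens = {}   # token -> (PAN, device id, merchant id)

    def register_device(self, pan, device_id):
        """First-round registration of the card on one device."""
        self._devices.setdefault(pan, set()).add(device_id)

    def issue_token(self, pan, device_id, merchant_id):
        """Fresh token for one transaction; None if the device is not registered."""
        if device_id not in self._devices.get(pan, set()):
            return None
        # Random, so no key recovers the PAN from the token; only this
        # table can, which is the difference from encryption.
        token = secrets.token_hex(8)
        self._tokens[token] = (pan, device_id, merchant_id)
        return token

    def detokenise(self, token, device_id, merchant_id):
        """Single-use lookup, valid only for the device and merchant it was
        issued for; a mismatched attempt also burns the token."""
        entry = self._tokens.pop(token, None)
        if entry is None or entry[1] != device_id or entry[2] != merchant_id:
            return None
        return entry[0]


def demo(pan="4111111111111111", device="phone-A", merchant="store-1"):
    """Constructed sample values: two payments at one store get two different
    tokens, and a request from an unregistered device is rejected outright."""
    vault = TokenVault()
    vault.register_device(pan, device)
    first = vault.issue_token(pan, device, merchant)
    second = vault.issue_token(pan, device, merchant)
    return {
        "distinct": first != second,
        "resolves": vault.detokenise(first, device, merchant) == pan,
        "replay": vault.detokenise(first, device, merchant),
        "wrong_merchant": vault.detokenise(second, device, "store-2"),
        "other_device": vault.issue_token(pan, "phone-B", merchant),
    }
```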
Is tokenisation compulsory?
No, it is not. It is for the card holder to decide whether he wants to secure his payments through his mobile or tablet device. The merchant cannot compel him either, even though the merchant himself might be tokenisation-compliant.