Our take on the impact of RBI’s tokenization guidelines

RBI has come up with new guidelines under which card processing firms and others who deal with card details are to follow tokenization norms.

The tokenization of card transactions is not new and has already been a norm in the card payments industry in many international markets.

What is Card Tokenization?

Tokenization is a term which is commonly used in many industries. For the cards industry, it means replacing the sensitive card number with a unique series of characters (commonly referred to as a token).

For example, a card number like 4242 4512 1234 4120 will be replaced by some unique series of characters generated by the card network (MasterCard, Visa, Rupay, etc.).

When Tokenization Comes into Play

A lot of websites today ask customers to save card information. This allows faster checkout and also reduces the chance of transaction failure due to incorrect payment details.

So far, any business that stored card details for future transactions had to be PCI compliant, which is challenging for many small businesses.

With the new changes, most websites will be able to save a card token instead of the exact card details, and hence may not need to be PCI compliant.


Opportunities as Tokenization Becomes the Norm

Consumers are rapidly switching to non-cash payment methods, aka digital payment modes.

Without exposing the consumer’s account to fraud, tokenization enables frictionless and secure payments in different environments: online, in-store and in-app.

While the primary aim of card tokenization is enhancing security, it also makes way for innovative developments, giving opportunities to businesses accepting digital payments and to other payment industry players.

A. Boost to QR Code Transactions

QR code transactions are easy and are quickly picking up. Right now, only UPI-based apps support QR code payments.

With tokenization, as card networks start to provide the service of converting card details to a token, maintaining an infrastructure for secure transactions will be easier, and apps like Google Pay may introduce QR code payment via cards as well.

Further, building payment features similar to Bharat QR, mVisa and similar apps will be easier, since PCI compliance may not be required anymore. Such apps will enable users to connect their cards and pay directly by scanning the QR code displayed at the offline store, making card payment faster and easier while still being secure. The same could also be used for online checkouts by scanning a QR code.


B. Recurring payments

There has been an expectation that RBI will enable recurring payments in India. Recurring payments refer to an amount being auto-deducted from your linked card or bank account as per already agreed terms.

While recurring payments are enabled on credit cards, credit cards themselves have a very small penetration in India.

With UPI 2.0 also not enabling recurring payments, it could be believed that RBI will eventually allow recurring payments on debit cards as well. Tokenization could be a step in that direction. NPCI, though, is separately building out a platform for recurring payments over net banking and debit cards.

C. ApplePay and other global payment solutions

Payment modes available outside India, like Apple Pay and Android Pay, work with tokenization. These payment modes use their proprietary algorithms to generate tokens from your card information.


Source: https://www.apple.com/apple-pay/

Once the Indian payments ecosystem adopts tokenization as the minimum standard, it would become more lucrative for these tech firms to bring their technology to Indian consumers.

D. Making way for newer technologies like NFC

The robustness of a technology is tested by its ability to integrate with existing technologies. Tokenization integrates seamlessly with NFC (Near Field Communication) for contactless payments.

One example of an NFC payment solution is Pockets by ICICI Bank. This involves tapping your smartphone at an NFC-enabled merchant terminal and making the payment through your linked card.

With card details being tokenized, we can expect more innovative NFC mobile apps for payments.

Can a token be stolen?

Everything can be stolen, even your Aadhaar details. The same applies to a card token. However, a stolen token will not impact the saved card details or the unrelated tokens generated for transactions on other merchant websites. This limits the severity of any data breach and also makes it uneconomical for hackers.
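The containment described above, as an added sketch that is not part of the original article and is not any card network's actual algorithm. The `TokenVault` class, the merchant IDs and the `tok_` token format are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Toy stand-in for a network-side token service (hypothetical)."""

    def __init__(self):
        self._by_token = {}  # token -> (card number, merchant it was issued to)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        # Random value: the token carries no information about the card number.
        token = "tok_" + secrets.token_hex(12)
        self._by_token[token] = (digits, merchant_id)
        return token

    def resolve(self, token: str, merchant_id: str) -> str:
        """Network-internal lookup; succeeds only for the issuing merchant."""
        entry = self._by_token.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        pan, owner = entry
        if not secrets.compare_digest(owner, merchant_id):
            raise PermissionError("token not valid for this merchant")
        return pan

    def revoke(self, token: str) -> None:
        self._by_token.pop(token, None)


def simulate_breach() -> dict:
    vault = TokenVault()
    pan = "4242 4512 1234 4120"  # sample number from the article
    tok_a = vault.tokenize(pan, "merchant-a")
    tok_b = vault.tokenize(pan, "merchant-b")
    results = {"distinct": tok_a != tok_b}
    # The token leaked from merchant A is presented through merchant B.
    try:
        vault.resolve(tok_a, "merchant-b")
        results["replay_blocked"] = False
    except PermissionError:
        results["replay_blocked"] = True
    # Revoking the leaked token leaves the card and merchant B's token usable.
    vault.revoke(tok_a)
    resolved = vault.resolve(tok_b, "merchant-b")
    results["b_still_works"] = resolved == pan.replace(" ", "")
    return results
```

Because each token is bound to one merchant, incident response after a leak is a revocation of that merchant's tokens rather than a card reissue.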


While the RBI has come up with guidelines around tokenization, it would be interesting to see how the payments industry works around it. India hasn’t really seen many payment information breaches (card details), unlike other nations. Tokenization can be a double-edged sword that can make merchants less compliant with PCI norms and could also lead to lower security standards within the industry.

But, hopefully, we will see new unique opportunities being presented with this change.