
Tokenization For Payments- Being RBI Compliant and Reducing Cardholder Data Footprint

In the late 90s, all the major card network companies aimed to come up with a solution to protect card data.

The internet revolution was just beginning and the probability of card theft was increasing day by day. What followed was a number of independent (some would say scattered) solutions. Visa came up with Cardholder Information Security Program, Mastercard had the SDP, and Amex had Data Security Operating Policy. 

As one would imagine, this led to a lot of confusion. 

Different customers might have different cards. Was a merchant/ payment aggregator supposed to follow separate regulations? Was that even feasible?

Finally, in 2004, all the major card schemes teamed up to create the Payment Card Industry Data Security Standard (PCI DSS). This information security standard helped secure card transactions by introducing twelve requirements for compliance.

Fast forward 17 years…

The Reserve Bank of India took another big step to safeguard cardholders’ data. In simple terms, NO player in the payments chain could now store customers’ card data, except for banks and card networks.

Now, how do these regulations affect you as a merchant? How is tokenization of payments connected to security of card transactions anyway?

Consider this as a tell-all resource that will answer all your queries related to payment tokenization. 

What is Tokenization For Payments?

In layman’s terms, tokenization for payments is the process of replacing sensitive card details (above all the card number, or PAN) with a surrogate value that has no meaning outside the system that issued it.

The card number is replaced by a 16-digit token. In addition, every transaction needs a one-time cryptogram, and the token itself carries an expiry date.

The merchant or payment gateway keeps what it needs to recognise and charge the card (the token and the last four digits) without ever holding the card number.

This way, the data is of little use to anyone who steals it. Unlike encryption, a token cannot be reversed to the card number: it is random rather than derived from the PAN, and the only link between the two is the mapping held in the token vault at the card network or issuer.
Essentially, tokenization in payments aims to devalue the cardholder data.
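As an added illustration (not Cashfree’s code, nor any card network’s), the following Python sketch models a token vault along the lines just described: a random, Luhn-valid 16-digit token is issued per card and per merchant, the merchant gets back only the token, its expiry and the PAN’s last four digits, and the PAN can be recovered only by the party holding the vault table. The token BIN 990001, the three-year token life, the fixed clock and the field names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import date

TOKEN_BIN = "990001"          # assumed token BIN; real ones are allocated by the card networks
TOKEN_LIFETIME_YEARS = 3      # assumed; the page later cites a 3-year life for one network's tokens
TODAY = date(2022, 9, 1)      # fixed clock so the example is reproducible


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    # Walking from the right of `partial`, the first digit sits next to the
    # check-digit position and is therefore the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VaultEntry:
    pan: str
    card_expiry: str       # "MM/YY" of the real card; stays in the vault, not with the merchant
    merchant_id: str
    requester_id: str
    token_expiry: date


class TokenVault:
    """The table only the TSP holds. Everything a merchant receives is derived from here."""

    def __init__(self, today: date):
        self.today = today
        self._by_token: dict[str, VaultEntry] = {}

    def tokenize(self, pan: str, card_expiry: str, merchant_id: str, requester_id: str) -> dict:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Random body: the token carries no information about the PAN. The Luhn
        # digit keeps it shaped like a card number so existing rails accept it.
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                break
        expiry = date(self.today.year + TOKEN_LIFETIME_YEARS, self.today.month, 1)
        self._by_token[token] = VaultEntry(pan, card_expiry, merchant_id, requester_id, expiry)
        # The merchant's permitted footprint: token, token expiry, last 4 of the PAN.
        return {"token": token, "token_expiry": expiry.isoformat(), "last4": pan[-4:]}

    def detokenize(self, token: str, requester_id: str) -> str:
        entry = self._by_token.get(token)
        if entry is None or entry.requester_id != requester_id:
            raise PermissionError("unknown token, or not provisioned for this requester")
        if self.today > entry.token_expiry:
            raise PermissionError("token expired; re-provision with fresh AFA")
        return entry.pan

    def can_detokenize(self, token: str, requester_id: str) -> bool:
        try:
            self.detokenize(token, requester_id)
        except PermissionError:
            return False
        return True

    def delete(self, token: str) -> None:
        """Customer de-registration: with the entry gone, the token is unusable for good."""
        self._by_token.pop(token, None)
```

Because the token is drawn at random rather than computed from the PAN, there is nothing to invert: the mapping lives solely in the vault table, which is what separates this from encryption, where anyone holding the key can recover the plaintext. Tokenizing the same card for two merchants yields two unrelated tokens, so a breach at one merchant does not expose the other, and deleting a vault entry (customer de-registration) makes the stored token permanently useless.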

Why Should Merchants Care?

Broadly, there are 2 ways for businesses to accept payments through cards:

  1. Customer enters their card number, CVV and expiry date on payment page, and then authorizes the transaction through OTP
  2. You (as a merchant) have already saved their card details. All the customer has to do is select their pre-saved card, enter CVV and then OTP. 

As one would guess, the second option leads to more conversions because of lower friction in payment. After all, the customer doesn’t need to remember or enter card details anymore. 

Moreover, saved cards enable the subscription economy. In other words, recurring billing.

Now, saving customer cards requires PCI DSS compliance, apart from other regulations. This in itself is a time-consuming and resource-intensive process. 

Here, players like Cashfree Payments come into the picture. They store (well, used to store) your cards in their PCI-compliant vaults. This allows merchants to focus on their primary business instead of dealing with payment compliance hassles. 

But now this process has changed radically. 

As of September 2021, RBI announced that no entity apart from Issuer banks and card networks can save customer card details. 

This is where solutions like Card on File Tokenization (tokenization for payments through saved cards) come into the picture.

Is Tokenization For Payments a New Concept in India?: 2 Types of Tokenization Explained

In 2019, RBI had already approved tokenization for payments in India. However, it was limited to networks providing tokenization solutions for a very specific use: device-based tokenization.

Under this model, card networks like Mastercard, Visa, or American Express carry out the tokenization, and the token is saved on the payment device, like a mobile, wristband, PC, etc.

For instance, when the customer uses their mobile device to tap and pay using NFC technology. Another example would be transactions through apps like Apple Pay or Google Pay.

In 2021, RBI expanded the tokenization for payments framework to Card on File Transactions (CoFT).

In fact, most major banks have taken the necessary steps to enable tokenization requests across various card networks.

On the other hand, all merchants and payment gateways are preparing their parts of the ecosystem. This will allow them to pass through the card tokens (instead of the card number) while processing payments. 

How Can Businesses Approach Tokenization For Payments?

There are two ways of saving cards on file for merchants:

1) Becoming a Token Requester

Here, you (as a merchant) have to adhere to the compliance and regulation requirements of the card schemes.

You will have to individually work with all major card networks (Mastercard, Visa, Rupay, Amex) to generate, process and store card tokens. 

2) Working with Payment Aggregators/ Payment Gateway

Another (much more convenient) way is for you to work with a payment aggregator (PA) or payment gateway (PG) like Cashfree Payments. 

The PG helps you generate, store and manage the entire lifecycle of the token. 

There are 3 major guidelines that must be considered:

  1. Taking the explicit consent of the customer through AFA (Additional Factor Authentication). In practice this is the 3D Secure OTP-based payment flow. Consent cannot be forced, bundled with other terms or pre-selected; the customer has to opt in.
  2. Customers should have the option to de-register their token on the platform where they had previously added their card. 
  3. Finally, all merchants and payment gateways have to delete the cards previously saved on their platforms.

Why Should Merchants Move Quickly?

No matter which route a merchant chooses, it is imperative to move fast and switch to the tokenization framework as soon as possible.

Why do we say that?

Here are 3 major reasons: 

1) Reduce Friction for Customers

We know that once the deadline has passed, customers will need to re-enter their card details and re-authenticate to save cards on sites. All of this hassle (and possible churn) can be avoided if merchants shift to the new regime of tokenized payments. 

2) Avoid Business Disruption

Saved cards can significantly affect customer retention and lower cart abandonment. After the deadline, merchants will need to delete all saved cards. If they are able to onboard maximum customers to the new regime before the deadline, they can minimize business disruptions.

3) Get More Time To Identify and Solve Issues

Launching an industry-wide regime is bound to come with its own set of issues. 

The faster a merchant moves to the new regime, the quicker they will be able to:

  1. Identify any possible issues
  2. Find solutions for the same

Now, this was the compliance and execution side of things. 

But regulations are made towards an end. 

So what is the real reason behind RBI pushing tokenization for credit card processing?

Why is Tokenization For Payments Necessary? Understanding Cardholder Data Footprint

Now, the question arises: what is the need for tokenization in payments anyway?

Yes, as payment service providers, we want to ensure that we are compliant with RBI regulations.

But is that reason enough? 

More importantly, what are RBI’s motivations behind restricting the number of entities that can store card data?

Well, to understand that, we need to know the concept of cardholder data footprint.

The card transaction is transmitted, processed and/or stored across various machines, network segments, and even people. All of these come under the scope of the ‘Cardholder Data Environment’, or CDE.

Consider the CDE as a cookie factory. It does not matter whether someone is mixing the dough, baking the cookies or packaging them: ALL of them have traces of cookie material in their environment. 

Now, 

  1. Any system that touches the card data comes under CDE. 
  2. Any entity under the CDE is very desirable to hackers and bad actors. 

After all, all the hacker needs is the card number, CVV and expiry date, right?

So, what steps can institutions take to reduce the chances of theft?

  1. One way is to create an information security protocol. For instance, PCI DSS.
  2. Another is to limit the number of entities that come under the Cardholder Data Environment.

Scoping: Identifying Entities Under CDE

Now, here’s one more interesting pointer. 

Cardholder Data Environment does not just include systems that are processing card data.

It also includes any systems or people that connect to the CDE, provide security or segmentation for it, or could otherwise impact its security.

This process of identifying the technology or people that could impact the security of cardholder data is known as Scoping.

Now, the process of Scoping requires a lot of resources. 

More importantly, making people, processes and technologies compliant with PCI DSS is a whole new ballgame.

Moreover, failure to comply can result in very serious consequences like fines, surcharges or even blacklisting. What’s more, card schemes or Acquirers may start imposing higher merchant discount rates after marking you as a ‘high-risk merchant’. 

So, reducing the number of entities that come under CDE makes a lot of sense, doesn’t it?

Using Scoping To Reduce Cardholder Data Footprint: Tokenization As A Solution

By now, we have covered the importance of Scoping. 

Once you have identified the people, processes and technologies that affect the cardholder data security, you can move on to eliminate the ones that can be removed. 

Usually, there are 4 ways to reduce cardholder data footprint:

  1. Network Segmentation- Isolating Cardholder Data Environment from the rest of the company. 
  2. End-to-End Encryption- Creating secure communication links between devices or components, so that no intermediate device has exposure to the sensitive information.
  3. Outsourcing- Hiring third parties to do the heavy lifting. Nowadays, most companies choose to outsource their payment processing, card issuance, etc. to third-party players.
  4. Tokenization For Payments – Devaluing card data by replacing it with a random string of characters

Needless to say, we are focusing on the latter two points here. 

Given that these are proven to be one of the most effective ways of reducing cardholder data footprint, it is easy to understand why tokenization is important.

How Does Tokenization For Payments Work?

So, how does tokenization work in payments?

Well, the answer would depend on the payment flow. 

  1. Is the customer entering card details for the first time?: Guest Checkout
  2. Is it a returning customer who has a saved card on the site?: Saved Card Transaction
  3. Is the payment made through a card saved on a mobile phone, wearable, etc.?: Device Based Tokenization

However, before we move ahead, let’s acquaint ourselves with some of the players involved. 

Players in Payment Tokenization Process

  1. Token Requester- The merchant or the payment gateway that initiates the tokenization request for a card
  2. Token Service Provider– The card network or issuing bank that takes the card number and converts it into a token. Each token is unique to the combination of card number, token requester and merchant

Let’s have a look at how tokenization for payments would look like in each of these use cases. 

1) Guest Checkout 

  1. The customer selects a product and heads to checkout. They enter their card number, CVV and expiry date.
  2. The Token Requester will provision a token request to the ‘Token Service Provider’ or ‘TSP.’
  3. The Token Service Provider will generate a card token. 
  4. The TSP will share the card token with Token Requester
  5. The payment gateway or Token Requester will store the token and map it to the corresponding merchant and customer. The merchant will have access to the last 4 digits of the customer’s card to help with customer identification. This token saved with the PG will be used for all future transactions

2) CoFT Tokenization For Payments

Now, once the card token is created and saved, the token requester will be able to display the last 4 digits of the card number. In addition to this, they can show information like card network or customer’s issuing bank (like SBI, ICICI, etc.)

With this information, customers can identify their saved card and initiate the payment. 

Thereafter, here is how the process for Card on File (CoFT) tokenization for payments pans out:

  1. Customer heads to the payment page and selects preferred card
  2. The token requester will map that card to the respective token
  3. The token requester will seek a cryptogram from the Token Service Provider. Every cryptogram is unique to each transaction. It expires after that transaction or after a period of 24 hours
  4. The Token Requester will then use the cryptogram, along with the CVV and card expiry date for processing the payment
  5. The customer will enter their OTP for completing the 3D secure authentication (AFA). Once validated, the transaction will be completed
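The CoFT steps above, as an added example (not Cashfree’s code, nor any card network’s or bank’s): a small Python model of a token service provider that refuses to provision a token without explicit consent and a passed AFA, issues a per-transaction cryptogram bound to the token and merchant, rejects reuse and anything older than 24 hours, and recovers the PAN only inside itself. The token shape, the HMAC-based cryptogram, the field names and the merchant-side record are all assumptions; issuer-side CVV and expiry checks are left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CRYPTOGRAM_TTL = 24 * 3600  # seconds; step 3 above: a cryptogram lives at most 24 hours


class Clock:
    """Injectable clock (epoch seconds) so expiry can be exercised offline."""

    def __init__(self, t: int):
        self.t = t

    def __call__(self) -> int:
        return self.t


class TokenServiceProvider:
    """Stand-in for the network/issuer side. Token and cryptogram formats are assumptions."""

    def __init__(self, now):
        self._now = now
        self._key = secrets.token_bytes(32)   # MAC key for cryptograms; never leaves the TSP
        self._tokens: dict[str, tuple[str, str]] = {}   # token -> (pan, merchant_id)
        self._spent: set[str] = set()                   # nonces of cryptograms already used

    def provision(self, pan: str, merchant_id: str, consent_explicit: bool, afa_passed: bool) -> str:
        # Guideline 1 above: explicit opt-in plus AFA. A pre-ticked box is not consent.
        if not consent_explicit:
            raise PermissionError("consent must be an explicit opt-in")
        if not afa_passed:
            raise PermissionError("token cannot be provisioned without AFA")
        token = "9900" + "".join(secrets.choice("0123456789") for _ in range(12))  # assumed shape
        self._tokens[token] = (pan, merchant_id)
        return token

    def deregister(self, token: str) -> None:
        # Guideline 2 above: the customer drops the token; the PAN mapping goes with it.
        self._tokens.pop(token, None)

    def _mac(self, token: str, merchant_id: str, issued: int, nonce: str) -> str:
        msg = f"{token}|{merchant_id}|{issued}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]

    def issue_cryptogram(self, token: str, merchant_id: str) -> str:
        # Step 3 above. Bound to token + merchant + issue time + a fresh nonce.
        if self._tokens.get(token, (None, None))[1] != merchant_id:
            raise PermissionError("token not provisioned for this merchant")
        issued, nonce = self._now(), secrets.token_hex(8)
        return f"{issued}.{nonce}.{self._mac(token, merchant_id, issued, nonce)}"

    def authorize(self, token: str, cryptogram: str, merchant_id: str, amount: int) -> str:
        # Steps 4-5 above, TSP side: verify the cryptogram, then (and only then) detokenize.
        try:
            issued_s, nonce, mac = cryptogram.split(".")
            issued = int(issued_s)
        except ValueError:
            return "DECLINED: malformed cryptogram"
        expected = self._mac(token, merchant_id, issued, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "DECLINED: cryptogram not valid for this token/merchant"
        if self._now() - issued > CRYPTOGRAM_TTL:
            return "DECLINED: cryptogram expired"
        if nonce in self._spent:
            return "DECLINED: cryptogram already used"
        self._spent.add(nonce)
        if token not in self._tokens:
            return "DECLINED: token de-registered"
        pan, _ = self._tokens[token]
        # The PAN surfaces only here, inside the TSP, on its way to the issuer.
        return f"APPROVED {amount} (issuer authorized card ending {pan[-4:]})"


@dataclass
class SavedCard:
    """All the merchant keeps: the token and the last four digits of the PAN."""
    token: str
    last4: str


def pay_with_saved_card(tsp: TokenServiceProvider, card: SavedCard, merchant_id: str,
                        amount: int, otp_verified: bool) -> str:
    """Steps 1-5 of the CoFT flow from the merchant's side (issuer CVV/expiry checks omitted)."""
    cryptogram = tsp.issue_cryptogram(card.token, merchant_id)   # step 3
    if not otp_verified:                                          # step 5: AFA must pass
        return "DECLINED: AFA not completed"
    return tsp.authorize(card.token, cryptogram, merchant_id, amount)  # step 4


def provisioning_refusal(tsp, pan, merchant_id, consent_explicit, afa_passed):
    """Refusal reason, or None when provisioning succeeds (and a token is created)."""
    try:
        tsp.provision(pan, merchant_id, consent_explicit, afa_passed)
    except PermissionError as exc:
        return str(exc)
    return None
```

Two details carry the security weight. The cryptogram is verified by recomputing the MAC rather than by table lookup, so a value minted for one token or merchant fails for any other; and single use is enforced with a spent-nonce set, which is what a replaying attacker runs into. The merchant-side record never holds more than the token and the last four digits.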

3) Device Based Tokenization For Payments

In the case of device-based tokenization the token is specific to a particular device, like a smartphone or a smartwatch. 

Essentially, it allows customers to make card payments only using that particular device. For instance, the smartphone can be used to make NFC payments at POS or in-app payments through apps like Google Pay

On the other hand, CoFT Tokenization is specific to a merchant, independent of the device.

There are many use-cases when it comes to Device based tokenization. 

To make the explanation easier, we will take the example of:

  1. An NFC tap-to-pay transaction at a POS terminal, made from the customer’s mobile device
  2. Google Pay acting as the wallet and therefore as the Token Requester in this scenario (the merchant is the shop operating the POS)

Now that we have that clear, lets have a look at how device based tokenization works.

  1. The customer initiates a payment through Google Pay 
  2. Google Pay (the token requester) sends a token request to the token service provider 
  3. In case the TSP is a card network, it forwards this request to the Issuing Bank for identification and validation. 
  4. Thereafter, the bank verifies the data and gets back to the TSP
  5. After validation, the TSP forwards the request to the Token Vault. The Token Vault creates the token number and maps it to the Primary Account Number (the card’s PAN)
  6. The token is then received by Google Pay through the TSP. It is loaded onto the particular device, and this completes the Token Provisioning

Now, by this stage the token is already created and stored on the device (a smartphone, in this case)

What does the payment flow look like in this scenario?

  1. The customer taps their NFC-enabled phone on the POS machine
  2. The token is transferred to the acquirer/payment gateway and then to the Token Service Provider (in this case, the card networks)
  3. The TSP uses the Token vault to ‘detokenize’ the Token. Meaning, the Token will be converted to an actual card PAN.
  4. The PAN is forwarded to the Issuer, who authorizes the transaction against the real card number. After validation, the Issuing bank sends its response back to the Token Vault. 
  5. The Token Vault re-tokenizes the response, which is then forwarded back via the TSP to the aggregator and on to the merchant. 

An important thing to note here is that the customer’s actual PAN is only ever exchanged between the Token Vault (on behalf of the TSP) and the Issuing Bank.
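As an added example (not Cashfree’s, Google’s or any network’s code), here is the payment leg just described modelled in Python as messages passed from the device to the acquirer, the TSP and the issuer. Each party records the field names it handled, which makes the claim about PAN exposure checkable: only the TSP and the issuer ever hold the PAN, the cryptogram is spent on first use, and the reply is re-tokenized before it travels back. The provisioned token, the cryptogram values and the message fields are constructed for the example.

```python
def fresh_network() -> dict:
    """State held on the TSP side only: the token vault and the unspent cryptograms."""
    return {
        # token -> PAN, as the six provisioning steps above would have produced (constructed)
        "vault": {"9900123412341234": "4111111111111111"},
        # per-token one-time cryptograms loaded on the device (constructed values)
        "cryptograms": {"9900123412341234": {"c-7f3a", "c-2b91"}},
    }


def _handled(trace: list, party: str, msg: dict) -> None:
    """Record which field *names* a party handled; values are deliberately not logged."""
    trace.append((party, frozenset(msg)))


def device_tap(net, trace, token, cryptogram, amount):
    # Step 1: the phone presents its device token and a cryptogram; it holds no PAN.
    msg = {"token": token, "cryptogram": cryptogram, "amount": amount}
    _handled(trace, "device", msg)
    resp = acquirer(net, trace, msg)
    _handled(trace, "device", resp)
    return resp


def acquirer(net, trace, msg):
    # Step 2: the acquirer/PG forwards the token untouched to the TSP (the card network here).
    _handled(trace, "acquirer", msg)
    resp = tsp(net, trace, msg)
    _handled(trace, "acquirer", resp)
    return resp


def tsp(net, trace, msg):
    # Step 3: only the TSP can detokenize, and the cryptogram is spent on use.
    _handled(trace, "tsp", msg)
    token = msg["token"]
    if token not in net["vault"] or msg["cryptogram"] not in net["cryptograms"].get(token, ()):
        return {"token": token, "result": "DECLINED"}
    net["cryptograms"][token].discard(msg["cryptogram"])  # single use: a replay fails below
    pan = net["vault"][token]
    _handled(trace, "tsp", {"pan": pan})
    issuer_resp = issuer(trace, {"pan": pan, "amount": msg["amount"]})
    # Step 5: re-tokenize. The reply going back down carries the token, never the PAN.
    return {"token": token, "result": issuer_resp["result"]}


def issuer(trace, msg):
    # Step 4: the issuer authorizes against the real PAN (it always approves in this sketch).
    _handled(trace, "issuer", msg)
    return {"pan": msg["pan"], "result": "APPROVED"}


def parties_that_handled(trace, field: str) -> set:
    """Which parties ever had a message containing `field`."""
    return {party for party, fields in trace if field in fields}


def run_tap(net, token="9900123412341234", cryptogram="c-7f3a", amount=250):
    """One tap end to end; returns the response the device sees and the field trace."""
    trace = []
    return device_tap(net, trace, token, cryptogram, amount), trace
```

The same field-level trace is a useful habit in real integrations: logging which identifiers each component handled (never the values) is how you show an assessor that the merchant and acquirer hops sit outside the path that carries the PAN.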


Advantages of Tokenization For Payments 

There are a lot of players involved in payment tokenization. 

All are affected differently. 

In this section, we will try to uncover the impact of payment tokenization on merchants like you and your end-customers.

Impact on Customers                  | Impact on Merchants
Reducing Customer Risk Profile       | Enhanced Security and Lower Fraud Rates
More Agency in Managing Saved Cards  | Higher Success Rates
User-Friendly                        | Easy Compliance and Less Liability

Impact of Payment Tokenization on Customers

Reducing Customer Risk Profile: Separating PCI and PII Data

India is one of the fastest-growing payments markets in the world. In fact, it ranks number 1 when it comes to real-time payments

Needless to say, it is important to build this system on a high-security and trustworthy ecosystem. 

The primary risk lies here. As of 2022, India’s payment infrastructure keeps PII data and PCI data (card data) together in the same databases.

Now, in case of any attacks (which are not unlikely given the recent past), the overall risk profile of Indian customers shoots up instantly. 

This new regulation by RBI helps ecosystem players separate the PCI and PII data. Now, merchants can focus solely on their business and customers while Banks and Card Networks safeguard the PCI data. 

Moreover, RBI defines the card token as unique to the combination of:

  1. The card
  2. The token requester
  3. The merchant

In case of a potential breach;

  1. The breach will be easily traceable
  2. It will be limited to a particular merchant

This ensures that the risk profile of all end customers will be significantly reduced. 

1) More Agency in Managing Saved Cards

Most customers today have saved their cards on multiple websites. In fact, a lot of them might not remember on which sites they have saved their payment details. 

With this new framework, customers can contact their bank’s help center and get a list of the sites where they have saved cards.

In fact, they can choose to delete their saved cards as well. 

This gives the customer high agency and control. Resultantly, this increases customer trust in the payments ecosystem as a whole. 

2) User-Friendly

An important point to note is that most of the heavy lifting is done by payment gateways, card networks or banks. The customer just needs to re-enter and authenticate their card details in order to enjoy the benefits of tokenization. 

Usually, if a customer loses their card, they need to go through a lengthy replacement process. However, if a card token is tied to a lost or stolen phone, the token can simply be re-issued without changing the PAN.

Finally, the customers have to bear no extra cost on switching to the tokenization framework.

Impact of Payment Tokenization on Merchants

1) Enhanced Security and Lower Fraud Rates

The data stored on merchant servers is virtually useless to a fraudster as they can neither derive the actual card number from it nor use it directly for payment processing. 

2) Higher Success Rates

Once the new framework is implemented, the customer will not need to enter CVV for recurring transactions. 

The lack of  CVV checks could increase success rate. In fact, Visa has predicted an increase of 2.2 % in success rate. 

3) Easy Compliance and Less Liability

Merchants like you will no longer need to save cards on their own servers and manage compliance for the same. This reduces their liability when it comes to attacks and hackers.

Moreover, you can tie up with payment gateways to leverage their tokenization solution. These are ready-made offerings that allow you to accept card payments without the hassle of becoming a token requester yourself.

How Can We Adapt to Tokenization Challenges?

Needless to say, the impact of RBI’s new guidelines is far-reaching. 

Moving from card on file data to tokenized data will be a big step for merchants, banks, PAs, and card networks. 

While most players in the ecosystem have prepared themselves for the upcoming deadline, there are still some doubts that remain. 

We know that merchants will not be able to store card data. However, this leads to a lot of doubts around card payment-related flows. 

Some examples are

  1. Refunds
  2. Chargebacks
  3. Facilities like EMI
  4. BIN-based offer at checkouts

These processes depend on card data. For instance, the card number reveals the issuer’s name, card type (credit/debit), card network, etc., which is what makes card offers possible. 

In the last few months, the ecosystem players have been reworking all of these processes to work without the card details. Here are a few instances. 

Persisting issues and doubts, with the solutions provided by ecosystem players:

  1. Issue: Instant refunds (payouts to cards) are not possible without card data. Solution: as an interim measure, fall back to the older transaction-reversal flow, which keys off the transaction ID and is independent of card data.
  2. Issue: BIN-based offers (discounts on specific cards) are not possible. Solution: card networks now provide a token-BIN mapping, so the merchant can learn the card’s issuer and type from the token BIN without seeing the card number.
  3. Issue: EMI transactions: files with card numbers used to be shared with banks so they could convert a given card transaction to EMIs. Solution: banks are moving to a new format that carries other identifying information, for instance the transaction ID, instead of card numbers.

Cashfree Payments’ Token Vault: Your One-Stop Payment Tokenization Solution

Cashfree Payments’ Tokenization solution helps you save your customers’ cards on your website or app and process card payments securely while being RBI compliant.

In fact, Cashfree Payments is the only player that offers an interoperability feature within payment gateway tokenization.

This means that merchants using multiple payment gateways can get those saved card transactions processed through any gateway or card processor– given that they have integrated with Cashfree Token Vault.

Apart from that, Cashfree Payments’ Token Vault solution offers real value to merchants as it:

1) Offers Friction- Free Payment Acceptance

  • Save cards of all card networks like RuPay, Mastercard, Visa, Amex and Diners Club with no additional efforts
  • One-stop solution: Tokenize cards and accept payments all through Cashfree Payments

2) Stay RBI Compliant and Fret-Free

Cashfree Payments is a fully certified and compliant Token requestor. 

We do all the compliance heavy-lifting for you- so you don’t have to!

3) Extremely Merchant Friendly

  • Easy Onboarding and full-digitized KYC procedure
  • Single Integration for connecting your platform with Token Vault and Payment Processor
  • No code integration available for existing merchants using Standard Checkout flow
  • Minimal integration changes required for seamless checkout flow merchant

4) Faster Checkout with 30% Higher Transaction Success Rates

Cashfree Payments uses dynamic routing to ensure you have the highest success rate. Offer the fastest and hassle-free payment experience to your customers

How Does Payment Gateway Tokenization Work? Detailing Integration Types

If you are a merchant working with Cashfree, you just need to integrate with one single API to:

  1. Tokenize your saved cards
  2. Process payments (through cards or otherwise)

Now, there are 3 major ways you can go about integrating with Cashfree Payments and leveraging payment gateway tokenization. 

No-Code Integration for Standard Checkout Merchants

This integration is for merchants that are looking for a faster go-to-market and minimal tech team dependency. 

Here, the customer is redirected to a payment page hosted by Cashfree Payments.

Existing Standard Checkout merchants can go live with tokenization for payments with zero effort. The Token Vault will be auto-enabled on the checkout page.

Minimal Integration For Seamless Checkout Flow

Seamless Checkout flow is suited for merchants that want to provide an end-to-end branded shopping experience to customers. 

Here the customer remains on the merchant’s site during the payment process and is not redirected to any other page. 

Existing Seamless Checkout merchants can integrate with Token Vault with minimal changes to their APIs. This integration will require maximum of 2 weeks to kickstart tokenization based payments

Important Note: These integrations work for tokenization for mobile payment as well as website payments

Integration for PG and Card Network Interoperability

Cashfree Payments is the only payment gateway that offers the tokenization solution with the interoperability feature. 

This allows merchants to use Cashfree Token Vault and process the payment with any payment gateway or card network. 

We offer the support to build the API calls between payment gateways present in your stack and the Token Vault. This will allow you to tokenize the cards and route transactions as per your business need.

17 FAQs About Tokenization For Payments

Can a card token be saved without a successful transaction?

No. 

One of the 3 parameters of provisioning a card token is customer approval through 3D secure OTP authentication. Without the same, a token cannot be provisioned by the merchant nor saved.

Will all card schemes be a part of Cashfree Payments’ Token Vault?

As of now, we support Mastercard, Visa and RuPay.

However, it will be built for other schemes in the near future. 

How does card token expiry work?

The Token Expiry feature is set as a provision to lower the risk profile of the customer. 

For instance, a Mastercard token will have a lifetime of 3 years. After expiry, customers will need to re-authenticate a transaction through OTP. 

However, most major card schemes are coming up with lifecycle management systems. Herein, the token will be updated automatically if the customer is willing to continue with the saved cards. 

Is the ecosystem ready for tokenization for payments?

We have seen RBI pushing the deadline for Tokenization time and again. The latest guideline mentioned that the deadline is 30 September 2022.

From an ecosystem perspective, experts believe that friction is bound to happen. Some Issuer may not be ready to comply with the new framework. 

There may be delays from the customer’s standpoint as well. The merchant cannot provision the card token without OTP authentication.

Moreover, the processors themselves may not be ready to accept a network-generated token.

How does this new framework on tokenization for payments affect early-age startups?

Usually, most early-age startups are not PCI-compliant. 

In such a situation, they will need to tie up with an aggregator which can help them provision, store and process card tokens.

From an API perspective, only minimal to no changes are required. However, they do need to make some front-end changes to accept customers’ approval to store card tokens.

Can the same tokenized card be used by multiple aggregators?

Yes, the generated token can be used by multiple aggregators across the network.

However, each token needs to be accompanied by the cryptogram, which is unique to every transaction. 

Consider the Cryptogram as a dynamic CVV. Till now, customers needed to enter their CVV and OTP for transactions. 

Once tokenization is implemented, the customer just needs to click on the card. The card networks will provide the cryptogram (just like a dynamic CVV) on behalf of the customer. 

If a merchant is PCI/DSS compliant and was saving cards on their own server how can they meet RBI’s compliance requirement?

Merchants who were saving the card number on their own servers, will also now have to either integrate with individual card schemes and become a token requestor themselves or integrate with Cashfree’s TMS where Cashfree will be a token requestor on merchant’s behalf.

What all card details can the merchant save once with tokenization in place?

Merchants are allowed to store only the last 4 digits of the actual card number. They cannot store card bin, card expiry or CVV. 

Can a merchant retrieve the actual card number using the card network token?

No, merchants will not be able to get the actual card number back from the tokenized cards. Only schemes and issuing banks will be able to do so.

Does a merchant need to re-provision the already saved cards on another PA/PG if they wish to shift from one PA (say, Cashfree) to another PA/PG?

Yes, the token reference number of tokens provisioned through Cashfree will be saved with Cashfree only. However, merchants can fetch the card network tokens from Cashfree and use them for payment on any other PA/PG. It is not possible to migrate cards provisioned through Cashfree on another PG

Does tokenization for payments affect any other payment mode other than cards? Which all card transactions are affected?

No, tokenization is limited only for card payments. All card payments like credit, debit, prepaid and corporate credit cards are impacted

Is the merchant allowed to store card BIN?

No, neither merchants nor Cashfree can store card BIN. Token bins will be introduced instead

Is the merchant allowed to store card bin metadata?

RBI has not clarified on this yet. Schemes are still checking it with RBI.

Is there any impact of tokenization on the card payments where the customer enters complete card number?

No, there is no impact as such on card payments where the customer enters the complete card number details. Only in those cases where merchants or PA/PGs were saving cards will be affected.

Is the token visible to the cardholder?

No, the token is only managed between token requester and Token service provider (bank or card network)

Can customers save more than one card on a site? Is it possible for customers to set transaction limits?

Yes to both. The customer can save as many cards as preferred and can set transaction limit on them as well. 

Is tokenization in payment processing different from encryption?

Yes, encryption and tokenization are two different concepts.

In encryption, a cipher key is used to transform the data and render it unreadable; anyone holding the decryption key can recover the original data, so the card number still exists wherever the ciphertext and the key do.

In tokenization, on the other hand, the data is removed from the organization’s internal systems altogether and replaced with a randomly generated placeholder that has no mathematical relationship to the original.
