Relevance: GS-3: Indian Economy and issues relating to planning, mobilization of resources, growth, and development.

Key Phrases: Tokenisation, Credit and Debit card, Merchants, Cyber attacks, Internal security, Recurring payments, Infrastructure, Banking system.

Why in News?

• RBI curbs data theft by initiation of tokenisation initiative which comes into force in July.

Context:

• From July, when a customer make online payments through credit card (or debit cards), it will be mandatory to enter your card details in full i.e. your card number, CVV and authenticate with OTP. But if customer doesn’t want to go through this hassle each time, he can opt to create a token. The process is called card-on-file tokenisation (CoFT).

Facts

• From July 1, tokenisation would come into force.
• In fact, it was proposed in May 2020 and a deadline of December 31, 2021, was first set for its adoption.
• After strong representations from card issuers and merchants, the RBI extended the deadline to June 30, 2022.
• But even now, for auto debits or recurring payment through credit cards, merchants cannot store the card details. This came into force on January 1, 2022. So, OTT subscriptions must be renewed every month by punching in card details.

Difference between tokenisation and encryption

• Many individuals consider tokenisation as a synonym for data encryption, which is not true. Although both the processes may seem to work on ensuring data security, there are finer differences between the two.

  Encryption	Tokenisation
  Used to transform plain text into cipher text mathematically using an encryption algorithm Used for structured and unstructured data fields Easy to scale to large data volumes using a small encryption key Comes with a tradeoff of lower strength with the format-preserving encryption schemes Make the original data leaves the organization but in encrypted format	Used to generate a random token value for plain text and then stores the mapping in a database Used for structured data fields, like card details Difficulty may arise to scale securely as database size increases  Easy to maintain format without losing strength of data security Does not require the original data to leave the organization, which satisfies various compliance requirements

How does this work?

• When a person enter the card details to process the payment, the payment gateway will check with him if he wants to create a token. If yes, it would forward the request to the card network – Visa, MasterCard, Rupay, Amex or Diner’s Club. However, it is only the bank that has issued the card that can authorise the token. The card issuer, upon verification of the user’s credentials, will allow the token to be issued and the card network issues the token. This is shared with the user. Every token is unique to the payment gateway or the merchant, card network and the card.
• A user can create multiple tokens using a card and the usage limit applicable for the card will remain the same despite having various tokens. Therefore, if a person has stored his card details across five merchants – say for ordering food, online shopping, booking movie tickets, OTT platforms and paying for utilities, he has the convenience of generating 5–6 tokens for each app.
• If a person is unsubscribing from an app, he can contact the card issuer to cancel the token, and this is called de-tokenization.

Advantages of Tokenization:

• Helps to build trust with customers by providing security to customers.
• Tokenization ensures the correct formatting and transmission of data, making it significantly less vulnerable to cyber attacks and payment fraud. This helps to keep online transactions secure for both customers and businesses, fostering trust and a good reputation in the long run.
• Improved internal security: Another one is improved internal security. Because the token is practically unreadable by anyone except for the payment processor, companies ensure both external and internal protection, including employees or other people connected to their business.
• Allows for recurring payments:Itallows businesses to accept recurring payments and other payment options in a safe environment, simplifying the subscription-based processes.In fact, tokenization is a game-changer when it comes to secure recurring payments.
• Prevents costly penalties and revenue loss.

Disadvantages of Tokenization:

• The most secure implementations require that the original card number be presented for tokenization. This means that the tokenization solution must have a way to protect the original cardholder data before it is tokenized. Furthermore, the centralized token vault in which the original payment card data is stored becomes an attractive target for criminals.
• Another issue is related to infrastructure. Tokens must be created for each merchant and card account. When a transaction flows through the Merchant and Acquirer processing systems, these account tokens must be de-tokenized so that the Issuer can approve the transaction for a known card account. Transaction settlement messages must be tokenized for Merchant and Acquirer systems.
• This requires a new infrastructure of trusted third parties in the transaction flow to tokenize and de-tokenize card accounts in these transactions. While this is not seen as a huge technological hurdle to overcome, it likely will add cost to the transaction fees for these third-party services.
• Other issues highlighted by the expert are the potentially negative impact on the speed of transactions.

Way Forward:

• Since the law on data protection in India still remains in a nascent stage, the RBI’s tokenisation measures for data security are essential to safeguard the sensitive data of consumers. However, for a smooth functioning tokenisation infrastructure, multiple players in the banking system would need to collaborate with one another, which may pose certain challenges.

Source: The Hindu BL

Mains Question:

Q. What is the tokenisation system in digital payment? What are the advantages and disadvantages of tokenisation system? (250 works).