As of Dec 23 2021, the RBI has extended the deadline for purging card data from payment aggregator and merchant platforms by six months, to June 30 2022. This gives the ecosystem more time to move customers to an alternate model of handling transactions, and gives solutions more time to handle use cases such as recurring e-mandates and EMI transactions and to complete thorough testing of post-transaction activities that involve accessing card numbers, such as chargebacks, rewards and loyalty programmes.
RBI recently published a mandate that, effective Jan 1 2022, Merchants, Payment Gateways (PGs) and Payment Aggregators (PAs) can no longer store card data in their systems. However, RBI has allowed authorised card networks to offer ‘tokenization functionality’, which can still support a saved-card payment experience for cardholders. From the consumer’s point of view, this move will enhance card transaction security and help reduce data breaches, but there will be some crucial changes in the ecosystem from the merchant’s point of view. Merchants that currently use saved-card payments for faster and easier checkouts need to partner with card networks directly or leverage Token Requestors to ensure that their business with existing and future customers remains hassle-free from Jan 1, 2022.
This blog provides a brief understanding of the Card on File Tokenization (CoF) solution and its effect on customers, merchants, and the chain of enablers involved in the tokenization system. It also provides details on ‘Plural Tokenizer’, an in-house product designed by Pine Labs to guide stakeholders in the ecosystem through a seamless transition towards tokenization.
What is Card on File (CoF) tokenization?
Card on File Tokenization is a mechanism that converts sensitive card details into a ‘token’. The token is not bound to any device; it is a surrogate value whose mapping to the actual saved card exists only between the merchant, the card and the token requestor. This tokenized credential is then used across the customer’s account with the merchant, on any of the merchant’s platforms (Web, Mobile Web, Android, iOS apps), for repeated card transactions. This eliminates the need for merchants, PGs and PAs to store sensitive card data and means the actual card number no longer passes through the various entities in a card transaction, as RBI’s directive requires.
It is notable that RBI’s current guidelines prioritise explicit customer consent for tokenizing a card, and require it to be accompanied by Additional Factor of Authentication (AFA) validated by the card issuer. However, if a card payment for a purchase at a merchant is being performed together with registration for CoFT, the AFA validation can be combined with the customer’s consent, e.g. a customer buying food from Zomato and giving consent at transaction time.
Impact of tokenization on merchants and consumers
Impact on merchants
In the initial period, tokenization might significantly disrupt existing merchant platforms, since merchants that handle card data themselves (PCI-DSS merchants) must develop a system that supports tokenized transactions. For small merchants on the redirect model, however, functionality remains unchanged.
But the fact is that the entire mechanism of tokenization will benefit online businesses and merchants in various ways in the long run:
- It removes the need for card-related sensitive information within the merchant’s internal systems or applications
- It reduces the risk of fraud attacks, security breaches and data theft, which otherwise cause a significant increase in the merchant’s chargebacks
- Overall, tokens strengthen data security and reduce phishing attacks.
Impact on consumers
First / registration transaction (Card to token creation)
The impact on the customers’ overall experience due to RBI’s new guidelines is negligible. The customer needs to provide consent to enrol the card for saved-card functionality (where the merchant supports tokenization).
Apart from the ‘consent’ part, the customer experience doesn’t change. It flows as a regular BAU transaction where the customer enters the OTP and completes it.
Repeat transaction (token-based transaction)
Once the card is tokenized, the rest of the customer’s journey does not change. The only change the customer might observe on the checkout screen is that the last four digits of the card are displayed while the BIN (first six digits) is not.
For a customer, tokenization means their card details are less likely to be stolen or exposed through a phishing attack on a mobile phone or desktop. Even if data is stolen from the merchant’s end or a fraudster gains unauthorised access to the token, the actual card number cannot be recovered from it outside the respective card network. This also builds trust and a sense of validation among customers before transacting with a merchant, and it is a beneficial move for the long-run shift from cash to digital.
Stakeholders in the tokenization ecosystem
The section below describes the stakeholders involved in e-commerce card-on-file tokenization and how the regulation impacts them.
Token requestors
Token requestors (TRs) request payment tokens for end-users, e.g., payment aggregators, digital wallet providers, merchants, and Internet of Things (IoT) manufacturers. Direct merchants are card-on-file (COF) merchants that integrate directly with network token systems as TRs. When direct merchants interact with the Network Token Service to enrol the relevant cards for tokens, they receive unique tokens for the PANs from the networks and use these tokens on file to conduct transactions in the same way as card-on-file transactions. Under the current regulation, direct merchants must take appropriate steps to support the token fields (cryptogram, token, ECI, etc.). Direct token requestors must also comply with the required audit and periodic regulatory requirements to support the new guideline.
Acquirers and Acquirer Processors
Acquirers will see few changes in functionality under the current regulation. They will process token transactions the same way they process card-based transactions today. However, acquirers may need to support additional data included in tokenised transactions, such as TAVV cryptograms for e-commerce token transactions.
Issuers
Issuers largely maintain their current role of owning the cardholder relationship and providing authorisation and ongoing risk management. Issuers need to develop specific mechanisms to process and support network tokenization. Once they are certified and enabled for the Network Token Service, they can automatically participate in e-commerce tokenization.
Card payment networks
While different payment processors have come up, or are coming up, to facilitate online payments, under the recent RBI notification on tokenization of card transactions, authorised card networks are permitted to offer card tokenization services subject to the conditions set out in that notification. Card networks must ensure that transaction requests originate from identified merchants only, and are further accountable for monitoring the system for any malfunction or suspicious behaviour. Before offering these services, authorised card networks must also have a periodic system audit (at least annually), including a security audit from CERT-In, of all entities involved.
Various use-cases of tokenization applicable for online businesses
Token credentials can be enabled based on a device or on a customer’s account. Broadly, two use cases apply:
Device-based tokens: Device-based tokens are bound to both the card and the device, and the card networks generate the token. E.g. a customer with an HDFC credit card enrols it for a token in the Amazon app on his mobile. In this example, the customer can transact on the Amazon app using that mobile phone only. The device-based token use case prevalent in the market today is that of digital wallet providers such as GPay in India. For merchants to implement device-based tokens, a certified Software Development Kit (SDK) provided by the card networks or an approved third-party Token Requestor is required.
Account-based tokens / Card on File tokens: Account-based tokens are like saved cards on a specific merchant app. The customer needs to log in on the merchant’s app or web platform to continue with the transaction, and the token is interoperable and can be used across devices.
Plural’s role in the tokenization ecosystem — Plural Tokenizer
The solution ensures merchants and their customers can seamlessly enable card tokenization and process payments without hassle.
Adding to the current discourse around tokenization in the market, Plural Tokenizer is a revolutionary product designed by Pine Labs that seamlessly connects with card networks (Visa, Mastercard, RuPay etc.) and lets merchants continue offering saved-card experiences to their end customers. Online platform merchants can leverage the Plural token vault to offer a flawless experience to cardholders and improve payment success rates. Plural Tokenizer is a certified token requestor platform with all leading card networks, and merchants can integrate with it to mint tokens. The sensitive card data is secured in the network’s vault. A reference to the token number, the Plural token reference ID (every network provides a unique reference parameter for each token minted), is shared with the merchant. The merchant can use the Plural token reference ID to fetch the full token PAN and a transaction-specific cryptogram in real time to process a tokenized card transaction.
While minting tokens, the product offers various integration modes and processes the payment via any other PA/PG or via the Plural Gateway, giving the merchant complete flexibility. Plural Tokenizer also continues to support and process EMI and offers such as cashback and discounts, as before.
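The flow described above (tokenization gated on consent plus AFA, the merchant holding only a token reference ID and the last four digits, a transaction-specific cryptogram fetched at payment time, and the PAN living only in the network vault) is easier to see in a toy model. The code below is an added example written for this post; it is not Plural Tokenizer or any card network's code. The `plref-` reference format, the HMAC stand-in for a TAVV-style cryptogram, the merchant id and the test PAN `4111111111111111` (a well-known Luhn-valid test number) are all constructed for the example. It also includes the check a merchant would want after the purge deadline: a Luhn-based scan of the merchant's own data store that must come back empty, while the same scan run over the vault correctly finds the PAN.

```python
import hashlib
import hmac
import json
import re
import secrets
from dataclasses import dataclass, field

# Constructed test PAN (well-known Visa test number); Luhn-valid, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn check shared by real PANs and PAN-format network tokens."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    return next(str(d) for d in range(10) if luhn_ok(partial + str(d)))


@dataclass
class NetworkTokenService:
    """Stand-in for the card network's token vault: the only place PAN <-> token is mapped."""
    _vault: dict = field(default_factory=dict)  # token -> (pan, merchant_id)
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # cryptogram key

    def tokenize(self, pan: str, merchant_id: str, consent: bool, afa_passed: bool) -> str:
        # RBI guideline: explicit customer consent plus AFA validated by the issuer.
        if not (consent and afa_passed):
            raise PermissionError("tokenization requires customer consent and AFA")
        if not luhn_ok(pan):
            raise ValueError("not a PAN-format number")
        body = "4" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        token = body + luhn_check_digit(body)  # PAN-format token, bound to this merchant
        self._vault[token] = (pan, merchant_id)
        return token

    def cryptogram(self, token: str, merchant_id: str, amount_paise: int, nonce: str) -> str:
        """Transaction-specific cryptogram (HMAC stands in for a TAVV here)."""
        _pan, bound_to = self._vault[token]
        if bound_to != merchant_id:
            raise PermissionError("token is bound to a different merchant")
        msg = f"{token}|{merchant_id}|{amount_paise}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:20]

    def authorise(self, token, merchant_id, amount_paise, nonce, cryptogram) -> bool:
        """Issuer/network-side check: recompute the cryptogram and compare in constant time."""
        try:
            expected = self.cryptogram(token, merchant_id, amount_paise, nonce)
        except (KeyError, PermissionError):
            return False
        return hmac.compare_digest(expected, cryptogram)


@dataclass
class TokenRequestor:
    """Stand-in for a token requestor platform: maps an opaque reference id to the network token."""
    network: NetworkTokenService
    _refs: dict = field(default_factory=dict)  # reference id -> token

    def enrol(self, pan, merchant_id, consent, afa_passed) -> dict:
        token = self.network.tokenize(pan, merchant_id, consent, afa_passed)
        ref = "plref-" + secrets.token_hex(6)  # hypothetical reference format
        self._refs[ref] = token
        # The merchant receives only the reference and display data, never the PAN or the token.
        return {"token_ref": ref, "last4": pan[-4:]}

    def fetch_token(self, ref: str) -> str:
        return self._refs[ref]


def merchant_record(enrolment: dict) -> dict:
    """What lands in the merchant's database: last four digits shown, BIN never stored."""
    return {"token_ref": enrolment["token_ref"], "display": "**** **** **** " + enrolment["last4"]}


def repeat_transaction(merchant_id, record, requestor, amount_paise) -> dict:
    """Token-based repeat transaction: fetch token and a fresh cryptogram via the reference."""
    token = requestor.fetch_token(record["token_ref"])
    nonce = secrets.token_hex(8)
    crypt = requestor.network.cryptogram(token, merchant_id, amount_paise, nonce)
    return {"token": token, "amount_paise": amount_paise, "nonce": nonce, "cryptogram": crypt}


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Post-purge check: Luhn-valid 13-19 digit runs in a data dump."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def run_demo() -> dict:
    network, merchant_id = NetworkTokenService(), "MERCHANT-001"  # constructed id
    requestor = TokenRequestor(network)
    record = merchant_record(requestor.enrol(TEST_PAN, merchant_id, consent=True, afa_passed=True))
    txn = repeat_transaction(merchant_id, record, requestor, 49900)
    try:
        requestor.enrol(TEST_PAN, merchant_id, consent=False, afa_passed=True)
        no_consent_rejected = False
    except PermissionError:
        no_consent_rejected = True
    return {
        "merchant_store_pans": find_pans(json.dumps(record)),
        "vault_pans": find_pans(json.dumps(list(network._vault.values()))),
        "token_is_pan_format": luhn_ok(txn["token"]) and txn["token"] != TEST_PAN,
        "authorised": network.authorise(txn["token"], merchant_id, 49900, txn["nonce"], txn["cryptogram"]),
        "tampered_amount": network.authorise(txn["token"], merchant_id, 99900, txn["nonce"], txn["cryptogram"]),
        "other_merchant": network.authorise(txn["token"], "MERCHANT-002", 49900, txn["nonce"], txn["cryptogram"]),
        "no_consent_rejected": no_consent_rejected,
        "display": record["display"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The `find_pans` scan is the practical takeaway for merchants: run it over database exports, logs and backups after the purge, and anything it finds is card data that should no longer be there. The demo also shows why a leaked reference ID or token is of limited use on its own: the cryptogram is bound to the merchant, amount and nonce, so a replayed or altered transaction fails authorisation.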
“The launch of Plural Tokenizer is our endeavour to make the payment transaction experience more secure for the end-user, i.e., our merchants’ customers. Today, Plural is the only omnichannel platform in India to manage tokens across offline and online payment experiences. For merchants aiming to deliver a consistent user experience and higher transaction approval rates with speed and security as foremost considerations, there is no better available option than Plural,” said Tanya Naik — Head of Online Business at Pine Labs.
You can reach out to firstname.lastname@example.org to learn more about Plural Tokenizer.