Card Tokenisation: Plugging Personal Information Leaks

Plastic money still captures a large portion of the market share despite the growing use of the Unified Payment Interface (UPI). Recent data released by the Reserve Bank of India (RBI) indicates a 16.3% year-on-year increase in the usage of debit and credit cards by Indian consumers over the last decade.

Nevertheless, this decade marked a shift to digital technology, driven by governmental decisions and policies such as demonetisation, the introduction of UPI and the Digital India programme, which enabled Indian consumers to move smoothly to online payment solutions. The pandemic has also played a big role in this revolution: with face-to-face interaction minimised, the focus on digital products and payments skyrocketed.

Digital transactions are now considered the most sought-after payment mechanism in comparison to hard cash or currency for availing services and goods. As the number of transactions made through a mobile application or platform increases, customers usually prefer to save their card information on the merchant’s site or platform. Information saved on these sites and platforms is critical financial data of consumers and is considered sensitive personal data. The risk of misuse of such sensitive financial data by hackers or fraudsters looms over every individual, and cases of such misuse have garnered the attention of the authorities.

The RBI, through its notification dated 17th March 2020, made it mandatory for payment aggregators to disable the storage of customer card credentials within the database or server of the company. Though a fixed date for implementation of this rule was not decided at the time, the RBI later issued notifications directing merchants to comply with this requirement of not storing card data by 31st December 2021. Since then, the RBI has been extending the timeline for implementing tokenisation, and as of today the RBI has instructed all parties to delete the card information before 1st October 2022.

Card tokenisation is a process by which the sensitive data of the cardholder is removed from the merchant's sites/platforms and replaced with a randomly generated string of numbers and letters, called a token, that is created within the token service provider's internal network.


The groundwork for regulating this space of online payment and ensuring the safety of cardholders has been in line for a couple of years. As India is yet to formulate a dedicated data protection bill, the safety of a cardholder’s sensitive personal data stored on the merchant’s website was one of the major concerns of cardholders as well as the regulators. Moreover, the increase in data theft and leakage of debit and credit card details of cardholders did not really help in containing the concerns of the stakeholders.

In January 2019, the RBI released a notification whereby it permitted card networks to tokenise. This choice of tokenisation was made optional for the customers, and the permission was extended to all use cases like QR code-based payments, NFC, etc. However, such services could only be offered through mobile phones and tablets, and no other devices were permitted to offer such a facility at that time.

The RBI later released the guidelines on the Regulation of Payment Aggregators and Payment Gateways, which made it mandatory for a payment gateway not to store customer card credentials within the database or on the server accessed by the merchant, with effect from 30th June 2021. This move reiterated the importance of safeguarding customer card details, and the focus once again shifted to the introduction of a tokenisation scheme. Though the guidelines did not specifically mention tokenisation, it did find mention in the subsequent notification released by the RBI on Payment Aggregators and Payment Gateways on March 31, 2021. That notification called upon payment system providers to put in place workable solutions such as tokenisation to safeguard the interests of the cardholder. In order to eliminate any ambiguity in the definition of ‘payment aggregators’ as defined in the Payment Aggregators Guidelines, the RBI explicitly stated that the Payment Aggregators Guidelines applied to e-commerce marketplaces that engaged in direct payment aggregation, and that, to that extent, e-commerce online markets that used the services of a payment aggregator were to be regarded as merchants.

The RBI further released a notification in August 2021 amending the 2019 notification by extending the scope of permitted devices that could use tokenisation. The framework for tokenisation was extended to include consumer devices such as laptops, IoT devices, wearable devices, etc. A subsequent notification issued in September 2021 further allowed card-on-file tokenisation. This notification permitted card issuers to offer tokenisation services as Token Service Providers (TSPs). The TSPs were permitted to tokenise only those cards that were affiliated with or issued by them. The notification also emphasised that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data from 1st January 2022. Entities were only allowed to store limited data, such as the last four digits of the actual card number and the card issuer’s name, for compliance and tracking purposes.

The earlier notification of removing all card details of customers with effect from 30th June 2021 was again extended to 31st December 2021 in view of the huge compliance hassle. This was again extended until 30th June 2022 and finally, the government set the latest deadline on 1st October 2022.

Functioning of Tokens

An e-commerce website, mobile application, or any merchant site for that matter, offers different payment methods to its consumers, which may range from cash to debit/credit card payment to UPI. When it comes to the authentication of the debit or credit card used by the consumer, the entire responsibility for authenticating it vests with the Payment Gateway service provider. The e-commerce platform or website merely acts as an intermediary to facilitate the trade, and it is the responsibility of the Payment Gateway service provider to supply these platforms and websites with the technology that authenticates the card details. This process of authentication performed by the Payment Gateway service provider is known as 2FA, i.e., two-factor authentication. The process involves the customer's registered bank sending a One-Time Password (OTP) to the registered phone number of the consumer to close the transaction. The OTP is the key that helps authenticate that the customer is the rightful owner of the card. Upon entry of the correct OTP, the Payment Gateway service provider authenticates it and completes the transaction.

In general, a merchant website or an online portal is only allowed to store details like the cardholder’s name, the 16-digit number on the front of the card, the expiration date of the card and the service code, which is located within the magnetic stripe of the card. On the other hand, these portals and sites are strictly prohibited from storing information such as full magnetic stripe information, PIN, PIN Block and CVV/CVC number of the card.

After the guidelines kicked in on October 1, all the card details of individuals stored on merchants’ websites were automatically erased. All information concerning the cardholder, like the expiry date, PAN, etc., is replaced by the token. This token is a one-time alphanumeric string that has no connection with the cardholder’s account. Unlike the previous system, the tokens so generated do not contain any sensitive personal data of the cardholder.

An individual can tokenise his/her card in the following ways:

  1. The individual will have to visit the preferred merchant’s website for the purchase of any goods or services.
  2. The website will then direct the individual to the preferred payment option, and the individual will be able to enter his/her card details and initiate the transaction.
  3. The website will also contain another option called “secure your card as per RBI guidelines,” which basically generates tokens for the card.
  4. As soon as the individual opts for that option, a One-time Password (OTP) will be generated and sent via SMS or email to the individual.
  5. Once the OTP is entered, the card details are sent to the bank for tokenisation, and the resulting token is sent back to the merchant, which stores it for the purpose of customer identification.

The token so generated from one merchant website will not be applicable to every other merchant website. The cardholder will have to create separate tokens for each merchant website, and the use of the same token will not help in initiating the transaction.
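The flow described above, reduced to its data-handling rules, as an added example that is not part of the original post and not the code of any real TSP or payment gateway: the issuer (acting as TSP) keeps the only mapping from token back to the card and binds each token to the merchant it was issued for; the merchant verifies nothing itself, stores only the token, the last four digits and the issuer's name, and an audit helper confirms that the merchant record exposes no card data. The card number, expiry, CVV, OTP delivery and merchant identifiers are all constructed sample values; the real network protocol between gateway, network and issuer is not modelled.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Card:
    """Card data as typed by the cardholder at checkout (constructed sample values only)."""
    pan: str      # 16-digit primary account number
    expiry: str   # MM/YY
    cvv: str      # must never be stored after the transaction
    issuer: str   # issuing bank's name


class Issuer:
    """The card issuer acting as Token Service Provider (hypothetical, simplified).

    Only this party can map a token back to the real card, and a token is
    bound to the merchant it was generated for.
    """

    def __init__(self, name):
        self.name = name
        self._vault = {}        # token -> (pan, expiry, merchant_id)
        self._pending_otp = {}  # customer -> OTP awaiting verification

    def send_otp(self, customer):
        # 6-digit OTP; returned here in place of the SMS/email delivery.
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otp[customer] = otp
        return otp

    def tokenise(self, customer, otp, card, merchant_id):
        if card.issuer != self.name:
            raise ValueError("a TSP may only tokenise cards it issued")
        # The OTP is consumed on first use, so a replayed OTP cannot tokenise again.
        expected = self._pending_otp.pop(customer, None)
        if expected is None or not secrets.compare_digest(expected, otp):
            raise PermissionError("OTP verification failed; card not tokenised")
        # The token is random and carries no card data; the mapping lives only here.
        token = "tok_" + secrets.token_urlsafe(18)
        self._vault[token] = (card.pan, card.expiry, merchant_id)
        return token

    def detokenise(self, token, merchant_id):
        """Resolve a token for the presenting merchant; None for unknown or foreign tokens."""
        entry = self._vault.get(token)
        if entry is None or entry[2] != merchant_id:
            return None
        pan, expiry, _ = entry
        return pan, expiry


class Merchant:
    """A merchant site that stores only what the guidelines permit alongside the token."""

    def __init__(self, merchant_id, issuer):
        self.merchant_id = merchant_id
        self.issuer = issuer
        self.records = {}  # customer -> stored card-on-file record

    def save_card(self, customer, card, otp):
        token = self.issuer.tokenise(customer, otp, card, self.merchant_id)
        self.records[customer] = {
            "token": token,
            "last4": card.pan[-4:],
            "issuer": card.issuer,
        }
        return token

    def charge(self, customer):
        """Later purchase: present the stored token; True if the issuer resolves it for us."""
        record = self.records[customer]
        return self.issuer.detokenise(record["token"], self.merchant_id) is not None


def record_exposes_card(record, card):
    """Audit helper: True if the merchant record holds more than the permitted last-4 digits."""
    values = [str(v) for v in record.values()]
    return (
        any(v in (card.pan, card.cvv, card.expiry) for v in values)
        or any(card.pan in v for v in values)
    )


if __name__ == "__main__":
    bank = Issuer("Example Bank")
    card = Card(pan="4111111111111111", expiry="12/27", cvv="123", issuer="Example Bank")
    shop_a, shop_b = Merchant("merchant-a", bank), Merchant("merchant-b", bank)
    token = shop_a.save_card("alice", card, bank.send_otp("alice"))
    print("merchant stores:", shop_a.records["alice"])
    print("exposes card data:", record_exposes_card(shop_a.records["alice"], card))
    print("merchant-a can charge:", shop_a.charge("alice"))
    print("token reused by merchant-b:", bank.detokenise(token, "merchant-b"))
```

Running the block shows the merchant record containing only the token, the last four digits and the issuer's name, the token resolving for merchant-a but not for merchant-b, and the audit helper reporting no exposure. The merchant-binding check in `detokenise` is what makes a token leaked from one merchant's database useless at another, which is the property the post attributes to per-merchant tokens.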

Benefits of Tokenisation

Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash. Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

Tokenisation helps reduce data theft and leaks, as the tokens are in no way connected to an individual’s personal information. Moreover, the process of replacing sensitive personal information with tokens helps build trust and confidence among consumers.

Effects of these Regulations on the Industry

The RBI is striving to organize payment aggregators by bringing non-banking payment aggregators under its regulation. The RBI’s main goal in introducing these guidelines is to reduce fraud and protect customers’ interests. Placing the burden on payment aggregators to ensure that merchants are genuine and have no malicious intent will go a long way towards removing dishonest merchants from the market and safeguarding customers’ interests.

Payment Aggregators are instructed to credit reimbursements to the primary payment source rather than the e-wallet account. Previously, refunds were credited to an e-wallet, posing a challenge for consumers to utilize the monies somewhere else.

Although the RBI has reduced the required net worth from INR 100 crores to INR 25 crores, it will not be sufficient for small-sized entities (including start-ups) seeking to enter the industry. Many existing players will be forced to exit the market if they fail to meet the net worth requirements. Moreover, small businesses operating as payment aggregators would find it difficult to implement the required baseline technology suggestions owing to the high implementation costs. This will result in the removal of market competition, leading to an oligopoly, which would harm merchants’ interests in the long term.

It can be stated that these guidelines represent an important advancement in the Indian fintech industry and assure that customers’ overall interests are secured.


With the current atmosphere where there is intense scrutiny over an individual’s personal information, the scheme of tokenisation is a breath of relief for a lot of privacy enthusiasts and the public in general.



Impact of India's Proposed Central Bank Digital Currency (CBDC)

Numerous signals have been emanating from the government and the RBI in the past several months to indicate the imminent launch of India’s Central Bank Digital Currency (CBDC). This includes the announcement last month that the Cryptocurrency and Official Digital Currency Bill, 2021 will be tabled for discussion in the ongoing session of the Indian parliament.

What is a CBDC?

In simple terms, it is the digital version of legal tender issued by a sovereign central bank. In terms of value, it is the same as the country’s fiat currency and is exchangeable with physical currency on demand. Thus, India’s CBDC will be denominated in Rupees. Like physical currency notes/coins, CBDC can be used by individuals and businesses as a store of value and to make payments for purchasing goods/services.


Why does India need a CBDC?

There are many reasons why countries will need their own CBDC systems. In India, interbank transactions and settlements already take place through the reserves individual banks maintain with the RBI, so there may not be much impact in this arena. However, in the retail segment, a bulk of the transactions still rely on physical cash and increasingly, on digital payment solutions. It is important to recognize that payment solutions such as those from Google, Amazon, Apple, or Paytm and Phonepe are all privately-owned and controlled; as such, their growing popularity does pose a risk to the country’s financial system.

For example, it is estimated that 94% of mobile payment transactions in China are processed on platforms owned by Alibaba or Tencent. As the companies behind these apps start to build “ecosystems”, more and more goods and services can be paid for through these apps. Such integration and breadth of usage can easily create a virtual stranglehold that has the potential to place at risk the entire financial system of a country; there could even be regional or global ripples. The launch of a CBDC is thus not just a digital payment system, but also a mechanism for mitigating major risks that are associated with an increasingly digital world.

Currently, all payment solutions in India, whether developed and deployed by fintech players, Big Tech or banks, run on the Unified Payments Interface (UPI) infrastructure built and managed by the National Payments Corporation of India (NPCI), which is jointly promoted by the RBI and the Indian Banks’ Association (IBA). That India’s payments backbone has never been in private hands reduces the level of risk to our financial system. It must also be acknowledged that the NPCI has done a fabulous job so far: the month of October 2021 alone saw more than 4.2 billion transactions being processed through NPCI infrastructure. But it is important to keep in mind that the payment apps owned and managed by fintech and Big Tech companies are not under the direct regulatory supervision of the RBI because they are not licensed banks. A CBDC-based ecosystem will make the regulation of such apps and platforms easier and more effective, thus enabling a higher degree of consumer protection.

There are other reasons too why an Indian CBDC will become a necessity sooner rather than later. Countries like China are already at an advanced stage of launching their versions of CBDC. Given global cross-border trade and investment flows, repatriation of funds by the Indian diaspora overseas and tourist travel, it is only a matter of time before Chinese or other CBDCs enter the Indian financial system. And as more countries launch their own CBDCs, it is imperative that we have our own, so that we can negotiate from a position of experience (and strength) when it comes to agreeing on multilateral CBDC protocols.

A well-designed CBDC system reduces the threat of counterfeit currency, something that our adversaries have used over many decades to weaken our economy. Arguably, CBDC can also play an important role in the nation’s fight against corruption and black money, although much will depend on how it evolves and on the operational rules and regulatory framework governing it.


CBDC: The Road Ahead

At this time, it is unclear when and how the government will choose to launch India’s CBDC. But it is fair to say that an entirely new digital currency ecosystem will be needed. It is likely that the RBI itself will arrange for the design, development and operation of the CBDC infrastructure. There is also speculation that CBDC would be regulated as a financial asset by the Securities & Exchange Board of India (SEBI). Big Tech, fintech and banks will need to link their apps to this new infrastructure as well, assuming that over time individuals will retain the option to pay via physical currency-backed UPI platforms or their CBDC cousins.

Since no regulator can compete with those it is tasked with regulating, the RBI may have to let financial intermediaries continue to take responsibility for the distribution of digital currency via e-wallets or other pre-paid digital instruments and similar solutions. This also means that fintech players, BigTech and retail banks will need to evolve their platforms and come up with innovative offerings to ride this new wave of opportunity. The road ahead will have its own challenges at both the policy and operational levels. The success of CBDC will also depend on how quickly internet access expands across the country and how resistant to hacking and breaches the underlying systems are.

Fasten your seatbelts and prepare for an interesting ride at the end of which, digital currency could be the crowned king. 


Image Credits:  Photo by Alesia Kozik from Pexels



Strong Tailwinds for India’s Technology Sector Entrepreneurs and Startups

Venture Capital (VC) investments in Indian startups in the period January – July 2021 were reported at around US$17.2 Billion. Although this figure is lower than the quantum of investments made in China in the same period, it is a healthy 55% more than the US$11.1 Billion VCs invested in India in the year 2020. Here’s an even more interesting data point: in July 2021, VCs invested around US$8 Billion in India, in comparison, their investments in China were approximately US$5 Billion. This was the first time since 2013 that India attracted more VC investments than China.

One swallow does not make a summer, but there are many reasons to believe that significantly higher levels of risk capital will become available to Indian entrepreneurs, and especially to those in the tech space. While most of these have to do with India’s intrinsic strengths, there are also some external forces at work. Here is what I believe will fuel India’s tech entrepreneurs over the course of the next five years or so.

  • Steep increase in the number of Indian unicorns:

The first 9 months of 2021 alone have seen 28 new unicorns (a term that denotes startups with valuations of US$1Billion or more) emerge in India. This number stood at 38 at the end of 2020.

  • Fintech innovation:

India has seen several innovative fintech come up in the last ten years, many of which are already unicorns or on their way there. As the global banking and financial services industry look for disruptive solutions and new ways of building ecosystems, many of these “Made in India” innovations will become globally relevant and hence attractive investment opportunities.

  • The rise and rise of Edtech:

As a result of the pandemic and the emergence of interactive technologies, the learning and education space has undergone a massive transformation in the last two years, not just in the early school years but also in coaching for various entrance exams. Byju’s, for example, is valued at almost US$16.5 Billion and has already acquired 9 other Edtech companies in recent months. Like fintech, the Edtech opportunity too has the potential to tap global business opportunities.

  • Rising interest amongst western VC funds:

Existing investors are looking to expand their Indian portfolios, with some big-name investors like Tiger Global making 25 investments in India between January and August 2021 (in 2020, they invested in 18 startups). New VC firms that have not previously invested in India are also entering the market. The Andreessen Horowitz (a16z) fund, for example, recently closed a US$260 Million investment in crypto player CoinSwitch Kuber (valuing it at US$1.9 Billion). Reports suggest a 60% increase in participation by US investors in Indian fintech startups over the last three years. The Unacademy group, another major Edtech player in India, recently raised US$440 million (investors included non-US funds as well), valuing the startup at almost US$3.5 Billion.

  • Many global giants already have an Indian presence:

It was recently reported that one in 12 global unicorns have their technology centers based in India (source: August report of the IVCA). As Indian ventures and their innovations gain global visibility, I believe many more global organizations will set up shop in India (As elaborated in my earlier blog – Global Captive Centers in India: Can add Value If Set Up Differently).

  • Strong talent base:

India has a large, trained pool of tech and managerial talent that can be attracted to startups both by higher compensation made possible by Venture Capital backing and the thrill of creating something new. Such talent can form the crucial leadership and middle layers as these startups scale and grow rapidly.

  • Entrepreneurship on the ascent:

Increasingly, young graduates are turning entrepreneurs, choosing this avenue instead of the security of “safe” jobs with established companies. And of course, there are senior leaders from various companies who are also getting bitten by the startup bug and leaving to start or mentor various early-stage ventures.




Of course, there’s also the elephant (more accurately, the dragon) in the room. The Chinese Communist Party leadership has, in the past year or so, made a number of major policy changes with the apparent intention of targeting China’s home-grown Big businesses (tech and others). The Chinese government’s seeming unwillingness to come to the rescue of defaulting real estate majors is another event that has muddied waters for investors. Western investors have significant exposure to many of these companies whose wings have clearly been clipped. Strains in diplomatic and economic ties between China and the west are expected to trigger a slowdown in fresh investments, if not cause an exit from Chinese businesses.

Capital chases the best risk-adjusted returns and so will always gravitate to where investors expect the best outcomes. India, with its relative political stability, acknowledged track record of democracy, continuing commitment to reforms, and growing stature as a global innovation hub makes it an attractive alternative.

Image Credits:

Photo by ThisisEngineering RAEng on Unsplash
