How does tokenisation prevent online card fraud?
October 18, 2022
Why has the RBI mandated the generation of a token for online merchant purchases? How will this move keep hackers and scammers at bay? Will it lead to better consumer security?
The story so far: The Reserve Bank of India (RBI) has mandated the tokenisation of credit/debit cards for online merchants from October 1. Till then, card details for online purchases were stored on the servers of these merchants in order to help customers avoid keying in their details every time they shopped with that merchant.
What is tokenisation?
As per the RBI’s FAQ on tokenisation updated late last month, tokenisation “refers to the replacement of actual card details with an alternative code called the ‘token’, which shall be unique for a combination of card and the token requestor (i.e. the entity which accepts the request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token).”
So, if you use a mobile app or a website for online purchases, the merchant can, on your behalf but only with your explicit consent, raise a request for a token with the card issuing bank or the card network such as MasterCard.
Why is tokenisation necessary?
When you visit a restaurant, or even an ATM, card thieves can clone your card with a skimmer, a gadget that quietly reads the magnetic stripe on the back of your card. Similarly, hackers can break into websites and mobile apps that store your card details. Such data breaches can give fraudsters access to millions of cards in one go, which are then sold on the dark web.
To lessen the chances of such fraud, some banks require an OTP sent to your registered mobile number before cash can be withdrawn at an ATM. Other banks let you withdraw cash through their mobile app without using the physical card at all. Some credit card issuers let you set your own limits (per day, per transaction and so on) in the bank's app. The RBI's tokenisation mandate is a similar exercise in caution.
As per the RBI annual report 2021-22, there were 2,677 reported cases of card fraud via the internet in FY20, involving ₹129 crore. The number of cases fell to 2,545 in FY21, but rose again to 3,596 in FY22, with ₹155 crore involved.
What are the benefits of tokenisation?
The RBI says that a tokenised card transaction is safer as the actual card details are not shared with the merchant.
Even if a hacker or scammer were to get their hands on your token, they would not be able to make indiscriminate use of it. Deep Agrawal, head of payments at PhonePe, explains: “The token generated upon request for a specific merchant is unique to a specific card number and is usable only on that particular site or mobile app. The token is useless outside of that merchant’s ecosystem.” He added that the “new mandate is only for the use of credit/debit cards online. For offline merchants, users would continue to swipe the cards on the POS machines as per previously existing guidelines.”
Popular card network Visa further explains the concept of tokenisation through the example of a metro train ticket: it is valid only for that route and on no other. Similarly, the unique token generated for a specific site is usable only on that site and nowhere else. And if an undesirable third party gains access to that specific token and shops within that specific website, the chances of identifying the party are higher, as their login and phone details would be with the site. However, regardless of whom you shop with, be it Amazon or Ola or Swiggy, the app should ask your permission to use your card details before it tokenises your card.
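To make the definition above (a token unique to a card and token-requestor pair, issued only with the cardholder's consent) and the "useless outside that merchant's ecosystem" property concrete, here is a small Python model of a token vault. It is an illustrative example added to this article, not code from the RBI, Visa, Mastercard or PhonePe, and it simplifies heavily: real network vaults are HSM-backed and tokens also carry per-transaction cryptograms. The names `TokenVault`, `merchant-A`/`merchant-B` and the 16-digit Luhn-valid token format are assumptions made for the example; the card number is the constructed test PAN 4111 1111 1111 1111.

```python
import secrets
from dataclasses import dataclass


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str            # the real card number, held only inside the vault
    requestor_id: str   # token requestor (merchant) the token is bound to


class TokenVault:
    """Toy model of a card-network token vault (assumption: not any network's real design)."""

    def __init__(self) -> None:
        self._by_token: dict[str, TokenRecord] = {}
        self._by_pair: dict[tuple[str, str], str] = {}

    def tokenize(self, pan: str, requestor_id: str, consent: bool) -> str:
        # The RBI rule: no token without the cardholder's explicit consent.
        if not consent:
            raise PermissionError("cardholder consent required before tokenisation")
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        key = (pan, requestor_id)
        if key in self._by_pair:            # one token per (card, requestor) pair
            return self._by_pair[key]
        while True:
            payload = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = payload + luhn_check_digit(payload)   # 16-digit, PAN-shaped
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = TokenRecord(pan, requestor_id)
        self._by_pair[key] = token
        return token

    def detokenize(self, token: str, requestor_id: str):
        """Map a token back to the PAN only when presented from its own domain."""
        rec = self._by_token.get(token)
        if rec is None or rec.requestor_id != requestor_id:
            return None     # unknown token, or replayed outside the bound merchant
        return rec.pan


def demo() -> dict:
    """Merchant A stores a token; a thief who steals it cannot spend it at merchant B."""
    vault = TokenVault()
    pan = "4111111111111111"                                   # constructed test PAN
    tok_a = vault.tokenize(pan, "merchant-A", consent=True)
    tok_b = vault.tokenize(pan, "merchant-B", consent=True)    # different token, same card
    merchant_a_db = {"customer-1": {"token": tok_a, "last4": pan[-4:]}}
    stolen = merchant_a_db["customer-1"]["token"]              # what a breach of A yields
    return {
        "token_a": tok_a,
        "token_b": tok_b,
        "authorised_at_a": vault.detokenize(stolen, "merchant-A") == pan,
        "replayed_at_b": vault.detokenize(stolen, "merchant-B"),   # None: rejected
        "pan_in_merchant_db": pan in str(merchant_a_db),           # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the check in `detokenize`: the vault, not the merchant, decides whether a token is being used within the domain it was issued for, so a token copied out of one merchant's database buys nothing elsewhere, while the merchant's own records never contain the PAN.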