Tokenization in online purchase

Table of Contents

Tokenization in online purchase: Relevance for UPSC Exam

General Studies III- Indian Economy

The RBI’s deadline for tokenization of cards used in online payments passed on 30 September.

Tokenization refers to the replacement of credit and debit card details with an alternative code called a ‘token’.
This token is unique for a combination of card, token requestor (the entity that accepts a request from the customer for tokenization of a card and passes it on to the card network to issue a token) and the device.

Tokenizing credit and debit cards is a way to reduce the number of places where your card data can be found.
For instance, payments on Uber showed a warning that your card data will be saved with payment gateways such as Visa and Mastercard.
What it is saying is that a merchant like Uber will have to work with payment networks like Visa to convert the card details into a digital token, which is then used to validate transactions.
As a result, the card details you enter on the Uber app, or any online platform, are not stored on the company’s cloud servers, and are hence more secure.

The digital token is a randomized string, usually alphanumeric. So, a 16-digit card number gets converted to something like 8f9%yf57ljTa.
It is generated by computer programmes, and the card network tags the token to your actual card details, and relays the token to the merchant.
When payments are to be requested, the merchant sends this token to the card network, which matches it against the saved details and validates the transaction.
A third party accessing the token won’t have use for it, since tokens will be unique across combinations of card, token requestor and merchants.

Tokenization can be performed only by the authorized card network and recovery of original Primary Account Number (PAN) should be feasible for the authorized card network only.
Adequate safeguards have to be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network.
RBI has emphasized that the integrity of the token generation process has to be ensured at all times.

Transaction safety: Tokenization reduces the chances of fraud arising from sharing card details.
Easy payments: The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.
Data storage: Only card networks and card-issuing banks will have access to and can store any card data.

The primary difference is that the token cannot lead one to the card details.
In encryption, a computer program obfuscates data using an encryption key, and this key can turn the data back to its original form.
In tokenization, however, there is no way to know what data a token represents unless one has access to the databases of the actual issuer of that token.
In many cases, laws do not consider tokens as “sensitive data”, and hence, companies don’t have to ensure the same compliance to protect them.