As per RBI mandate starting 1st October 2022, actual card number, CVV and Expiry date and any other sensitive information related to cards cannot be stored by merchants or payment aggregators/gateways for processing online transactions.
What is tokenization?
Tokenisation refers to replacement of actual or clear card number with an alternate code called the “Token”. This shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and the merchant (token requestor and merchant may or may not be the same entity).
Where will these Tokens get used?
Once created, the Tokenised card details will be used in place of an actual card number for future online purchases initiated or instructed by the card holder.
What is the benefit of tokenisation?
A tokenised card transaction is considered safer as the actual card details are not shared / stored with the merchants to perform the transaction.
How can the tokenisation be carried?
Step 1 – The card holder can get the card tokenised by initiating a request on the website/app provided by the token requestor and any such similar facility provided by the merchant.
Step 2 – The token requestor / merchant will forward the request directly to the Bank which issued the applicable credit card or to Visa / Mastercard / American Express, with the consent of the card issuing Bank.
Step 3 – The party receiving the request from Token requester, will issue a token corresponding to the combination of the card, the token requestor, and the merchant.
Is the Tokenisation guideline applicable for both Credit and Debit cards?
Yes. Starting 1st October 2022, both Debit and Credit cards have to be Tokenised
How can I manage my tokenised cards?
Bank will provide a portal to the card holders to view and manage the tokenised cards. Card holders can view / delete tokens for the respective cards through this portal. Customers can also call the Phone Banking service to place a request to manage tokenized cards
Will tokenisation have any impact on the POS transactions that the card holder does at merchant outlets?
No. Tokenisation is only required for carrying out the online transactions
Are there any charges that the card holder needs to pay for availing this service?
The customer need not pay any charges for availing the service of Tokenising the card.
Who can perform tokenisation and de-tokenisation?
Tokenisation and de-tokenisation can be performed only by the card issuing Bank or Visa / Mastercard /American Express who are referred as authorised card networks.
Are the customer’s card details safe after tokenisation?
Ans. Actual card data, token and other relevant details are stored in a secure encrypted mode by the card issuing Bank and / or authorised card networks. Token requestor / merchants cannot store full card number or any other card detail.
Is tokenisation of card mandatory for a customer?
Ans. No, a customer can choose whether or not to let his / her card tokenised. If not Tokenised, starting 1st October 2022, the card holder must enter the full card number, CVV and Expiry date every time to complete their online transactions.
How does the process of registration for a tokenisation request work?
The registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc. Customer will also be given choice of selecting the use case and setting-up of limits.
Is there any limit on the number of cards that a customer can request for tokenisation?
A customer can request for tokenisation of any number of cards to perform a transaction.
Can the customer select which card to be used in case he / she has more than one card tokenised?
For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor / merchant.
Once tokenised, how will the customer see the card details on the merchant page?
The customer will see the last 4 digits of the card on the merchant page
What will happen to the token once the customer’s card gets replaced or renewed or reissued or upgraded?
The customer should again visit the merchant page and create a fresh token.
Will the card tokenisation need to be done at every merchant?
Yes. A token must be unique to the card at a specific merchant. If the customer intends to have a card on file at different merchants, then tokens must be created at all the merchants.
If the card holder is having 3 different cards, then is the card holder expected to create 3 different tokens at the same merchant.
Yes. As mentioned earlier, token must be unique for a combination of card and merchant.
Can the customer view the list /modify the status of the tokens stored at merchant apps/website?
Mastercard Credit Cards the customer can login to ICICI Bank Internet Banking, visit the Credit Card section and click on the option for “Manage Tokens” and the select the desired Credit Card Number
For Mastercard Debit Card the customer can login to ICICI Bank Internet Banking, visit the Debit Card section and click on the option for “Manage Tokens” and the select the desired Credit Card Number
For all other Credit & Debit Cards the customer can write to firstname.lastname@example.org