
Card tokenization: Putting the cherry before the cake

By CNBCTV18.com Contributor Jan 4, 2022 8:28 PM IST (Updated)

The RBI’s recent moves on tokenization reflect well-intentioned regulation, with important practical details being overlooked

“We are neither hawks, nor doves. We are actually owls,” Raghuram Rajan had commented when defending the central bank’s rate hike some years ago. The RBI’s role in payment regulation can be described in similar terms.
The RBI mandates a number of card security features. Consider existing rules requiring chip-and-pin cards, SMS alerts, 2FA, and default domestic usage. It added to this list through recent curbs on auto-debits for recurring transactions.
Token what?
From July 1, merchants and payment aggregators (PAs) won't be able to store (credit or debit) card data. They may retain the last 4 digits of a card number and the card issuer’s name. But that’s all the information they can store. They aren’t permitted to store any other digits or details of a card.
Instead, merchants, PAs, banks, and card networks (in reverse order) must re-architect payment systems to enable card tokenization. Tokenization is a process in which a card number is replaced with a random number, called a token. Beginning 1 July 2022, merchants and PAs may continue storing tokens, which are irreversible and non-sensitive placeholders for card details. But they must purge card data.
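An added illustration of the storage rule described above, not taken from the article or from any RBI, bank or card-network system: a merchant's stored cards are swapped for random tokens, only the last 4 digits and issuer name are kept, and an audit flags records that still hold card data. The `TokenVault` class, the record layout and the sample card numbers are assumptions constructed for this example.

```python
import secrets

# Constructed sample data: widely published test card numbers, not real cards.
LEGACY_MERCHANT_DB = [
    {"customer": "c-101", "pan": "4111111111111111", "expiry": "12/26", "issuer": "Example Bank A"},
    {"customer": "c-102", "pan": "5555555555554444", "expiry": "03/27", "issuer": "Example Bank B"},
]

# Fields a merchant or PA record may hold under the rule described in the article.
ALLOWED_FIELDS = {"customer", "token", "last4", "issuer"}


class TokenVault:
    """Hypothetical stand-in for the token service that sits outside the merchant."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        # The token comes from a CSPRNG and is not computed from the card
        # number, so it cannot be reversed without access to this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def migrate(records, vault):
    """Replace each stored card with token + last 4 digits + issuer name."""
    return [
        {"customer": r["customer"], "token": vault.tokenize(r["pan"]),
         "last4": r["pan"][-4:], "issuer": r["issuer"]}
        for r in records
    ]


def audit(records):
    """Map customer -> list of problems for records that still hold card data."""
    findings = {}
    for r in records:
        problems = sorted(set(r) - ALLOWED_FIELDS)
        last4 = r.get("last4", "")
        if last4 and not (len(last4) == 4 and last4.isdigit()):
            problems.append("last4 is not exactly four digits")
        if problems:
            findings[r["customer"]] = problems
    return findings
```

Running `audit` over the legacy records reports the `pan` and `expiry` fields for each customer; over the output of `migrate` it reports nothing, and the card number is recoverable only through the vault.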
On paper, the rule seems promising. Avoid storing card data with merchants and PAs. Avoid data leaks. Reduce system vulnerabilities. Ensure data security. And say (despite all security measures) the merchant suffers a data leak: leave the infiltrator with a pile of tokens - a set of meaningless random numbers.
A classic win-win, right? Not quite. The devil, as always, lies in the details. Here, the details involve institutional unpreparedness, operational challenges, and a looming possibility of disruption in India’s payment ecosystem.
The challenge is that tokenization is complex. Only a few players, such as card networks (Visa, Mastercard), have the technological infrastructure, and they operate in a space with multiple stakeholders (issuing banks, acquiring banks, merchants, PAs). To implement tokenization, each of these stakeholders, most importantly banks, must deploy technology infrastructure. At this time, they have not. And time is running out.
Contrary to popular perception, infrastructure deployment for tokenization is not (and cannot be) a coordinated parallel effort among stakeholders. First, card networks must create the base infrastructure. Next, banks must create theirs and integrate it with the card networks’. Merchants are the last leg in this chain. It is only after banks and card networks have combined their infrastructure that merchants can meaningfully engage with them and offer tokenized card payment options to customers. It’s like baking a cake: bake the base, layer it with icing, add a cherry on top.
Concentration Risk
The deadline extension is also important to avoid concentration risk and preserve a level playing field. How? Because the inevitable disruption in card payments (if the current deadline remains) will increase concentration risk in other payment methods. It will also increase dependence on banks and card networks, as they’d be the only entities in the payments chain with access to card data. Users may tilt towards UPI, which is not similarly impacted by the restriction on card data storage and is already seeing extraordinary transaction volumes and outages due to system overload. Consumers will have less choice. And the payment ecosystem may become an uneven playing field. Certainly not a stated or intended policy objective.
Why bin the BINs?
The rules are disruptive on another count: the bar on storing card BIN ranges. The bank identification number (BIN) is the first few digits on a card. It is used to identify the card issuer (Visa, Mastercard etc.), the type of card (credit or debit), and the location of issue (India, Japan etc.). Incidentally, BIN ranges are publicly available, and they serve a useful purpose: they help merchants and PAs offer customer support, process customer requests, mitigate fraud risk, and run campaigns and offers for customers. With the new rules, these services will likely undergo disruption. That will further imbalance the competitive field among payment methods, and hurt both consumer interest and entrepreneurial success.
The authors, Aparajita Srivastava and Saumay Bhasin, are Partner and Senior Associate at Ikigai Law. The views expressed are personal