A purpose-driven, global fintech maven with over 21 years of experience, Ravi will be building the next-gen global commerce hub for merchants, acquirers, and fintech partners by leveraging APIs, AI/ML-driven multi-cloud, and hybrid cloud solutions. Previously, he has served several leading positions with domain-defining players like Visa, Bank of America, Barclays, Intuit, and Oracle. He has also spearheaded the ‘India Data Localization’ regulatory mandate, built omnichannel solutions in the acceptance, processing, risk and fraud, and alternate payments domains, and built a cutting-edge fraud and payments management platform for Visa Merchant Acquiring and Processing, among other notable payment feats like building Zelle.
With so much focus on tokenization in recent times, let us demystify what it is all about and why it is getting so much attention. Tokenization is the process of replacing sensitive information with non-sensitive information (a token), either completely or partially, rendering the token useless to an unintended user.
Tokens are irreversible: unlike with a cryptographic process, the original data cannot be derived back from the token using a key. Tokenization follows the principle of 'pseudonymization' (pseudo-anonymization or, simply put, an alias or surrogate) for sensitive data such as Aadhaar, SSN, credit/debit card, bank account, phone number, or date of birth.
A tokenization system links the original data to a token but does not provide any way to decipher the token and reveal the original data.
As per the RBI directive on PA-PG guidelines and the card-on-file storage guidelines, sensitive card data currently stored by the payment ecosystem (e.g. merchants, acquirers, payment gateways, PSPs) for business use cases such as subscriptions and recurring payments can no longer be saved, and any payment card data that needs to be stored should be in tokenized form only. Existing payment card data should also be deleted as of 1st Oct. Currently each entity stores the data in its own system in a proprietary format with varied levels of security standards.
With the rising volume of digital payments, especially for card-on-file use cases where the consumer stores sensitive card information with multiple entities, any weak link in the ecosystem exposes the consumer to a major risk of data theft and potential financial loss. That puts a lot of stress on the entire payment ecosystem: cancelling the card, preventing fraudulent unauthorized transactions on the card, addressing chargebacks for merchants, and then applying for a new card and carefully saving it again for future use.
How tokenization will improve the big payment system reform: any major payment system in India should enable safe, quick and affordable digital payments. While payments are getting quicker, faster and more affordable, safety at scale still remains an area to be strengthened to drive the adoption of digital payments further.
Tokenization ensures standardization for such card-on-file transactions through higher security standards, and it is irreversible, as compared to existing reversible cryptographic standards.
Let us look at some key benefits of tokenization over traditional card-on-file storage:
- With the rising subscription and recurring economy, intent-based unique tokens enable consumers to manage multiple subscriptions (COF or SI) very securely. Each token generated at a particular merchant can be used only at that merchant, with dynamic validation of the token within the transaction context. So if the merchant's token database were to be compromised, bad actors could not use those tokens at any other merchant, or at that merchant itself, because of the dynamic transaction-level controls.
- Greater protection against data theft due to stronger storage and usage security
- Higher customer control to view and manage tokens and set controls
- Drives standardization for card storage across the ecosystem rather than every entity implementing its own standards
- Tokens can be used for online card-on-file payments and for device-based tap-and-pay contactless payments on mobile devices
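
The two properties described above, a token that no key can reverse and a token usable only at its own merchant with per-transaction validation, can be sketched in a few lines. This is an added example, not code from any card network or from the RBI guidelines. The vault design, the HMAC-based cryptogram, the names `TokenVault` and `make_cryptogram`, and the placement of the per-token key outside the merchant's token database are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, merchant_id, amount, nonce):
    """Per-transaction value binding token, merchant, amount and a fresh nonce."""
    msg = "|".join([token, merchant_id, str(amount), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Toy vault (hypothetical design): random tokens bound to one merchant."""

    def __init__(self):
        self._entries = {}  # token -> (pan, merchant_id, key, used nonces)

    def tokenize(self, pan, merchant_id):
        # 12 random digits + last four of the PAN (partial replacement).
        # The random part is not computed from the PAN, so no key reverses it.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._entries:
                break
        key = secrets.token_bytes(32)  # assumed kept outside the merchant's token DB
        self._entries[token] = (pan, merchant_id, key, set())
        return token, key

    def authorize(self, token, merchant_id, amount, nonce, cryptogram):
        """Return the PAN only if the token is used in its own context."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, bound_merchant, key, used = entry
        if merchant_id != bound_merchant:
            return None  # token presented at a different merchant
        expected = make_cryptogram(key, token, merchant_id, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # cryptogram does not match this transaction
        if nonce in used:
            return None  # replayed transaction
        used.add(nonce)
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    token, key = vault.tokenize("4111111111111111", "merchant-A")  # constructed test PAN
    ok = make_cryptogram(key, token, "merchant-A", 49900, "n-1")
    print(token, vault.authorize(token, "merchant-A", 49900, "n-1", ok) is not None)
```

A token copied out of the merchant's database fails at every check here: it has no valid cryptogram for a new transaction, it is rejected at any other merchant, and a captured cryptogram cannot be replayed.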
Rising digital payments in India need secure standards for the online payment use cases mentioned above, which are key drivers for tokenization. Tokenization can eventually dovetail with the broader data protection standards that are already being evaluated for the future. Tokenization is a massive change across the ecosystem, demanding significant investment by payment players, banks and card networks to adopt it and adhere to it in true spirit.
Post October, there will be some disruptions in the ecosystem, as any new change causes some friction in a massive payment system built over decades. In the long run, tokenization will ensure greater security for recurring subscription payments initiated by the customer or the merchant, with greater customer controls to see the list of merchants where the card is stored and the ability to delete the token or suspend the subscription if needed. For a nation of our size, this is a needed shot in the arm to drive security and consumer data protection.
Is India ready to embrace another transformational payment trend, being the only country to embrace tokenization at population scale? While tokenization is not a new concept and has existed for over a decade, mandating its adoption at a scale like ours is a herculean task. With concerted efforts by the ecosystem over more than the last 12 months, most of the key players are ready for most of the use cases, with the right systems, tools and innovative solutions in place to counter any disruption. Some use cases for Standing Instructions are still being thrashed out to meet the guidelines. So far nearly 150 million tokens have been generated, and the numbers continue to rise, demonstrating adoption across the ecosystem.