Not just a token move: RBI permitting more tokenisation reduces trade-off between security & ease-of-use compulsions in digital payments space


    By KUNAL PANDE

    The increasing adoption of digital payments brings demands for further improvements in convenience, resilience, security, real-time capability and cost. We have seen a variety of developments in terms of product innovation (e.g. UPI, e-RUPI, etc.), enhanced security features (OTP, alerts) and risk management mechanisms (fraud checks, faster settlement, etc.). However, in many situations, these developments conflict with each other; an additional factor of authentication, for example, increases transaction friction for the consumer. We continue to see high rates of dropout in e-commerce transactions, and businesses are demanding a reduction of transaction friction, whereby a customer could complete a transaction with one click or even zero clicks. Tokenisation provides for both convenience and security of payment transactions. The concept has been widely adopted in the payment card industry globally.

    Tokenisation is a process of replacing sensitive data with non-sensitive data. In the payment card industry, it is typically used to replace the cardholder’s card number (i.e., PAN) with a surrogate value called a ‘token’. Multiple methods of tokenisation exist within payments, and they vary depending on the parties in the payment ecosystem (merchants, acquirers, card networks or issuers). In the merchants’ or acquirers’ tokenisation method, sensitive card information is stored in a secured vault and a token is used for processing payment transactions within their environment. Use cases for this method are recurring payments or one-click payments. The card network tokenisation method, unlike acquirer tokenisation, is interoperable. In this method, the card network issues a token to a requester (e.g. merchant, wallet, etc.) for payment processing, while the sensitive card information is securely stored in a vault within the card network environment. Tokenisation, as we see, confines sensitive card information to a secure vault and thus, on the one hand, reduces the risk of loss of such information from the wider payment environment and, on the other, removes the need for the cardholder to enter such sensitive information for each transaction, reducing payment friction.

    Tokenisation can be implemented using a variety of storage mechanisms, viz. device-based, cloud-based, app-based and card-on-file (CoF), and payment channels like NFC, MST, in-app, QR code, etc.

    RBI laid down directions for card tokenisation in January 2019, whereby, as an initial step, card-network-enabled tokenisation was allowed through mobile phones and tablets. RBI has, in August and September, extended the directions to include all types and storage mechanisms. The extension has allowed the industry to come up with innovative, secure and lower-friction use cases. The circular permits card issuers to offer card tokenisation services as TSPs (Token Service Providers) for cards issued by or affiliated to them. A key part of this extension is allowing for CoFT (Card-on-File Tokenisation), a unique token issued by TSPs for a combination of card, token requestor and merchant.

    We see several organisations (merchants, e-commerce companies, fintechs) offering digital payments, working towards making the checkout stage of a customer’s journey as seamless as possible through innovative mechanisms like one-click or zero-click payments. However, to do this, payment data, like the cardholder’s PAN, needs to be stored so that it can be accessed in the future without the customer having to re-enter it. CoF is a method used for this purpose, wherein a merchant stores cardholders’ data securely for recurring usage. However, the cardholder data then needs to be maintained by several merchants, albeit securely. CoFT, on the other hand, allows merchants/acquirers to offer such frictionless payment solutions without the need to store cardholders’ data, thereby substantially reducing the risk of data compromise.
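
A minimal sketch of the CoFT idea described above, added here as an illustration and not taken from the RBI directions or any card network's implementation: an in-memory vault issues one random token per combination of card, token requestor and merchant, and refuses to resolve a token presented for any other combination. The class `TokenVault`, its method names, the token format and the sample identifiers are assumptions made for this example.

```python
import secrets


class TokenVault:
    """Toy TSP vault: the PAN stays inside; requestors only ever hold tokens."""

    def __init__(self):
        self._records = {}     # token -> (pan, requestor, merchant)
        self._by_binding = {}  # (pan, requestor, merchant) -> token

    def tokenise(self, pan, requestor, merchant):
        """Return the token for this card/requestor/merchant combination."""
        binding = (pan, requestor, merchant)
        if binding in self._by_binding:
            return self._by_binding[binding]
        # Random surrogate: it carries no digits of the PAN and cannot be
        # reversed without access to the vault's lookup table.
        token = "tok_" + secrets.token_hex(8)
        self._records[token] = binding
        self._by_binding[binding] = token
        return token

    def detokenise(self, token, requestor, merchant):
        """Resolve a token to its PAN only for the combination it was issued to."""
        record = self._records.get(token)
        if record is None:
            raise KeyError("unknown token")
        pan, bound_requestor, bound_merchant = record
        if (requestor, merchant) != (bound_requestor, bound_merchant):
            # A token copied from one merchant is useless at another.
            raise PermissionError("token not issued for this requestor/merchant")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    tok_a = vault.tokenise(pan, "gateway-1", "shop-a")
    tok_b = vault.tokenise(pan, "gateway-1", "shop-b")
    print("shop-a stores:", tok_a)
    print("shop-b stores:", tok_b)
    print("resolved for shop-a:", vault.detokenise(tok_a, "gateway-1", "shop-a"))
    try:
        vault.detokenise(tok_a, "gateway-1", "shop-b")
    except PermissionError as exc:
        print("shop-b replaying shop-a's token:", exc)
```
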

    In a nutshell, the new extension has enabled the industry to offer the tokenisation benefits of enhanced security, reduced fraud risk and less payment disruption (read: dropouts) across a wide variety of use cases. ‘Card Tokenisation’ shall enhance customer confidence in digital payments while also addressing an important need to make payment transactions frictionless and convenient.

    The author is Partner (advisory services), KPMG in India


