What is card tokenization?
Tokenizing credit and debit cards is a way to reduce the number of places where your card data can be found.
For instance, payments on Uber showed a warning that your card data will be saved with payment gateways such as Visa and Mastercard.
This means that a merchant like Uber will have to work with payment networks like Visa to convert the card details into a digital token, which is then used to validate transactions.
As a result, the card details you enter on the Uber app, or any online platform, are not stored on the company’s cloud servers, and are hence more secure.
What is the digital token being used?
The digital token is a randomized string, usually alphanumeric. So, a 16-digit card number gets converted to something like 8f9%yf57ljTa.
It is generated by computer programmes. The card network ties the token to your actual card details and relays the token to the merchant.
When payments are to be requested, the merchant sends this token to the card network, which matches it against the saved details and validates the transaction.
A third party accessing the token won’t have use for it, since tokens will be unique across combinations of card, token requestor and merchants.
How will tokenization prevent online fraud?
Card details saved on an app are stored in cloud servers, which, if hacked, can give the hacker access to information like card numbers, expiry dates, the name of the holder, etc.
Though most merchants put special mechanisms in place to store card details in an obfuscated manner, it's much more difficult to hack a bank or a Visa than it is to hack websites and apps.
How does it differ from encryption?
The primary difference is that the token cannot lead one to the card details. In encryption, a computer programme obfuscates data using an encryption key, and this key can turn the data back to its original form.
In tokenization, however, there is no way to know what data a token represents unless one has access to the databases of the actual issuer of that token.
In many cases, laws don’t consider tokens as “sensitive data”, and hence, companies don’t have to ensure the same compliance to protect them.
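The token flow and the contrast with encryption described above, as an added example that is not part of the original article: a toy token store in which tokens are random rather than computed from the card number, and are accepted only from the token requestor and merchant they were issued to. The class, the method names, the requestor and merchant labels and the test card number are all constructed for illustration and do not represent any card network's real interface.

```python
import secrets


class TokenVault:
    """Toy model of the card network's token store (hypothetical, not a real API)."""

    def __init__(self):
        self._by_token = {}    # token -> (card number, requestor, merchant)
        self._by_binding = {}  # (card number, requestor, merchant) -> token

    def tokenize(self, pan, requestor, merchant):
        """Issue one token per (card, token requestor, merchant) combination."""
        binding = (pan, requestor, merchant)
        if binding not in self._by_binding:
            token = secrets.token_urlsafe(12)   # random: not computed from the card number
            while token in self._by_token:      # regenerate on the rare collision
                token = secrets.token_urlsafe(12)
            self._by_token[token] = binding
            self._by_binding[binding] = token
        return self._by_binding[binding]

    def authorize(self, token, requestor, merchant):
        """Approve only if the token exists and was issued to this requestor and merchant."""
        binding = self._by_token.get(token)
        return binding is not None and binding[1:] == (requestor, merchant)


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    t_a = vault.tokenize(pan, "gateway-1", "merchant-a")
    t_b = vault.tokenize(pan, "gateway-1", "merchant-b")
    return {
        "same_card_different_tokens": t_a != t_b,
        "stable_for_same_binding": t_a == vault.tokenize(pan, "gateway-1", "merchant-a"),
        "pan_not_in_token": pan not in t_a,
        "rightful_merchant_approved": vault.authorize(t_a, "gateway-1", "merchant-a"),
        "token_from_other_merchant_rejected": vault.authorize(t_a, "gateway-1", "merchant-b"),
        "unknown_token_rejected": vault.authorize("not-a-real-token", "gateway-1", "merchant-a"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token comes from a random generator, the only route back to the card number is the lookup table held by the issuer of the token; there is no key that reverses it.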
Why are your online payments failing?
Merchants have to contact users and have them re-enter card data for tokenization. Payments fail either because the customer didn't heed reminders, or because the merchant still doesn't have tokenization infrastructure. For recurring payments, users will have to set up an e-mandate before a merchant can charge them.
For recurring payments above ₹5,000, approval has to be sought from the customer 24 hours before the payment, each time it is made. UPI autopay can also be used for payments under ₹5,000.