Tokenization of Card: What is It and Why Is It Needed?


This blog details the concept behind the Tokenization of Card process. We explain the latest RBI regulation on Card on File Tokenization and how the payment industry is adapting to it.


Recently, RBI issued a new regulation on storing customer card data. This means that payment aggregators and merchants can no longer store the card information of any customer on their servers. 

But why would payment aggregators or merchants store customer card information?

Well, there can be two main reasons for the same:

  1. The customer may buy a product or service more than once
  2. The business may have a recurring billing model. They may offer subscription-based services

Either way, customers would not want to enter their card information again and again. This can get especially tedious for subscription-based products. 

tokenization of card

Most merchants and Payment aggregators used to store customer card information. This practice is known as the ‘Card On-File.’ 

As the name suggests, it literally translates to the saved customer cards on a server. 

This was- until RBI released their new guidelines

Now, merchants and payment aggregators needed to find another way to store card information.

Needless to say, asking a customer to enter their card information repeatedly was out of the question. 

Hence, they came up with an ingenious solution.

Tokenization of Cards

In March 2020, RBI enabled regulations that restricted custom card storage. 

However, in the latest guidelines, it is stated that no payment player- except the Issuing Bank- can store the actual card data. 

(The Issuing Bank can be stated as the customer’s bank. It is the bank that issued the credit or debit card to the customer)

Tokenization of cards came as a solution in response to these new regulations. 

But What is Tokenization of Cards? 

Tokenization of card is a process that:

  1. Takes the sensitive card information (for instance, the card number, CVV, and expiry date)
  2. And replaces it with a random ‘token’ 

So, every card number will have a unique token.

It is important to note that this token will be exclusive to the token requester and the merchant as well. 

What is a Token Requester, you might ask?

Well, a Token Requester is an intermediary that interacts with the card networks/banks and demands a token on your (the merchant’s) behalf. 

Only the Issuing Bank or the Card Network (Visa, MasterCard, etc.) can be a Token Service Provider. (Essentially the player that actually replaces the card details with a token)

This brings us to another big question.

How Does Card Tokenization Work?

Here is a quick brief that explains how the tokenization of cards works.

  1. The customer selects the product or service and initiates the payment from the merchant. Alternatively, the customer may be a regular subscriber. 
  2. Then, the merchant takes the card information and initiates the token request from the Token Requester.
  3. The token requester makes a call to the Card Network which acts as the Token Service Provider. Thereafter, the card network issues the Token.
  4. The Token Requester forwards the combined token data to the Payment Aggregator.
  5. Thereafter, the Payment Aggregator initiates the online payment processing.
tokenization of card

Important Note: Your existing Payment Aggregator may act as your Token Requester. This way, you (as a merchant) will not have to contract with different parties and face complications.

For instance, Cashfree Payments acts as both the Payment Aggregators and Token Requesters for all its customers. 

Now, we know that every token is unique. But did you know that no token can be used more than once?

For every token-based transaction, the Card Network generates a Cryptogram. This Cryptogram has an expiration date of 24 hours

This ensures that this token can never be used again. 

However, this entire process raises an important question. 

Why is the Tokenization of Card Needed?

Why did the RBI enforce this new regulation? What are the benefits of card tokenization?

Well, here’s a quick overview.

Higher Payment Security

For starters, it increases payment security. Cyber threats and payment frauds are on the rise worldwide. In fact, RBI reported bank frauds of 1.38 Trillion INR in the 2021 financial year. Steps like the restriction of card storage are a step towards a robust and secure payment ecosystem. 

Decreases Merchant Liability

Next up, it decreases merchant liability. The merchant no longer has to stay compliant with various regulations related to card storage.

Lesser Chances of Cyber Attacks

Moreover, it decreases the probability of hacker attacks. Merchants or payment aggregators no longer have access to card data. So, hackers have no incentive to attack or disrupt the servers of these players.

Increases Customer Ease

As you must be aware, storing card details speeds up online payment processing. It provides an overall better customer experience. 

However, tokenization has many other advantages in store for customers.

In case they lose their credit cards, a token for online payment can be re-issued without changing the PAN.

Moreover, if a merchant uses Token Requester services, no charges are levied on the customer for the tokenization process.

So, essentially, the customer gets an additional layer of security without any fee!

Despite all the advantages- the tokenization of Card process is not completely issue-free.

Let us explain why. 

Existing Issues with Tokenization of Card Process

Card Tokenization is not new.

However, all the players in the payment ecosystem will need to undergo a lot of changes to adapt to the new regulations. 

Tokenization of Card Implications for Merchants

Merchants can only store the 4 last digits of the customer card data. 

As a result, they have to delete any customer card data they may have saved before January 1st.

Moreover, they need to contract with a Token Requester. However, for ease of operations, most merchants may choose their Payment Aggregatorto act as their Token Requester.

However, there is another option that merchants may choose.

They may choose to become Token Requester themselves. 

This option is ideally viable for huge enterprises and MNCs. This is because becoming a Token Requester entails contracting with all major card companies separately.

Furthermore, it is important to note that PCI- DSS compliance is an independent organization. So, a merchant that is a Token Requester will need to juggle both the regulatory requirements. (PCI and Token Requester regulations both)

Tokenization of Card Implications for PAs and Card Networks

Payment Aggregator and Card Networks might have to face some issues as well. 

For starters, there is still some confusion related to the payment flow of transactions where card information is not stored on file. One use case of this is guest checkout transactions. 

Moreover, Payment Aggregators can only store the last 4 digits of the card information. So, this may cause issues in identifying important parameters. For instance, is the card a debit or credit card? 

These identifiers are important to processes like refunds and chargebacks. 

Tokenization of Card Implications for Customers

In the new tokenization card scenarios, customers would be the least affected. 

At most, they may need to enter their card number as usual and opt to save it via the checkbox. Thereafter, the merchant will trigger the tokenization process. 

Customers may also experience some hiccups as the entire payment ecosystem is still adjusting to the new norms.

It will be interesting to see what obstacles the payment ecosystem players run into. 

More interesting yet- how these players overcome those issues.

Speaking of which…

Interested in knowing about our Tokenization solution, The Token Vault

Get in touch with our team here