Use tokenization and common sense to keep your card safe from fraud

What is tokenization, why it matters for e-commerce, and is it safe enough?

Who doesn’t love shopping online? Whether we are booking our next holiday, ordering dinner after a long day at work, or simply indulging in a bit of retail therapy, we’ve all been there, browsing through catalog pictures, hunting for great offers, checking customer feedback and recommendation, and filling our cart. 

And then comes the checkout. 

The checkout is a crucial point for both buyers and merchants. Having to pull out a payment card, painstakingly entering the card data, the shipping address and other information causes many buyers to change their mind and never complete the purchase. It’s a common occurrence in the e-commerce business. It even has a name – cart abandonment. 

Online merchants have long since understood that they need to make the checkout as easy and seamless as possible to minimize cart abandonment and maximize returns. The obvious solution is to store the customer data so that next time they shop they don’t have to re-enter their information and can promptly check out before they change their mind. So, merchants started offering to save contact details, addresses and card information. 

Now this raises a whole new set of issues. Card information is sensitive. If it falls in the wrong hands, it can be used for fraudulent transactions. And merchants do not always have the right technology and practices to save card data safely. After several high-profile data breaches highlighted this issue, consumers were left with a dilemma – should I store my card information with the merchant and face the risk of fraud? Or should I enter my card information manually every single time I shop?

Enters tokenization.

Tokens are numbers that are stored and used instead of the real card number, to protect the real card number from fraud. A token looks and feels like a card number. A card number has 16 to 19 digits and includes information allowing banks and payment processors to route a payment transaction from the merchant terminal or online merchant page all the way back to the issuing bank who can then authorize or decline the transaction. A token has the same properties. When a payment is initiated with a token instead of a card number, it is routed just the same. And at some point, in the process, typically when the transaction goes through the payment network (for example Mastercard or Visa), the token gets mapped to the real card number and the transaction is processed. 

The true power of the token is that it is strongly linked to the token requestor (for example the merchant) and the device through which it is requested. For example, if I generate a token for my card on the Amazon online shop, it can’t be used to pay on the Flipkart online shop. Similarly, a token generated for a payment application in my phone can’t be used in someone else’s phone. So even if a hacker gets hold of my token, there is nothing much they can do with it.

The Reserve Bank of India has mandated tokenization from 1 October 2022. This means that online merchants, payment gateways, and payment aggregators are no longer allowed to store card data and must use tokens instead. If you’ve shopped online this year you would have seen notifications at the time of checkout offering, you to store your card information safely as per RBI guidelines. What this really means is that the merchant or the gateway is going to request and store a token for your card. 

This is great news for Indian cardholders as it makes their card information a lot safer. For merchants and payment gateways it meant significant efforts to comply with the mandate. For example, Paytm recently announced the tokenization of over fifty-two million payment cards. The benefit is that they can expect more people to save their card information, a better checkout process and a reduction in cart abandonment. 

Is tokenization the universal remedy to online card fraud? 

Certainly not. Yes, it protects the real card data and makes merchant data breaches much less risky for consumers. But data breaches are only one of the many ways your payment credentials may be at risk.  The most common type of fraud remains phishing and good old social engineering, in other words a fraudster using greed or fear to get a cardholder to share sensitive information, unknowingly or willingly. 

Phishing usually takes the form of emails or social media messages with an enticing offer (greed). For example, an airline supposedly distributing free tickets to celebrate their anniversary. Or it can take the form of a threat (fear). For example, urging you to log in to your bank right now as your account is about to be deactivated. Then it asks you to click on a link and takes you to a fake mobile banking login page. Or it installs some malware on your phone that steals your credentials later. Either ways you end up sharing your credentials, card data or other sensitive information with the wrong people. Social engineering operates in a similar way but with someone calling you and talking you into sharing your credentials, card data, or even payment transaction OTP. 

The best way to protect yourself against such threats is to use common sense and educate yourself. If something sounds too good to be true, it probably is. Don’t click on the link. And if someone calls you out of the blue and urges you to share your data, hang up, call back whoever they are pretending to be (your bank, a hospital, the electricity company) to check if the request is legit. There is a lot of information online about known scams and some Indian banks have done a great job creating video content to educate the public like Raho Cybersafe from RBL or Vigil Aunty from HDFC.

Do some research, learn about fraud, share with your loved ones. And of course, tokenize your card! 

The article has been written by Lucie Fonseca, Global Head, R & D, Giesecke+Devrient (Pune, India)