So, what actually is tokenization? It refers to the replacement of credit and debit card information with a "token," which will be unique for each card. Because the actual card details are not shared with the merchant during transaction processing, a tokenized card transaction is considered safer. Customers who do not have access to the tokenization service will be required to enter their name each time they place an online order.
Digital payments have spurred and supported economic growth, particularly during the pandemic's difficult times. At the same time, RBI's intent is to protect a variety of stakeholders, from payment gateways and aggregators to banks, wallet providers, merchant sites, and consumers. It seeks to protect consumer interest via tokenization, making a more secure environment for the digital economy. The payments ecosystem in India has led to a greater degree of streamlined coordination between these financial institutions. The digital payments industry is one of the pillars of India's rapidly growing digital economy. This stellar growth is being actively driven by the rise in supply and demand-side dynamics. On the demand side, a rapidly growing consumer base, driven by increasing smartphone penetration and availability of the internet, has brought about a paradigm shift in digital financial inclusion. Digital modes of payment, though still lagging behind cash payments, have emerged as strong competitors. The supply-side dynamics are built on a foundation of fierce competition, technological innovation, and an overall focus on consumer convenience in integrating digital financial services into consumers' everyday lives.
The RBI has taken a proactive role in providing a regulatory foundation for this growth and is now attempting to strike a balance between consumer convenience and the security of financial data.
Tokenization has no direct impact on the payment process or the user experience, but it does provide an additional layer of protection to the transactions. It ensures that a person's sensitive information stays with them as they transact, eliminating all dangers associated with data vulnerability.
The RBI's proposal is well-intentioned; its goal is to improve data security and reduce the risk of data breaches; however, it is a significant departure from current standard operating procedure for digital payments transactions, and it may necessitate a major overhaul of existing tech systems.
The issues aren't merely technological; they're also business-related. Tokenization requires digitization in some way.
Currently, implementation is also a concern due to the interdependence of stakeholders.
Therefore, a time-consuming and resource-intensive overhaul of internal mechanisms may be required. Merchants with a global presence may be able to implement these changes due to their financial strength and experience with tokenization in foreign jurisdictions.
Security concerns about tokenization vaults arise primarily because a vault creates a copy of the sensitive data and moves it to another location. Rather than effectively securing the data, it creates a single point of attack in the tokenization infrastructure and becomes a high-risk target for data theft. In a way, tokenization reduces security risks on the merchant side but transfers this risk upstream to the issuer.
It has been pointed out that using the same method for the same merchant can raise multiple security risks. If a malicious individual is able to retrieve the method and proceeds to conduct a dictionary attack, the payment card information could potentially be recovered. Further, any cybersecurity framework rests on three pillars: Confidentiality, Integrity, and Availability. There is a tendency to focus on confidentiality and availability of data while the integrity of the data is left unaddressed. However, if the integrity of the data is suspect, then that defeats the purpose of confidentiality and availability.
Tokenization aims to limit the number of stakeholders who will hold this data. This also means that a dataset will have no redundancy and will lack the means to establish integrity in the event of a major failure. The failure could arise not only from hacking but also from cascading coding failures.
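The earlier point about a repeated tokenization method and dictionary attacks can be made concrete. The following is an added example, not part of the original article or of any RBI specification: it assumes the "method" is an unkeyed hash of the card number, that the leading digits and last four digits are known, and it uses hypothetical names (`deterministic_token`, `guess_space`, `Vault`) to contrast that design with random, merchant-scoped vault tokens.

```python
import hashlib
import secrets
from itertools import product

TEST_PAN = "4111111111111111"  # constructed sample: a common test number

def luhn_ok(pan: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def deterministic_token(merchant_id: str, pan: str) -> str:
    """Assumed weak method: unkeyed hash, so anyone can recompute it."""
    return hashlib.sha256(f"{merchant_id}:{pan}".encode()).hexdigest()

def guess_space(prefix: str, suffix: str, length: int = 16) -> int:
    """Count card numbers consistent with a known prefix and suffix."""
    unknown = length - len(prefix) - len(suffix)
    return sum(luhn_ok(prefix + "".join(mid) + suffix)
               for mid in product("0123456789", repeat=unknown))

class Vault:
    """Random tokens: the only link to the card is the vault's table."""
    def __init__(self):
        self._by_card, self._by_token = {}, {}

    def tokenize(self, merchant_id: str, pan: str) -> str:
        key = (merchant_id, pan)
        if key not in self._by_card:
            token = secrets.token_hex(16)   # carries no card information
            self._by_card[key] = token
            self._by_token[token] = key
        return self._by_card[key]

    def detokenize(self, merchant_id: str, token: str) -> str:
        owner, pan = self._by_token[token]
        if owner != merchant_id:            # token is scoped to one merchant
            raise PermissionError("token not issued to this merchant")
        return pan

if __name__ == "__main__":
    # 8 known leading digits + last four leave only 1000 candidates.
    print(guess_space("41111111", "1111"))
    vault = Vault()
    print(vault.tokenize("merchant-a", TEST_PAN))
```

With six known leading digits and the last four of a 16-digit number, the same count is 100,000, which is why a token derived from the card number by a recoverable method offers little protection, while the random token shifts all of the risk onto the vault.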
To ensure a more seamless transition toward the new system, the recommendations have been further explained below.
Finally, the system—that is, regulators, businesses, and the government—must provide safety. Consumers in India do not have access to a comprehensive and timely dispute resolution mechanism. Multiple regulators in the banking and other sectors add to the complexity. All of the regulators engaged have a dual mandate: to promote the industry's growth while also providing oversight. Consumer protection and interests aren't at the top of the regulatory priority list. Delays in the courts do not help. As a result, the next step is to put in place an effective consumer dispute and grievance resolution system.