Tokenization

A game-changer in transforming online payments in India

India is heading towards a major transformation in the online payment eco-system, with Tokenization. The sole objective of this change in the way we store card-on-file data, is to prevent payment frauds & data breaches.

So then, what exactly is Tokenization?

Tokenization is a procedure of substituting sensitive card information (PAN) with a non-sensitive equivalent called token or a reference number.

The best metaphor of tokens will be a poker chip. Instead of risking placing thick wads of cash; poker chips are used for better and safer play.

It essentially helps enhance the level of security during a transaction, where instead of the card number, an alias is stored. This alias can then be used for the e-commerce transaction instead of the card number.


Its impact on your business

Well, if you are offering “save card” feature for a quick checkout experience of your consumers, you will now instead need to store an alias instead of the card number.

Most of your returning customers save their cards/payment instrument details (excluding CVV) on the website for a seamless checkout experience.

With the RBI guidelines effective 31st Dec 2021; Merchants, Aggregators & Acquiring Banks, cannot store customer card related information. Which essentially means that going forward Merchant, Aggregator or Acquiring Bank will have to enable tokenization and use these tokens to continue offering a similar seamless checkout experience for their customers.

Its impact on your end consumers

From a user experience standpoint, there is no impact on end consumers. However, for enabling tokenization on your platform, the consumer will have to give a one-time explicit consent for tokenizing their cards before proceeding with their OTP-based transaction. This consent would be taken even if the consumer adds their card number or any other payment details and opts in to save the information for future transactions.

How does PayPhi help?

Our PayPhi Tokenization Service enables your business to migrate to tokens instead of card-on-file and helps you comply with the RBI Guideline. Our platform is robust, safe, secure, reliable and a compliant digital payment solution for your business.

PayPhi Tokenization Service is a payment instrument token offering for Merchants and Payment Aggregators that facilitate secure token-based storage and retrieval of payment instruments along with seamless integration of EMV/Non-EMV token(s). You can simply integrate with PayPhi to generate tokens and process token-based transactions.

The features include –

  • Single interface for all major networks
  • Seamless integration with networks for EMV or Non-EMV tokens
  • Lifecycle management of Tokens
  • Facilitate token transactions

Types of Tokens

Acquirer or Card on File Tokens: e-commerce card-on-file tokens is an acquiring token which are not unique to any device & belong to a merchant.

Issuer or EMV payment tokens: are open-loop tokens facilitated by a Token Service provider. These tokens are used by replacing the payment credential (PAN) with different numeric value. These tokens are unique to a device and its merchant.


How does Tokenization work?

  • Token requestor enlist with a token service provider
  • Provisioning request is sent by the token requestor
  • Card credentials and cardholder identity and verification (ID&V) is processed by an issuer and assurance level with domain controls for the token is fixed
  • Generation of the token
  • Activation and provision of the token
  • Usage of the token by the cardholder in a payment transaction
  • Detokenization, domain check, confirmation, and transaction authorization
  • Use of token to clear and settle the transaction
  • Management of token through its lifecycle by token requestor

Let’s Get Started!

    Frequently Asked Questions

    How does a Merchant get users to generate tokens for their saved cards?
    Merchant will need to send PayPhi the card details once at checkout or at the time of saving a card. We would facilitate the generation and issuance of the token against the card that is being sent.
    Does a Merchant need to take consumer consent and send it for token provisioning?
    Yes, consumer consent is mandatory for tokenizing the card, and as part of token provisioning, the merchant will need to send the consumer consent indicator to us.
    Can Merchant generate multiple tokens for one card?
    As of today, the token that is generated is unique for a Card, Token Requestor, and Merchant.
    If the merchant is a Non-PCI Merchant, what token parameters will the merchant be able to store?
    Non-PCI merchants will only be able to store the token reference and the last 4 digits of the Card and Token number.
    If the merchant is PCI DSS compliant Merchant, what token parameters will the merchant be able to store?
    PCI Enabled merchants will be able to store Token Reference as well related Card Metadata that will be passed along with the tokenization response. For details kindly contact us
    Does Merchant need to send their end consumer details at the time of tokenization?
    For Rupay, the merchant will have to send consumer details along with tokenization. However, for other networks, consumer details are not mandatory.
    How do a Merchant process checkout transaction after token provisioning?
    After token provisioning, the merchant will need to send us the token reference generated at the time of provisioning, and we shall return the token credentials (token PAN and Cryptogram) that can then be used for the payment transaction via your acquiring channels.
    Would chargeback, refunds get affected due to tokenization?
    Chargebacks and refunds are not getting affected as such due to tokenization, in the case of instant refunds that are based on card number, they may get affected and can be looked upon the case on a case basis.
    How does a Merchant delete the saved card/token?
    After getting the consumer consent for deletion, the merchant may send PayPhi the request for deletion of the saved card.
    Can Merchant suspend and resume already saved card/token?
    Suspension and resume token is supported on Visa and Mastercard platforms, for Rupay, it's a work in progress.
    Can Merchant save the preferred card as default after being tokenized?
    Yes, the merchant may send us the request for setting their default card.
    What happens to the generated token if the card numbers get updated?
    Card renewal will be treated as a new card that is being registered and hence, the merchant may need to carry out the save card process for those renewed cards.
    What happens if the card expiry changes? Does the merchant have to re-register the token?
    In the case of the card, expiry gets changed, the same token can still be used without any changes at your end.
    What happens if the card is not eligible for tokenization?
    If the card is not eligible for tokenization, then the merchant may not be able to offer saved card functionality for that card, however, continue by every time keying in the 16-digit card number for such cards.
    What happens to offer and loyalty programs that were using Card Numbers as an identifier? How would that work after tokenization?
    The offerings which may be using full card numbers will have to switch to token numbers to continue with those programs. For further queries, kindly reach out to us.
    Are there any other means for tying a token to offers?
    Yes, while provisioning, PayPhi will send you PAR (Payment Account Reference) which can be utilized across tokens generated for that particular PAN and it would remain constant. PAR can be utilized to map all your loyalty offerings against tokens/cards.
    Will recurring payments (Standing Instructions) on the card work with tokens?
    Yes, as of today the schemes are working on supporting recurring payments on tokens and will be live soon.

    Know more about Tokenization

      Explore our other solutions



      Merchant Log in