By Prashanth Pereira, VP & SBU Head – Emerging Businesses & Technologies, Manipal Technologies
On 08 January 2019, the Reserve Bank of India (RBI) issued guidelines for card tokenization stating that banks, with the support of card networks, can tokenize transactions made through debit, credit and prepaid cards, with a view to enhancing the security of payment systems in India.
With this circular, RBI has defined the roles and responsibilities of card networks and issuing banks in promoting the acceptance of tokenization as a service in India, focusing on both customer security and customer centricity.
GDPR and Data Protection Bill
The proposed Data Protection Bill 2018 essentially makes individual consent central to data sharing. The bill notes that the right to privacy is a fundamental right. Unless you have given your explicit consent, your personal data cannot be shared or processed. This also means that the onus for the security of the data lies on the data processor/owner, who is obligated to handle it in a fair and reasonable manner.
Failing to meet these provisions can cost companies dear, with the bill laying down penalties that can go up to ₹15 crore or 4 per cent of a company’s total worldwide turnover.
What is virtualization?
Virtualization eliminates the dependency on the physical form factor. The solution is simple: it is a safe and secure identification and authentication mechanism that uniquely authorizes the user without using any physical or permanent number.
Virtualization offers added security, higher approval rates, and better transaction management – all of which translate to better consumer experiences. Various digital commerce solutions will be introduced to make online commerce more secure. While the physical card will probably remain within arm’s reach as an essential payments tool, its level of importance will diminish in the future as more consumers become familiar with tokenization.
Why is virtualization relevant to Prepaid Instruments?
RBI allowed card networks to onboard PPI issuers onto their networks. Non-bank PPI issuers are permitted to participate as members / associate members of authorised card networks.
• Within a year of discontinuing paper vouchers, RBI mandated non-bank PPI issuers to issue EMV chip cards to ensure interoperability
• The mandate also requires PPI issuers to have a strong risk management system and to ensure customer protection
• PPIs for cross-border outward transactions have also been permitted
The above regulatory changes have imposed a stringent fine in case of failure to meet the guidelines, and they challenge PPI providers to adapt to a rapidly changing ecosystem. App-based virtualization of prepaid instruments is a very cost-effective and secure way for service providers to ensure a smooth transition for their customers without changing the way they transact at any PoS.
How is Virtualization different from Tokenization?
Virtualization is the creation of a virtual (rather than actual) version of something. It utilizes the concept of tokenization, which replaces sensitive data. Virtualization enables a user to generate a token at will instead of having to request one and then use it.
Virtualization was developed keeping certain key aspects in mind:
1. Ease of usage, going with the customer’s instincts
2. Protecting user credentials
3. Eliminating network dependency (works offline)
4. Adhering to existing ISO 8583 network standards
5. Being a software-based solution
What makes Virtualization a better option?
Currently, tokenization systems are online and pull based, which means that they are network dependent and must be requested from the customer. Secondly, they only take care of the transaction and not the credentials of the user.
Virtualization solutions, on the other hand, ensure that the user credentials never see the light of the internet, effectively securing the identity and the transaction of the user. Since the solution is not network dependent, there is ease of use for the customer. The actual card number and customer credentials are secured in the database of the issuer and are replaced by an algorithm-based solution which generates dynamic tokens. The dynamic tokens are generated and then decoded by our solution at the time of authentication; it is almost impossible to reverse-engineer or compromise a token, making the process of virtualization superior to other methods of encryption. Virtualization is tokenization enhanced.
History of Tokenization in Payments
Tokenization is not a new concept; it has been used in the digital world since the 1970s to isolate real data elements from exposure to other data ecosystems.
In 2001, TrustCommerce created the concept of tokenization to protect sensitive payment data for a client. TrustCommerce protected customers from the risk of storing cardholder data if their systems were ever hacked. TrustCommerce developed TC Citadel®, where customers could reference a token in place of cardholder data and TrustCommerce would process a payment on the merchant’s behalf. Further, in 2005, tokenization was applied to payment card data by Shift4 Corporation.
Card tokenization entered India with the launch of Samsung Pay, with which customers with Samsung mobile devices could make payments at PoS terminals (NFC and non-NFC enabled). As other players keenly watched the space, the Reserve Bank of India (RBI), with its latest circular, has laid down the rules for card tokenization.
If tokenization is an old concept, why wasn’t it adopted earlier for payments and credentials management?
Since 2005, Visa Inc. (Visa Token Service), American Express (American Express Token Service) and MasterCard have been exploring and testing the technology.
However, the difficulty in entering the mainstream market was primarily due to the following issues:
1. Pull-based solution – not customer centric
2. Network dependency needed to pull a token on demand
3. High cost of providing the services
4. Lack of acquiring mechanisms on the merchant side
Tokenization was made successful in the US by Mastercard only in the B2B space. In the B2C space, however, the payment networks were largely unsuccessful. The reason is that although the technology was perceived to have potential, it was cost-ineffective due to high network dependency. Most importantly, the largest factor was that it went against a customer’s natural instincts, which led to lower adoption.
Virtualization to protect user credentials
Identity cards were first used to compare one’s face to a photo in a passport. But as the years passed, identity has evolved into credentials. Today you identify yourself in every aspect of your life.
The way you identify yourself has also grown from a photo to using face, hand, or biometrics to access everything. Electronic identity cards (or e-IDs) even store this information.
If credential information is stored in multiple locations for multiple uses, then it is likely that at some point in time this information can be accessed from one site or another that has a vulnerability.
Virtualization ensures that the credentials stay in the company’s database and that what is available in the network is just a maze of numbers that cannot be correlated to the user.