Card tokenization — As a merchant/issuer, what do I need to do?

There are plenty of resources available that explain card tokenization. Hence, I’m skipping that bit and trying to explain the impact and changes that one has to do as a merchant/issuer.

What’s the Impact on the Customer? If tokenization is not implemented then…

• Customer payment experience could take a hit as customers would be required to enter their card details each time they make a purchase online.
• Customers would use alternative payment modes. Like, UPI is the alternative for debit cards and net banking.

Where the tokens are generated and how will be exchanged?

NOTE: As of today (22/12/21), the tokens are being generated at network’s. However, issuers can also generate the token.

As a merchant, what shall I do?

• Ask your Payment Gateway (PG) providers to take the save card consent at their end so that you’ll not have to change/develop the frontend.
• If you’re already saving the cards on the PCI environment then you will have to purge all the cards before 01/01/22.
• If you’re having multiple PGs integrated then save the network token (NT) along with PG’s token (PT). This will reduce the dependencies of the PG. Even though you’ve one PG integrated, it’s recommended to store NT.
• Use NT to show card selection and use PT whenever the customer selects the card to pay.

As an issuer, what shall I do?

• Ask your switch provider to make CVV optional on ACS (access control system) or IAS (issuer authentication server) — after your discussion with the Network.