Tokenisation

HDFC Bank Token Management Services [TMS] - One integration with multiple services

The solution has been approved as an interim measure for the processing of guest checkout transactions in line with the RBI circular titled Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)] CO.DPSS.POLC.No.S-760/02-14-003/2022-23 released on July 28, 2022.

From October 1, 2022,

Only a duly provisioned token can be stored by the payment system participants other than the card-issuers and/or card networks to provide a card-on-file experience to cardholders.
No entity in the card transaction/ payment chain other than card-issuers and/or card networks shall store actual card data, such as the Primary Account Number (PAN), Card Verification Value (CVV) or expiration date. Any such data stored previously shall be purged.
However, entities can store the last four digits of the PAN and the issuer name for transaction tracking and/or reconciliation purposes.

2. Guest checkout is defined as transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction. This includes the first transaction of the customer providing consent to create a CoF token where the transaction is processed on PAN rather than a token.

From October 1, 2022, the merchant or its Payment Aggregator (PA) involved in the settlement of such transactions, can save the CoF data for a maximum period of T+4 days (’T’ being the transaction date) or till the settlement date, whichever is earlier. This data shall be used only for the settlement of such transactions and must be purged thereafter.
For handling the other post-transaction activities, acquiring banks can continue to store card data until January 31, 2023. The merchant/PA may work with their acquiring bank to identify and finalise an appropriate transaction reference number-based process that can help them handle post-transaction activities.
Entities can store the last four digits of the PAN and the issuer name for transaction tracking and/or reconciliation purposes.

The that HDFC Bank Token Management Services (TMS) offer you seamless solutions to tokenise cards. Ours is an industry leading solution offering issuance and network tokenisation solution and is trusted by our trade partners across the country.

Key benefits of HDFC Bank Token Management Services:

Regulation – An effective way to comply with the RBI guidelines on CoFT.
Convenient – Single and flexible Integration for all networks and HDFC Bank issuance tokenisation solution.
User-friendly – Applicable to all domestic Credit and Debit Cards.
Lifecycle - Reports with token number or masked PAN (guest checkout) for ease of reconciliation and refunds processing.

A. Token Txn lifecycle maintenance

Reports: MPR and Charge Back reports will have token first 6 + last 4 digits for reference.
Refunds: Refunds can be initiated by merchant track ID or PG transaction ID or payment ID or transaction reference number across all payment gateway – CYB/MPGS/in-house PG of the bank.

B. Guest checkout and HDFC Bank issuer token txn lifecycle maintenance

Reports: MPR and chargeback reports will have PAN first 6 + last 4 digits for reference.
Refunds: Refunds can be initiated by merchant track ID or PG transaction ID or payment ID or transaction reference number across all payment gateway – CYB/MPGS/in-house PG of the bank.

What is Tokenization?

According to RBI norms, Online merchants are not allowed to store customers' card details. As a result, every time a customer makes an online payment, they need to enter all their card details (CVV, card no. expiry date).

To ensure faster checkouts, HDFC Bank has launched a Tokenization Service. It is a process that replaces customers Credit/Debit Card details with a unique 'token'. This way, payments are processed without exposing customer’s sensitive account information.

How does it work?

On activating Token Management Service, transactions are processed in the following way:

Customer uses a Credit/Debit Card to make payment on the website
Card number is transferred to the Tokenization system
System generates 16 digit 'token' to replace the original card number
Merchant site saves the newly generated 16-digit token in the place of the customer's original card number

Benefits of the Token Management Service

Regulation – An effective way to comply with RBI guidelines on CoFT.

User- friendly – Applicable to all domestic Credit and Debit Cards.

Convenient – Single and flexible Integration for all Networks and HDFC Bank Issuance Tokenization solution.

Flexible – Scope to extend it to a loyalty and Instant Discounting Solution

Easy – Customers can make quick and safe payments.

How to enable Token Management Service (TMS)?

Step 1 - Create a Token

With existing Card on File (i.e., stored cards), the merchant creates a token using the Token Management Service (TMS) API to migrate card details to Network Tokenized Vault
Merchant, on Cardholder consent, initiates TMS API for creation of Token, Merchant initiates standard Payment Gateway Transaction journey of Rs 2 for validation.
TMS connects with Network to create Token Reference ID [TRID]
Merchant receives the TRID to be used for subsequent transactions. Network updates the Token Authentication Verification Value [TAVV] with Issuers

Step 2 - Create Token during purchase

Customer enters card details (Card PAN, Expiry Date, Name of Cardholder & CVV) on merchant platform/website/pay page
Customer accepts T&C, allowing Network/Issuer to save card details
Merchant initiates the transaction for the purchase value, and TMS connects with Networks to create TRID
Merchant receives the TRID --- to be used for subsequent transactions.
Networks update the TAVV with the Issuers.

Retrieve & Transact

Customer selects the token options (first-6, last 4-digits, and issuer name)
Merchant initiates the transaction by providing the Token to the bank payment gateway, which will connect with Network to detokenize TRID and retrieve TAVV

Payment gateway sends the TAVV for authorization to the issuer

Tokenization FAQs

What is Tokenization?

Ans. Tokenization refers to replacement of actual card details with an alternate code called the “Token”, which shall be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for Tokenization of a card and passes it on to the card network to issue a corresponding token) and the merchant (token requestor and merchant may or may not be the same entity).
What is a Token Reference ID?

Ans. Token Reference ID [TRID] is a 16-digit number used by TMS to identify underlying stored card details.  Last 4-digits of TRID is same as the card number.
How can a Cardholder identify TRID against their stored Card?

Ans. Cardholder can identify the stored cards against TRID basis last 4-digits and Issuer Name.
Which type of cards can a Cardholder store on TMS? What details are stored?

Ans. At present, TMS is capable of tokenizing all variants of Visa and Mastercard cards; RuPay to go live by December 2021; Diners and Amex are work-in-progress.
Are Merchant required to take consent from cardholder to facilitate Tokenization?

Ans. Yes, Merchants are required to seek explicit acceptance of T&C by cardholders on their platform / webpage / payment page --- ‘to allow facilitation of Network/Issuer tokens.
Other than Token what details cardholder needs to enter on Pay Page for transaction completion?

Ans. The TMS stores Card PAN and Expiry Date; i.e. for any subsequent transactions on the same card, cardholders need to provide the CVV Number and complete authentication.
Where will these Tokens get used?

Ans. Once created, the Tokenized card details can be used in place of an actual card number for future online purchases initiated by the card holder.
What is the benefit of Tokenization?

Ans. A Tokenized card transaction is considered safer as the actual card details are not shared / stored with the merchants during the transaction.
Will Tokenization have any impact on the POS transactions that the card holder does at merchant outlets?

Ans. No. Tokenization is only required for carrying out the online transactions
What are the charges that the card holder needs to pay for availing this service?

Ans. The customer need not pay any charges for availing the service of Tokenizing the card.
Who can perform Tokenization and de-Tokenization?

Ans. Tokenization and de-Tokenization can be performed only by the card issuing Bank or Visa / Mastercard / Rupay / Diners who are referred as authorized card networks.
Are the customer’s card details safe after Tokenization?

Ans. Actual card data, token and other relevant details are stored in a secure mode by the card issuing Bank and / or authorized card networks. Token requestor / merchants cannot store full card number or any other card detail.
Is Tokenization of card mandatory for a customer?

Ans. No, a customer can choose whether or not to let his / her card Tokenized. If not Tokenized, starting June 30, 2022, the card holder must enter the full card number, CVV and Expiry date to complete the online transactions.
How does the process of registration for a Tokenization request work?

Ans. The registration for a Tokenization request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.
Is there any limit on the number of cards that a customer can request for Tokenization?

Ans. A customer can request for Tokenization of any number of cards. For performing a transaction.
Can the customer select which card to be used in case he / she has more than one card Tokenized?

Ans. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor / merchant.
Can a card issuer refuse Tokenization of a particular card?

Ans. Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor / merchant.
Is there a time-limit /auto-expiry of a tokenized card like an OTP? –

Ans. Token expiry will be the same as card expiry.
Will the tokenized card need to be stored at Merchant website? –

Ans. Merchants can store the token.
Will it be 1 token per card or multiple tokens per card is possible (1 card with separate token nos for diff merchant sites)?

Ans. Yes. Token should be different to card, token requester and merchant as a combination. Hence one card will have multiple tokens
Can customer opt for single-use / perpetual token for his card at the time of request?
Ans. The current COF tokenization talks about different tokens for different merchants and cards.
The limit will be fixed by the customer for each tokenized card. Will this block the available limit (like a prepaid/net safe wallet).

Ans. As per the current understanding, the limits can be there only at card level.
Is there a validity/purging period for the tokenized card (noted that the details can be viewed/deleted through dedicated portal)?

Ans. Token expiry will be the same as card expiry.
How will Refunds and Chargebacks work on Token Transactions?
Ans. Refunds and Chargebacks are facilitated using TRID instead of Card PAN in transactions facilitated using tokens.
Can a Cardholder de-register the token from Merchant Platform?
Ans. Yes. Cardholder has an option to de-register the token from Merchant Platform – Cardholder can request the Merchant or Card Issuer for de-registration of the token. Merchant will request TMS for deregistration basis customer consent.

We recommend that you approach your Relationship Manager to integrate with the HDFC Bank TMS solution.

Should you need any more information on the subject, we will be happy to assist you. Write to pghelpdesk@hdfcbank.com, or reach us on the service help desk number – 60017000, North East: 33557000 by prefixing your city code.