In the world of global e-commerce, we often store our card details with various merchants for future transactions, making life more convenient. However, this practice comes with risks, as having our card information stored in multiple places increases the chances of it being stolen or misused.
To address this concern in the Indian sub-continent, the Reserve Bank of India (RBI) mandated a solution called tokenization for all Indian merchants, processors and acquirers. This process replaces actual card details with a unique code known as a "token". This token is specific to a combination of a payment card, the requesting entity (like a merchant), and the tokenization service provider.
In September 2021, the RBI issued a circular instructing that only card issuers and card networks should store actual card data. Any other entities involved in the payment chain must purge this data. They can, however, retain limited information, such as the last four digits of the card number and the card issuer's name, for transaction tracking and reconciliation purposes.
Despite these regulations, one issue remained for Guest Checkout transactions. These transactions occur when cardholders manually input their card details during a purchase. For these transactions, follow-on transactions such as refunds and payment captures require payment card data which, according to RBI guidelines, must be purged. A token could not solve this problem, as a token is only requested when a customer offers their consent to tokenize their information. Recognizing this gap, the Reserve Bank of India (RBI) urged all payment networks to develop a solution for implementing tokenization services specifically for guest checkout transactions.
Because user consent wasn't obtained for tokenizing these cards, and entities are no longer allowed to store all card details, managing post-transaction activities (like chargeback handling, refunds and settlement) for guest checkout transactions becomes tricky. Previously, such activities relied on the stored Card-on-File (CoF) data, which is now prohibited for entities other than card issuers and networks.
One solution emerging to address this challenge is Alternate IDs (Alt IDs). This works by tokenizing guest checkout transactions, replacing the actual card number with a unique token provided by the payment networks. This way, sensitive card data remains secure and protected from exposure, aligning with the RBI's mandate and ensuring safer transactions for all parties involved. Indian Merchants and Payment Service Providers (PSPs) are mandated to process domestic guest checkout transactions via Alt IDs.
PayGlocal, through our connection with the card networks, now supports Alt ID provisioning and transaction processing as a unified solution. All merchants integrated with PayGlocal will have access to this feature by default for India-issued payment card transactions.
Transaction flow:
- The customer enters their card details on the merchant's payment page and begins the payment process.
- The merchant sends these details to PayGlocal, the Token requester.
- PayGlocal forwards the Alt ID generation request to the relevant card network.
- The card network responds by providing a card-specific Alt ID along with issuer approval and a transaction-specific cryptogram to PayGlocal.
- PayGlocal then initiates the transaction using the Alt ID for further processing.
Benefits:
Alt ID offers several advantages for both merchants and end-customers, similar to a card-on-file tokenization solution:
- Merchants can smoothly transition their customers to the Alt ID solution without requiring any changes.
- The solution provides a secure option for cardholders who prefer not to save their cards with merchants and wish to avoid signup processes.
- By integrating with PayGlocal for the Alt ID solution, merchants can ensure compliance with RBI guidelines.