Debit and credit card rules for online payments will change from January 1, 2022 as the Reserve Bank of India (RBI) has asked merchants and payment gateways to remove sensitive customer data on cards saved on their end from next year. Instead, these gateways will use encrypted tokens to carry transactions.
This new rule, according to the central bank, will make online payments more secured.
So, what is the new RBI rule exactly about?
RBI is planning to restrict merchant sites from saving the card details of customers from 2022. No entity in the card transaction/payment chain, other than the card issuers and/or card networks, will store the actual card data.
And, what is tokenisation?
Tokenisation is the process of turning sensitive data into 'non-sensitive’ data called "tokens". These tokens convert a debit or credit card holder’s 16-digit account number into a digital credential that can’t be stolen or reused.
This token — representing the customer's card data — is saved in the merchant’s payment system and processes the transaction. Even in cases of data breach when payment tokens fall into wrong hands, the PAN stays secure and thus, the tokens are useless to cybercriminals.
How will the new rule impact customers?
After RBI’s latest decision, platforms won't be able to store card credentials of a shopper in any form.
For instance, when customers shop on an e-commerce site for the first time, they are asked to feed the 16-digit debit card number and then the CVV code. However, when they buy another item from the same platform, they can see that the site has already stored the 16-digit card number and they just have to put in the CVV and then the OTP is generated by the bank to make the purchase.
With the new
RBI order, this won't be the case anymore and a shopper will have put in their entire card details when they shop for something.
What will customers need to do now?
Once customers start purchasing an item, the merchant will initiate tokenisation and ask for consent to tokenise the card. Once consent is given, the merchant will send the request to card network.
The card network will create token, which will act as proxy to 16-digit card number and send it back to merchant. The merchant will save this token for future transactions. Now, they will be required to enter CVV and OTP like before to give approval.
So, does this mean that customers will have to memorize 16-digit debit, credit card numbers?
The RBI had said there will be no requirement to input card details for every transaction under the
tokenisation arrangement
"Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of RBI to deepen digital payments in India and make such payments safe and efficient shall continue," RBI release said.
How secured will this 'tokenisation' be?
When the card details are saved in an encrypted manner, the risk of fraud or compromised data gets reduced, RBI noted.
(Edited by : Jomy Jos Pullokaran)
First Published: Dec 21, 2021 3:42 PM IST