RBI's debit, credit card rule to change from October 1; check all details here

Under RBI's tokenisation initiative, all companies are required to delete all existing cardholder information and replace it with a unique 'token'.

According to RBI, credit/debit card users don't need to use the token system mandatorily.

The Reserve Bank of India's (RBI's) card-on-file (CoF) tokenisation norms will come into effect from October 1, 2022. According to the RBI, the new tokenisation system will improve the cardholders' payment experience and also make it safer and more convenient.

The RBI also said that, after the tokenisation norms are implemented, customers' credit card and debit card details (used in online, point-of-sale, and in-app transactions) will be stored as an 'encrypted' token in order to ease the transaction process. The new tokenisation guidelines were scheduled to come into effect from July 1, but the deadline was pushed to September 30.

However, according to a report by news agency PTI citing sources, most of the large merchants have complied with the RBI's card-on-file (CoF) tokenisation norms and 19.5 crore tokens have been issued so far.

The RBI last September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.

What is tokenisation?

Under RBI's tokenisation initiative, all companies are required to delete all existing cardholder information and replace it with a unique 'token'. Once the policy is implemented, merchants will not be allowed to save one's card information as, according to the RBI, this will prevent any misuse of cards and make online transactions more secure.

Soumee Bhatt, General Counsel, BankBazaar.com, says, "This means that going forward, instead of saving your card details on a web service – for example, Amazon – you would be saving a unique token. This token would be only for that particular merchant and that particular device. With tokenisation, customers can register or de-register their card for a particular use, i.e., contactless, QR code-based, in-app payments etc."

The RBI describes tokenisation as "the replacement of actual card details with an alternate code called the 'token', which will be unique for a combination of card, token requestor and device." The 'requestor' accepts a request from the customer to tokenise their card and passes it on to the card network, which issues a corresponding token.
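A minimal model of the definition above, added here as an illustration and not taken from the RBI or the article: a token service that issues one random token per combination of card, token requestor and device, while the merchant keeps only the token and the last four digits. `TokenVault`, `merchant_record`, the random hex token format and all sample values are assumptions made for this sketch.

```python
import secrets


class TokenVault:
    """Toy stand-in for the card network's token service (hypothetical)."""

    def __init__(self):
        self._by_key = {}    # (pan, requestor, device) -> token
        self._by_token = {}  # token -> (pan, requestor, device)

    def tokenise(self, pan, requestor, device):
        """Issue, or return the existing, token for this card/requestor/device."""
        key = (pan, requestor, device)
        if key not in self._by_key:
            token = secrets.token_hex(8)  # random, so it reveals nothing about the card
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def detokenise(self, token, requestor, device):
        """Resolve a token only for the requestor and device it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (requestor, device):
            return None
        return entry[0]

    def tokens_for(self, pan):
        """Registrations for one card, as an issuer's app might list them."""
        return sorted((r, d, t) for (p, r, d), t in self._by_key.items() if p == pan)

    def deregister(self, token):
        """Delete a token; later attempts to use it fail."""
        key = self._by_token.pop(token, None)
        if key is None:
            return False
        del self._by_key[key]
        return True


def merchant_record(pan, token):
    """What the merchant keeps on file: the token and last four digits only."""
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenise(pan, "shop-a", "phone-1")
    print(merchant_record(pan, token))
    print(vault.detokenise(token, "shop-b", "phone-1"))  # wrong requestor
```

A token copied from one merchant's database resolves to nothing when presented by a different requestor or device, which is the property that limits the damage of a merchant-side breach.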

Benefits of tokenisation

RBI has stated that many entities involved in the credit/debit card payment transaction chain, including e-commerce platforms, merchant stores, websites and applications, save users' card details.

Some merchants even force their customers to store card details before using their services and apps, which ultimately increases the risk of users' sensitive information being stolen.

"Credit card data such as number, CVV and card expiry date is stored on the databases of web services for ease of payments. But this data faces info-security risks. We've seen in the past that data stored on some websites have been breached and leaked into the public domain. Once that happens, cards may be fraudulently used, and their owners may suffer financial losses. Hence, the Reserve Bank issued directives that no entity except card issuers or networks will be allowed to store debit or credit card details. Data already stored needs to be erased," Bhatt added.

According to media reports, many such incidents have occurred in the recent past where users' credit/debit card data stored by merchants has been compromised/leaked and sometimes even sold on the dark web or similar platforms. This stolen information could be used to carry out frauds.

Tokenisation aims to put a stop to such frauds as the merchant entities will only have a unique and randomly generated token code instead of the cardholders' actual information.

"As no card data is being saved anywhere except by the card network and issuer, chances of card data being lost or stolen are reduced. You also have the option to view the list of merchants with whom you have registered a token and de-register any such token in future via your issuer's app or internet banking. So, if you do not intend to shop on a site later or do not wish a recurring payment associated with your account to be renewed, you can delete the associated token. In case your card is renewed or replaced, you will have to explicitly consent to link it with the merchants with whom you had registered the card earlier. All this adds up to additional security," the BankBazaar.com General Counsel further said.

Why has the deadline been delayed?

According to RBI, transactions using tokens have yet to gain traction across all categories of merchants. RBI's statement reads: "These issues are being dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the RBI has announced extension of the said timeline of 30 June 2022 by three more months, i.e., to 30 September 2022."

Moreover, the industry has also raised several technical issues regarding guest checkout transactions, which consumers can opt for on a website without registering on it.

The industry is focusing on ensuring that all stakeholders are ready to conduct tokenised transactions and on implementing alternate mechanisms to manage all post-transaction activities related to guest checkout transactions. To make sure that more tokenised transactions are conducted, the industry is also trying to make the public aware of how to create and use tokens for credit/debit card transactions.

Charges for tokenisation

The tokenisation process is completely free of charge. However, it would be applicable only for domestic card transactions.

Is tokenisation mandatory for everyone?

According to RBI, credit/debit card users don't need to use the token system mandatorily. However, if the card user opts to not use the tokenisation system, they will be required to manually enter credit/debit card details every time while conducting a transaction on an e-commerce or merchant website.

In addition to this, as stated by RBI, one will have to create separate tokens for each card they own.

How to create a token for debit, credit cards

Once the new norms are implemented, the cardholder has to go through a one-time registration process for every card, at every online merchant's website where they intend to use the card, by entering its details and providing consent to create a token during checkout. A token will be generated for a particular card at a single website.

Steps to generate the tokens:

  • Go to any e-commerce merchant website or application and start a transaction.
  • During the check-out, enter the details of the credit/debit card along with additional details.
  • Secure the card and tokenise it per RBI's latest guidelines by selecting the 'secure your card as per RBI guidelines' or 'secure your card' option.
  • Authorise the token's creation by using the bank-provided one-time password (OTP) sent to the registered mobile phone or email to complete the transaction.
  • After creating the token, the data of one's card will be replaced with the above-mentioned token.
  • To help one recognise their card while making a transaction, the last four digits of the saved card will be displayed when they revisit the same website or application for any future transaction, representing that the card has been tokenised.