The Reserve Bank of India (RBI) recently issued a notice that is to be implemented from January 1, 2022. The notice is likely to reduce the risk of cardholders' card details being stolen. The new rules direct all merchants, payment gateways and e-commerce platforms such as Amazon, Flipkart and Zomato to delete all sensitive customer data stored on their platforms in order to make payments more secure. They have instead been asked to use encrypted tokens for transactions, a process called 'tokenisation'.
The RBI said, “With effect from January 1, 2022, no entity in the card transaction, payment chain, other than card issuers and or card networks, shall store the actual card data. Any such data stored previously shall be purged.”
“For transaction tracking and or reconciliation purposes, entities can store limited data – last four digits of the actual card number and card issuer’s name – in compliance with the applicable standards,” it added.
The banks have already started to notify their customers about the new rules set by the RBI.
Tokenisation is the replacement of actual card details with an alternative code called the 'token'. The token is unique for a combination of card and token requestor. The token requestor is the entity that accepts the customer's request to tokenise the card and passes it on to the card network, which issues a corresponding token.
The cardholder can get their card tokenised by making a request on the app provided by the token requestor. The token requestor then forwards the request to the card network, which in turn asks for the consent of the card issuer and issues a token corresponding to the combination of the card, the token requestor and the identified device.
For example, if you purchase an item from an e-commerce platform, the platform will initiate the tokenisation process. It will first ask for your consent to tokenise your card. Once you give your consent, the platform will send the tokenisation request to the card network. The card network will then create a token, which acts as a proxy for your 16-digit card number, and send it back to the e-commerce platform, which will save it for future transactions. As before, you will still have to enter your CVV and OTP to approve each transaction.
Token requestors cannot store your Primary Account Number (PAN), that is, your card number, or any other card details. The actual card data, the token and all relevant details are stored in a secure mode by the authorised card networks. “Actual card data, token and other relevant details are stored in a secure mode by the authorized card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices/globally accepted standards,” says the RBI.
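The flow and storage rules described above can be modelled in a few lines. This is an added illustration, not RBI's or any card network's code: the class names, the random token format, the `issuer_consent` flag and the binding check in `detokenise` are all assumptions made for the sketch.

```python
import secrets

class CardNetwork:
    """Toy token vault standing in for the card network (constructed)."""
    def __init__(self):
        self._by_key = {}    # (pan, requestor, device) -> token
        self._by_token = {}  # token -> (pan, requestor, device)

    def tokenise(self, pan, requestor_id, device_id, issuer_consent):
        # The network issues a token only after the card issuer consents.
        if not issuer_consent:
            raise PermissionError("card issuer did not consent")
        key = (pan, requestor_id, device_id)
        if key not in self._by_key:
            token = secrets.token_hex(8)  # random, not derived from the PAN
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def detokenise(self, token, requestor_id, device_id):
        # Assumption: a token is honoured only for the pair it was issued to.
        entry = self._by_token.get(token)
        if entry is None or entry[1:] != (requestor_id, device_id):
            raise PermissionError("token unknown or used outside its binding")
        return entry[0]

class TokenRequestor:
    """Merchant side: keeps the token, last four digits and issuer name only."""
    def __init__(self, requestor_id, network):
        self.requestor_id, self.network = requestor_id, network
        self.saved_cards = []

    def save_card(self, pan, issuer_name, device_id, customer_consent,
                  issuer_consent=True):
        if not customer_consent:
            return None  # nothing is stored without the cardholder's consent
        token = self.network.tokenise(pan, self.requestor_id, device_id,
                                      issuer_consent)
        record = {"token": token, "last4": pan[-4:], "issuer": issuer_name}
        self.saved_cards.append(record)  # the PAN itself is never persisted
        return record

if __name__ == "__main__":
    net = CardNetwork()
    pan = "4111111111111111"  # constructed test number, not a real card
    shop = TokenRequestor("shop-a", net)
    print(shop.save_card(pan, "Example Bank", "phone-1", customer_consent=True))
```

Because each token is tied to one requestor and device, a token copied from one merchant's database is rejected when presented by any other requestor in this model.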
“In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen,” said the RBI.
In short, from January 1, 2022, you will not be able to save debit or credit card details on any e-commerce platform, and you will have to re-enter your card details every time you make an online transaction. To avoid this hassle, you can choose to tokenise your cards. Once the e-commerce platform receives the token, the token can be saved for future transactions.
However, the new guidelines apply only to domestic cards and transactions, not to international transactions. Customers will not need to pay any extra amount to tokenise their cards.