To make online payments safer and more secure, the Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove the sensitive customer card data saved on their end and instead use encrypted tokens to carry out transactions. The new rule will take effect from 1 January 2022.
Banks have started informing their customers about the changes. “Effective 1st Jan’22! Your HDFC Bank card details saved on Merchant Website/App will get deleted by the merchants as per the RBI mandate for enhanced card security. To pay each time, enter full card details or opt for tokenisation,” is an SMS that HDFC Bank has been sending its customers since last week.
RBI issued guidelines in March 2020 saying that merchants will not be allowed to save card information on their websites to boost data security. It issued fresh guidelines in September 2021 giving companies until the end of the year to comply with the regulations and offering them the option to tokenise.
The RBI had ordered all companies in India to purge saved credit and debit card data from their systems with effect from January 1, 2022.
When you use your card, debit or credit, for a transaction, the execution of the transaction is based on information like the 16-digit card number, the card expiry date, the CVV as well as the one-time password or transaction PIN. In fact, a transaction is successful only if all of these variables are entered correctly for a specific transaction.
Tokenisation refers to the replacement of actual card details with a unique alternate code called the “token”. This token is unique for each combination of card, token requestor and device.
From January onwards, when you make the first payment to any merchant, you will need to give the merchant your consent with an additional factor of authentication (AFA). Once done, you will complete the payment by keying in your card’s CVV and OTP.
What cardholders need to do from next month
- You start a purchase with a merchant
- The merchant initiates tokenisation by asking for your consent to tokenise the card.
- Once you give consent, the merchant sends a tokenisation request to the card network.
- The card network creates a token as a proxy to the card number and sends it back to the merchant.
- For making payment to a different merchant or from a different card, tokenisation is to be done again.
- The merchant saves the token for subsequent transactions.
- You approve transactions with CVV and OTP
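The following Python sketch is an added example, not part of the original article and not taken from any RBI or card-network specification. It models the steps above as a toy token vault to show why a token bound to one card, token requestor and device is of no use to anyone else; the class and method names, the "tok_" token format and the merchant and device identifiers are all assumptions.

```python
import secrets

class CardNetworkVault:
    """Toy model of the card network's token vault (illustrative only)."""

    def __init__(self):
        self._token_for = {}    # (card, requestor, device) -> token
        self._binding_of = {}   # token -> (card, requestor, device)

    def tokenise(self, card_number, requestor, device, consent_with_afa):
        # A token is issued only after the cardholder consents with AFA.
        if not consent_with_afa:
            raise PermissionError("cardholder consent with AFA is required")
        binding = (card_number, requestor, device)
        if binding not in self._token_for:
            # Random value, not derived from the card number, so it cannot be reversed.
            token = "tok_" + secrets.token_hex(8)
            while token in self._binding_of:
                token = "tok_" + secrets.token_hex(8)
            self._token_for[binding] = token
            self._binding_of[token] = binding
        return self._token_for[binding]

    def detokenise(self, token, requestor, device):
        # Only the vault can map a token back to the card, and only for the
        # requestor and device the token was issued to.
        binding = self._binding_of.get(token)
        if binding is None or binding[1:] != (requestor, device):
            return None
        return binding[0]


def demo():
    card = "4111111111111111"  # constructed test number, not a real card
    vault = CardNetworkVault()
    token_a = vault.tokenise(card, "merchant-a", "phone-1", consent_with_afa=True)
    token_b = vault.tokenise(card, "merchant-b", "phone-1", consent_with_afa=True)
    merchant_a_storage = {"customer-42": token_a}  # all that merchant A keeps on file
    return {
        "tokens_differ": token_a != token_b,
        "card_in_storage": card in merchant_a_storage.values(),
        "own_token_resolves": vault.detokenise(token_a, "merchant-a", "phone-1") == card,
        "token_at_other_merchant": vault.detokenise(token_a, "merchant-b", "phone-1"),
    }

if __name__ == "__main__":
    print(demo())
```

If merchant A's storage leaks, it exposes only a token that the vault refuses to resolve for any other requestor or device.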
When the card details are saved in an encrypted manner, the risk of fraud or compromised data is reduced. To put it simply, your risk is reduced when you share the details of your debit/credit card in the form of a token.
“In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” RBI had said in its release.
The initiative is expected to make card transactions safer, more secure and more convenient for users.
The central bank had said that there will be no requirement to input card details for every transaction under the tokenisation arrangement.
“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue,” RBI release noted.