How RBI’s new tokenisation rule will effect credit/debit card payments?

Prabhat Nigam

13 Sep, 2022

The Reserve Bank of India (RBI) via notification has come out with a new rule of tokenisation which will make online payments safer and secure. RBI has mandated that from 1^st January, 2022 onwards any entity that is involved in the card transactions or forms part of the payment chain shall not store actual card data except the card issuers or card networks. Further, any such card data stored by these prohibited entities shall be deleted by them.

The entities that have been excluded from keeping the sensitive data have been asked to erase the sensitive data of their customers’ credit cards and debit cards from their end. Instead, they have been asked to use encrypted tokens to carry transactions from 1^st January 2022 onwards.

Now these entities have started informing their customers that their saved card details have been deleted and from 1^st January 2022 onwards the customers will either have to:

1. Fill in full card details every time they will be making transactions; OR
2. They can opt for the scheme of tokenisation.

The conversion of card data into a cryptic token shall be done after taking voluntary consent of the customer and would require Additional Factor of Authentication (AFA).

Backdrop of the new rules on tokensiation

This is not a hasty step taken by the RBI. The RBI^[1] had issued guidelines in the March of 2020 asking merchants not to store card data of their customers on their websites and apps. Again fresh guidelines were issued in September of 2021 and gave these entities an ultimatum to delete the sensitive card information of their users by the end of 2021 and comply with the scheme of tokenisation as an alternative. 

What is meant by Tokenisation?

Tokenisation is the process of converting the card details of the customer into a unique alternate code that will be unique for every cardholder, the device used and the token requestor. So from the 1^st January 2022 onwards the customer will either have to fill in the full 16 digit card number with expiry date and CVV or avail the secondary option of Token.

Every time a card holder wishes to make a transaction using his/her card, the merchant will initiate the process of tokenisation wherein the explicit consent will be sought from the card holder to tokenise his card. If the card holder accepts the request to tokenise the card, the merchant will direct the acceptance to the card network which in turn will create a token for the card and send it as a proxy to the merchant for completing the transaction.

It must be noted that one token is unique to one card and one merchant only. So every time a transaction is made to another merchant or while using a different card, the process of tokenisation shall begin afresh.   

Why was the need felt for tokenisation?

With the increasing number of e-commerce websites and apps propping up, the customers are taking the online route to make payments. The sites of the merchants where the customers place their orders usually store their card details and other sensitive information in their database for providing ease to their customers in case they wish to place further orders in the future. Storing of the customers data provides ease to the customers to place orders quickly without the need to type in the 16 digit long code and other relevant details at every transaction they make.

However, this process is fraught with dangers such as data leakage of the sensitive information of the consumers. In order to protect the sensitive information of the customers, the RBI has come up with guidelines which mandate merchants to delete the already stored card information of the customers with them. The RBI also provides a scheme of tokenisation which will convert the card number into a token which is a unique cryptic code as a measure of safety for every transaction made via cards and the merchants will not be able to get hold of the actual information of the customers anymore and prevent any cases of financial frauds.

How secure is the tokenisation of card?

Tokenisation converts the card details in an encrypted code which reduces to a great extent the chances of data leakage and consequent risk of frauds can be curtailed.

The current system of making online transactions involves using of 16 digit number along with card expiry date, CVV number and One Time Password to complete the process of making the payments. These details are submitted to the merchant database every time the transaction is made.

Many websites and apps force their customers to submit their card details while making online payments. The submission of card details of the card holder with a number of merchants at multiple websites and apps exposes the card holder with the risk of leakage of sensitive card information.

There have been many instances in the recent past where the card information stored with the merchants has leaked on dark web and other platforms. Data leakage can have irreparable consequences because many banking jurisdictions do not ask for Additional Factor of Authentication while making card transactions. This has increased the chances of financial frauds and other crimes.

Conclusion

Some concerns have been raised from both the stakeholders such as the card holders are worried that they will have to remember their 16 digit number which will be difficult for them to type in every time they enter into a transaction and cause of concern for the merchants is that it will affect their revenue because their customer experience will be ruined because of a complicated process of typing in hard to remember card numbers. However, RBI has assured all of them that none of their concerns hold merit. The RBI claims that the card holders are not required to remember their 16 digit code every time they make online transactions because of the convenience provided by the tokenisation rule. All that the customer needs to do is enter the token and complete a simple AFA process to go through the transaction process.

Read our article:RBI allows Payments Banks and Small Finance Banks to undertake government agency business