The Reserve Bank of India (RBI) has issued an order barring merchant sites and payment aggregators from storing customers' actual card details, which means online platforms will no longer be allowed to save card data after December 31, 2021.
“With effect from January 1, 2022, no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data,” the central bank said in a statement on Tuesday and added that any such data stored previously shall be purged.
What is tokenisation?
Tokenisation is the process of replacing sensitive data with 'non-sensitive' surrogate values called "tokens". A payment token stands in for the card holder's 16-digit primary account number (PAN): it is a digital credential bound to a particular merchant, device or channel, so it cannot simply be reused elsewhere. The merchant saves this token, rather than the card number, in its payment system and uses it to process transactions. If a merchant is breached and payment tokens fall into the wrong hands, the PAN itself is not exposed, and the tokens are of little use to cybercriminals outside the domain they were issued for.
In its latest notification, the RBI has said that tokenisation has to be done based on customer consent and is "to be validated through an additional factor authentication".
How will RBI's latest decision impact customers?
Currently, most merchant platforms save card details on file so that repeat customers need not enter them again. After RBI's latest decision, these sites won't be able to store a shopper's actual card credentials in any form, and unless the customer has consented to tokenisation, they will have to key in their complete card details every time they make a transaction.
For instance, when you shop on an e-commerce site for the first time, you are asked to feed your 16-digit debit card number and then the CVV code. However, when you buy another item from the same platform, you see that the site has already stored your 16-digit card number and you just have to put in your CVV and then the OTP is generated by the bank to make the purchase.
In fact, some platforms don't even require you to put in the CVV every time you shop. For instance, if you take out a subscription to an app from Apple's App Store, newer iPhone models simply verify your face and complete the purchase. So, essentially, you are buying products with a single click.
With the new RBI order, this won't be the case anymore and a shopper will have to put in their entire card details every time they shop for something.
Making online shoppers more secure
The new RBI norm extends to every device that connects to the internet: mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices and so on, and it applies to payment aggregators as well as the merchants on-boarded by them.
Where a card is tokenised, the merchant's systems never hold the 16-digit number the customer keyed in; they receive only a token, a string of digits that bears no relation to the number entered.
The payment aggregators had been lobbying to keep card details saved with them so that customers retain the comfort of one-click purchases. They argued that the industry already follows the best safety practices, being certified at Level 1, the most stringent compliance tier under the Payment Card Industry Data Security Standard (PCI DSS), and that if the RBI had concerns, it could always demand stricter norms.
However, the RBI has refused to reconsider.
Nonetheless, merchant sites have been allowed to store the last four digits of the actual card number and card issuer’s name “in compliance with the applicable standards” for transaction tracking and reconciliation purposes.
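To make concrete what tokenisation means for a merchant (the definition given earlier in this article) and what the merchant may still keep on file under the norm just described, here is an added example in Python. It is not part of the original article and is not RBI's, any card network's or any merchant's implementation: a hypothetical TokenVault, standing in for the issuer/network side, issues random, Luhn-valid 16-digit tokens bound to a merchant ID and refuses to resolve a token for any other merchant, and a merchant_card_record helper keeps only the token, the last four digits and the issuer name. The merchant IDs "shop-a" and "shop-b", the issuer "Example Bank" and the 4111 1111 1111 1111 test card number are all constructed.

```python
"""Added example: a toy token vault illustrating card tokenisation and what a
merchant may retain (token, last four digits, issuer name).

Illustrative code only: not RBI's, any card network's or any merchant's
implementation. Merchant IDs, issuer name and card number are constructed."""
import secrets

DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a run of digits (ISO/IEC 7812).

    Card numbers carry one, so a Luhn-valid token passes the same
    client-side format checks a real PAN would."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the full number (payload + check digit) passes the Luhn check."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Stand-in for the card-network/issuer side that maps tokens to PANs.

    Only this side ever sees the real card number; merchants see tokens."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, str]] = {}  # token -> (pan, merchant_id)

    def tokenise(self, pan: str, merchant_id: str) -> str:
        """Issue a fresh random 16-digit token bound to one merchant.

        Tokens are random, not derived from the PAN, so nothing about the
        card can be recovered from the token itself."""
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("PAN must be a 16-digit Luhn-valid number")
        while True:
            payload = "".join(secrets.choice(DIGITS) for _ in range(15))
            token = payload + luhn_check_digit(payload)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Resolve a token to its PAN, but only for the merchant it was issued to.

        A token stolen from merchant A is rejected when merchant B presents it."""
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_merchant = entry
        if bound_merchant != merchant_id:
            raise PermissionError("token is not valid in this merchant's domain")
        return pan


def merchant_card_record(pan: str, issuer_name: str, token: str) -> dict:
    """What the merchant keeps on file: the token plus the last four digits and
    the issuer name for reconciliation. The full PAN is deliberately not kept."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}


# Constructed walkthrough with a hypothetical merchant and an industry test number.
TEST_PAN = "4111111111111111"  # well-known test card number, not a real card

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise(TEST_PAN, merchant_id="shop-a")
    print("merchant keeps on file:", merchant_card_record(TEST_PAN, "Example Bank", token))
    print("shop-a can charge the card:", vault.detokenise(token, "shop-a") == TEST_PAN)
    try:
        vault.detokenise(token, "shop-b")
    except PermissionError as exc:
        print("shop-b cannot use the stolen token:", exc)
```

Running the script shows that the record left with the merchant contains no full card number, that the token looks like a card number but is unrelated to it, and that the same token presented by a second merchant is refused. Production token services (such as EMVCo payment tokens) go further, binding tokens to devices or channels and requiring per-transaction cryptograms; the point of the example is only that a token reveals nothing about the PAN and is useless outside the domain it was issued for.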
It has been found that people tend to shop more when they have the choice of making the purchase with just a click.
(Edited by : Kanishka Sarkar)