How you transact online using cards is about to change starting October 1 because of new RBI rules kicking in. Merchants will no longer be allowed to store customers’ card data under the new card-on-file tokenisation guidelines.
This is RBI’s idea for safe online payments. Tokenisation refers to replacing actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device. These tokens can be used for online transactions, mobile point-of-sale (POS) transactions or in-app transactions.
TOKENISATION IS VOLUNTARY
Customers can choose whether or not to get their card tokenised. If not tokenised, starting from October 1, 2022, cardholders will just have to enter the full card number, CVV, and expiry date of the card for each online transaction.
No charges will be applicable for tokenisation of the credit and debit cards.
HOW DOES ONE TOKENISE THEIR CARD?
Step 1: Visit the app/website where you want to make a transaction
Step 2: At the payment page, select your saved card and provide CVV or enter card details if not saved
Step 3: Tick the check box saying “Secure your card” or “Save Card as per RBI guidelines”
Step 4: Enter the OTP received on your registered mobile number
Step 5: Done, your card is tokenised.
IS TOKENISATION REALLY SAFER?
To understand, picture this. Currently, if you are shopping online, let’s say, booking a travel ticket, you must key in your 16-digit credit or debit card details along with your 3-digit CVV number on the travel merchant's website. The merchant then saves this data on its website with your permission so that the next time you use the website, you can quickly enter your CVV and OTP to complete the transaction without entering the 16-digit card number again.
But it is this data storage on websites that could make the customers vulnerable to online hacks and frauds.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Your card details are only saved with the bank and the authorised card network, like Visa, Mastercard, etc. RBI has told merchants to create a ‘token reference number’ against each token. Only these reference numbers are stored by the merchants. Once a fraud is detected, the same token cannot be used again. Users will have to request a new token.
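The properties described above (a token tied to one card, token requestor and device, a merchant that keeps only a reference number, and a token retired after fraud) can be seen in a small model. This is an added example, not code from RBI, any bank or card network; `TokenVault`, its method names, the requestor and device labels and the sample card number are all hypothetical, and for simplicity the reference-to-token mapping is kept on the vault side.

```python
import secrets


class TokenVault:
    """Toy model of the bank / card network side; only it holds card numbers."""

    def __init__(self):
        self._active = {}    # (card, requestor, device) -> reference number
        self._bindings = {}  # token -> (card, requestor, device)
        self._refs = {}      # reference number -> token
        self._revoked = set()

    def tokenise(self, card_number, requestor, device):
        """Return the reference number for this card/requestor/device combination."""
        binding = (card_number, requestor, device)
        if binding in self._active:
            return self._active[binding]
        token = secrets.token_hex(8)         # random, not derived from the card
        ref = "REF-" + secrets.token_hex(4)  # the only value the merchant stores
        self._bindings[token] = binding
        self._refs[ref] = token
        self._active[binding] = ref
        return ref

    def authorise(self, ref, requestor, device):
        """Accept a payment only from the requestor and device the token is bound to."""
        token = self._refs.get(ref)
        if token is None or token in self._revoked:
            return False
        return self._bindings[token][1:] == (requestor, device)

    def report_fraud(self, ref):
        """Retire the token; the cardholder must request a new one."""
        token = self._refs.get(ref)
        if token is not None:
            self._revoked.add(token)
            self._active.pop(self._bindings[token], None)


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # constructed sample number, not a real card
    ref = vault.tokenise(card, "travel-site", "phone-1")
    print(ref, vault.authorise(ref, "travel-site", "phone-1"))
    print(vault.authorise(ref, "other-shop", "phone-1"))
    vault.report_fraud(ref)
    print(vault.authorise(ref, "travel-site", "phone-1"))
```

A reference number copied from one merchant's database is refused when presented by a different requestor or device, which is why storing it is lower risk than storing the card number.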
MIGHT DISRUPT SMALL BUSINESSES
While this is a win for customers, in the immediate future, it may disrupt some small businesses. The entire system has to upgrade to comply with tokenisation rules, and there could be some challenges with tech hurdles initially until the system stabilises.
To begin with, APIs that allow software and services to interact with each other and help verify and pull data from databases need to be ready. This has to happen both at the bank and card network's end, and only once banks, etc., are ready can merchants certify their processes.
Recurring payments may be the most impacted. Merchants will also have to ensure all customer data — which is not always stored in a single database — is deleted. For smaller merchants, it could mean a temporary loss of customers as they invest in the software and achieve compliance.
But ready or not, the system has to adopt tokenisation starting October 1.