The RBI in March last year came up with new rules to enhance the security of online transactions made using debit and credit cards.
Online merchants and payments companies had been representing to the RBI to extend the deadline, saying that they lacked the infrastructure necessary to comply with the RBI’s Order by December 31, 2021. In light of these representations, the Reserve Bank of India on Thursday, 23rd December 2021, extended the earlier deadline of December 31, 2021 for card tokenisation by six months, to June 30, 2022.
Post June 30, 2022, merchants will not be able to store card information of users and will have to replace each card number with a randomised token number.
In light of various representations received from industry stakeholders in this regard, RBI has advised under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007) as under:
- the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged; and
- in addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks.
(RBI/2021-2022/142 - CO.DPSS.POLC.No.S-1211/02-14-003/2021-22 dt. December 23, 2021)
What does tokenisation mean, and how will it affect card users?
What is tokenisation?
In the case of digital transactions, “Tokenisation refers to replacement of actual card details with an alternative code called the ‘Token’, which uniquely combines card, device, token requestor etc.” Credit card tokens are created to protect sensitive data of customers by substituting it with a series of algorithmically generated numbers and letters.
Merchants and payment gateways cannot hold this data; only the card issuer and the card network are now allowed to.
CoFT (Card-on-File Tokenisation) replaces card details with a ‘token’, which will be unique for every debit or credit card and merchant platform where the card is used.
In a bid to increase customer safety and prevent fraud, RBI guidelines for payment aggregators (PA) and payment gateways (PG) state that PAs and merchants shall not store card credentials of customers in their databases starting January 1, 2022. This date has been extended to 30th June 2022. RBI wanted to put an end to the practice of online merchants storing the card details of customers, which the central bank believed could lead to misuse of cards by fraudsters.
In the absence of an alternative such as CoF Tokenisation, customers who wish to use their credit or debit cards will have to enter their details afresh for each transaction, including their 16-digit card number, card expiry date and card verification value (CVV).
How will merchant sites work without card data?
Generally, this is how it works: when the bank and card network receive a debit request from a payment gateway, they approve it based on the customer’s input on the merchant site. Mandar Agashe, founder, vice-chairman and managing director of Sarvatra Technologies, explained that it is not the card on file (CoF), or saved card details, that is used to complete a transaction; a token is used instead. At the back-end, the token is replaced with the card data for the transaction to go through. “You can’t just use the token anywhere. It is specific for that consumer, that merchant, and that card,” said Agashe.
How does this enhance the security of online transactions?
Information like credit card number, address, account number, can be easily misused if it falls into the wrong hands. However, with tokenisation, merchants can move data between networks without actually exposing such information.
CoFT refers to the replacement of actual card details with a code called a ‘token’, which will be unique for every debit or credit card and merchant platform where the card is being used.
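The two sections above describe the mechanism in words: the merchant keeps only a token, the token is bound to one card, one merchant and one device, and only the token service (network or issuer) can map it back to the real card number. The model below is an added illustration written for this page, not code from the RBI, any card network or any of the companies quoted; the class names, the `EXAMPLE-NET` label and the constructed card number `4111111111111111` (a well-known Luhn-valid test value) are assumptions. It shows why a token copied out of one merchant's database is useless at another, and that the merchant's stored record contains no PAN, expiry or CVV after the CoF purge.

```python
"""Constructed model of Card-on-File Tokenisation (CoFT).

Assumed design for illustration only: a token service issues a random token
bound to (card, merchant, device); the merchant stores just the token; only
the token service can resolve it back to the card."""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Checksum carried by card numbers; rejects obvious typos before tokenising."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 9 // 2 + 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardOnFile:
    """All a merchant may keep after the purge: token, last four digits, network."""
    token: str
    last4: str
    network: str


class TokenService:
    """Run by the card network or issuer (assumed); the only holder of real PANs."""

    def __init__(self):
        self._records = {}  # token -> {pan, expiry, merchant_id, device_id}

    def tokenise(self, pan, expiry, merchant_id, device_id, afa_passed):
        # Tokenisation only with customer consent validated by additional factor auth.
        if not afa_passed:
            raise PermissionError("customer consent via AFA required")
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        token = secrets.token_hex(16)   # random; reveals nothing about the PAN
        self._records[token] = {"pan": pan, "expiry": expiry,
                                "merchant_id": merchant_id, "device_id": device_id}
        return CardOnFile(token=token, last4=pan[-4:], network="EXAMPLE-NET")

    def detokenise(self, token, merchant_id, device_id):
        rec = self._records.get(token)
        if rec is None or rec["merchant_id"] != merchant_id or rec["device_id"] != device_id:
            # A token lifted from one merchant's database is useless elsewhere.
            raise PermissionError("token is not bound to this merchant and device")
        return rec["pan"], rec["expiry"]

    def delete(self, token):
        """Customer-requested de-tokenisation."""
        self._records.pop(token, None)


class Merchant:
    def __init__(self, merchant_id):
        self.merchant_id = merchant_id
        self.saved_cards = {}  # customer_id -> CardOnFile

    def save_card(self, customer_id, cof):
        self.saved_cards[customer_id] = cof

    def stores_pan(self, pan):
        """True if the full card number appears anywhere in the merchant's records."""
        return any(pan in repr(c) for c in self.saved_cards.values())


def authorise(service, merchant, customer_id, device_id, amount):
    """Checkout with a saved card: merchant sends the token, the network resolves it."""
    cof = merchant.saved_cards[customer_id]
    try:
        pan, _expiry = service.detokenise(cof.token, merchant.merchant_id, device_id)
    except PermissionError as exc:
        return {"approved": False, "reason": str(exc)}
    # Issuer authorisation would run on the real PAN here; only the outcome is returned.
    return {"approved": True, "amount": amount, "card_last4": pan[-4:]}


if __name__ == "__main__":
    svc, shop_a, shop_b = TokenService(), Merchant("shop-a"), Merchant("shop-b")
    cof = svc.tokenise("4111111111111111", "12/27", "shop-a", "phone-1", afa_passed=True)
    shop_a.save_card("cust-1", cof)
    shop_b.save_card("cust-1", cof)          # token copied to another merchant
    print(authorise(svc, shop_a, "cust-1", "phone-1", 500))   # approved
    print(authorise(svc, shop_b, "cust-1", "phone-1", 500))   # refused
```

The binding check in `detokenise` is the whole point of the scheme: the value a merchant holds is an opaque reference, so a breach of the merchant's database yields nothing usable at any other merchant, and `delete` lets the customer withdraw it without the card being reissued.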
For what kind of transactions will tokenisation apply?
“Tokenisation will be available for all ‘Card Not Present’ transactions, or online transactions,” said Ravi Buttula, head of merchant acquiring solutions at Wibmo. According to the RBI’s norms, tokenisation has to be done based on customer consent, to be validated through an additional factor authentication. The same bank and card network can do the tokenisation, or even de-tokenise the details based on customer request.
How will customers be impacted?
At present, while shopping online your card data is stored on the merchant website, and the next time you simply choose the card, enter the CVV number and authenticate the transaction with a one-time password. According to a previous RBI guideline, the merchant website would not have been allowed to store the card data from January 1, which means you would have had to type out the details for every transaction.
What is the problem with the RBI’s Order?
Critics of the RBI’s Order believe that online card transactions are already secure enough since customers need to authenticate transactions through CVV, OTP and other means. Online merchants have also been complaining about the time given by the RBI to comply with its orders, which they believe is too little. This, they argue, will affect their business as customers whose card details are purged may refuse to go through the hassle of having to enter their card details each time they make a purchase. Any failed payments will result in a revenue loss for players across the ecosystem as well as customers.
Customers may also decide not to tokenise their cards and simply opt to switch to cash or other forms of online payment that involve less hassle. The RBI may thus inadvertently push customers away from using cards as a mode of payment. It should be noted that foreign card companies such as Visa and Mastercard have already complained that Indian authorities have been favouring domestic payment methods such as the UPI and RuPay through their policies.
Work that is yet to be done
Beyond PGs (Payment Gateways) and card networks creating tokens, work needs to be completed on two more fronts. One is integrating multiple internal systems for various kinds of payments, including EMIs and recurring payments, to tokenisation. The other is customer education.
All card networks as well as major payment service providers such as Razorpay, PayU, PhonePe and Juspay are ready with their tokenisation products. While major merchants are already prompting customers to tokenise their cards, many smaller merchants and PGs, too, are yet to be fully integrated into the system.
What to expect
With gaps yet to be filled, the industry expects initial disruptions, and a short-term revenue loss as customers may switch to cash payments while they come to terms with the sea change in a process that has been around for years.
Companies are largely expected to comply with RBI’s Order by next year’s deadline.
Please click to read:
- Restriction on storage of actual card data [i.e. Card-on-File (CoF)]
- Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services
- Tokenisation – Card Transactions: Extending the Scope of Permitted Devices
- Tokenisation – Card Transactions
- Guidelines on Regulation of Payment Aggregators and Payment Gateways (Updated as on November 17, 2020)
Source: rbi.org.in, Livemint, Business Standard, Money Control & Business Line.