{"id":4748,"date":"2021-12-23T21:03:00","date_gmt":"2021-12-23T15:33:00","guid":{"rendered":"https:\/\/yourcareerheights.com\/?p=4748"},"modified":"2021-12-24T23:35:52","modified_gmt":"2021-12-24T18:05:52","slug":"rbi-extends-card-tokenisation-deadline-by-six-months-to-june-30-2022-all-you-want-to-know-about-card-tokenisation","status":"publish","type":"post","link":"https:\/\/yourcareerheights.com\/?p=4748","title":{"rendered":"RBI extends card tokenisation deadline by six months to June 30, 2022 – All you want to know about Card Tokenisation"},"content":{"rendered":"
\n
\n\t

\"\"<\/p>\n

\n

The RBI in March last year came up with new rules to enhance the security of online transactions made using debit and credit cards.<\/h3>\n<\/div>\n

Online merchants and financial payments companies have been representing to RBI to extend the deadline saying that they lack the infrastructure necessary to comply with the RBI\u2019s Order by December 31, 2021. In light of various representations, Reserve Bank of India on Thursday 23rd December 2021, extended earlier deadline of <\/em>December 31, 2021<\/em> for\u00a0card tokenisation\u00a0by six months to June 30, 2022.<\/h3>\n

Post June 30, 2022, merchants will not be able to store card information of users and will have to replace each card number with a randomised token number.<\/h3>\n

In light of various representations received from Industry Stakeholders in this regard, RBI has advised under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007) as under :<\/strong><\/em><\/p>\n

    \n
  1. the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged; and<\/strong><\/em><\/li>\n
  2. in addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward \/ loyalty programme, etc.) that currently involves \/ requires storage of CoF data by entities other than card issuers and card networks.<\/strong><\/em><\/li>\n<\/ol>\n
    (RBI\/2021-2022\/142 - CO.DPSS.POLC.No.S-1211\/02-14-003\/2021-22 dt.\u00a0December 23, 2021)<\/pre>\n
    What tokenisation means and how it will affect card users?<\/strong><\/h4>\n
    What is tokenisation?<\/strong><\/p>\n
    In the case of digital transactions, \u201cTokenisation refers to replacement of actual card details with an alternative code called the \u2018Token\u2019, which uniquely combines card, device, token requestor etc.\u201d\u00a0 Credit card tokens are created to protect sensitive data of customers by substituting it with a series of algorithmically generated numbers and letters.<\/strong><\/em><\/p>\n
    Merchants, payment gateways cannot have this data, only an issuer and a network provider are allowed now<\/strong><\/em>.<\/p>\n
    CoFT<\/strong> ( Card-on-File Tokenisation<\/strong><\/em>) replaces card details with a \u2018token\u2019, which will be unique for every debit or credit card and merchant platform where the card is used.<\/p>\n
    In a bid to increase customer safety and prevent fraud,\u00a0RBI guidelines for payment aggregators (PA) and payment gateways (PG)<\/a> state that PAs and merchants shall not store card credentials of customers in their database starting January 1, 2022. This date is extended to 30th June 2022. RBI\u00a0wanted to put an end to the practice of online merchants storing the card details of customers, which the Central bank believed could lead to misuse of cards by fraudsters.<\/p>\n
    In the absence of an alternative such as CoF Tokenisation, customers who wish to use their credit or debit cards will have to enter their details afresh for each transaction, including their 16-digit card number, card expiry date and card verification value (CVV).<\/p>\n
    How will merchant sites work without card data?<\/strong>
    \n    \"\"<\/a>Generally, this is how it works: When the bank and card network receive a debit request from a payment gateway, they approve based on the customer\u2019s input on the merchant site. Mandar Agashe, founder, vice-chairman, and managing director, Sarvatra Technologies. explained that it is not the card on file (CoF), or saved card details, that is used to complete a transaction, a token is used instead. At the back-end, the token will be replaced with card data, for the transaction to go through. \u201cYou can\u2019t just use the token anywhere. It is specific for that consumer, that merchant, and that card,\u201d said Agashe.<\/p>\n
    How does this enhance the security of online transactions?<\/strong>
    \nInformation like credit card number, address, account number, can be easily misused if it falls into the wrong hands. However, with tokenisation, merchants can move data between networks without actually exposing such information.<\/p>\n
    CoFT refers to the replacement of actual card details with a code called a \u2018token\u2019, which will be unique for every debit or credit card and merchant platform where the card is being used<\/strong><\/em>.<\/p>\n
    For what kind of transactions will tokenisation apply?<\/strong>
    \n\u201cTokenisation will be available for all \u2018Card Not Present\u2019 transactions, or online transactions,\u201d said Ravi Buttula, head of merchant acquiring solutions at Wibmo. According to the RBI\u2019s norms, tokenisation has to be done based on customer consent, to be validated through an additional factor authentication. The same bank and card network can do the tokenisation, or even de-tokenise the details based on customer request.<\/em><\/p>\n
    How will customers be impacted?<\/strong>
    \nAt present, while shopping online your card data is stored on the merchant website, and the next time you simply choose the card, enter the CVV number and authenticate the transaction with a one-time password. According to a previous\u00a0RBI\u00a0guideline, the merchant website will not be allowed to store the card data from January 1. Which means you would have had to type out the details for every transaction.<\/strong><\/em><\/p>\n
    What is the problem with the RBI\u2019s Order?<\/strong><\/p>\n
    Critics of the RBI\u2019s Order believe that online card transactions are already secure enough since customers need to authenticate transactions through CVV, OTP and other means. Online merchants have also been complaining about the time given by the RBI to comply with its orders, which they believe is too little. This, they argue, will affect their business as customers whose card details are purged may refuse to go through the hassle of having to enter their card details each time they make a purchase. Any failed payments will result in a revenue loss for players across the ecosystem as well as customers.<\/p>\n
    Customers may also decide not to tokenise their cards and simply opt to switch to cash or other forms of online payment that involve less hassle. The RBI may thus inadvertently push customers away from using cards as a mode of payment. It should be noted that foreign card companies such as Visa and Mastercard have already complained that Indian authorities have been favouring domestic payment methods such as the UPI and RuPay through their policies.<\/p>\n
    Work that is yet to be done<\/strong><\/p>\n
    Beyond PGs (Payment Gateways) and card networks creating tokens, work needs to be completed on two more fronts. One is integrating multiple internal systems for various kinds of payments, including EMIs and recurring payments, to tokenisation. The other is customer education.<\/p>\n
    All card networks as well as major payment service providers such as\u00a0Razorpay<\/a>,\u00a0PayU<\/a>,\u00a0PhonePe<\/a> and Juspay are ready with their tokenisation products.\u00a0While major merchants are already prompting customers to tokenise their cards, many smaller merchants and PGs, too, are yet to be fully integrated into the system.<\/p>\n
    What to expect<\/strong><\/p>\n
    With gaps yet to be filled, the industry expects initial disruptions, and a short-term revenue loss as customers may switch to cash payments while they come to terms with the sea change in a process that has been around for years.<\/p>\n
    Companies are largely expected to comply with RBI\u2019s Order by next year\u2019s deadline<\/em>.<\/p>\n
    Please click to read :\u00a0Restriction on storage of actual card data [i.e. Card-on-File (CoF)]\u00a0<\/a>
    \n    Tokenisation \u2013 Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services<\/a>
    \n    Tokenisation \u2013 Card Transactions : Extending the Scope of Permitted Devices <\/a>;
    \n    Tokenisation \u2013 Card transactions<\/a> &
    \n    Guidelines on Regulation of Payment Aggregators and Payment Gateways (Updated as on November 17, 2020)<\/a><\/p>\n
    Source: rbi.org.in. Livemint, Business Standard, Money Control & Business Line.<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"
    Reserve Bank of India on Thurday extended card tokenisation deadline by six months to June 30, 2022. The earlier deadline was December 31, 2021. Post June 30, 2022, merchants will not be able to store card information of users and will have to replace each card number with a randomised token number.  <\/p>\n","protected":false},"author":1,"featured_media":4750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1004,1003,38,1044,220,221,71,45],"tags":[1045,40],"class_list":["post-4748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-account-aggregator","category-account-aggregator-system","category-banking","category-card-tokenisation","category-cashless-economy","category-digital-banking","category-payment-systems","category-rbi","tag-card-tokenisation","tag-rbi"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/yourcareerheights.com\/wp-content\/uploads\/2021\/12\/Card-tokenization.png?fit=2236%2C884&ssl=1","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/posts\/4748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4748"}],"version-history":[{"count":5,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/posts\/4748\/revisions"}],"predecessor-version":[{"id":4755,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/posts\/4748\/revisions\/4755"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=\/wp\/v2\/media\/4750"}],"wp:attachment":[{"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yourcareerheights.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}