Online transactions using debit and credit cards are not only convenient but also save a lot of time. While non-cash transactions simplify processes, they also make you vulnerable to fraud. To keep your transactions secure, the Reserve Bank of India (RBI) has made tokenisation of card transactions mandatory from next year.
“With effect from January 1, 2022, no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data. Any such data stored previously shall be purged,” RBI said in its circular.
What is tokenisation?
Tokenisation refers to the replacement of actual card details with a unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and device (hereafter referred to as the “identified device”).
What happens now?
When you shop on an e-commerce site for the first time, you are asked to enter your 16-digit debit/credit card number and then the CVV. However, when you buy another item from the same portal, you see that your card number is already stored on the website: you only have to enter your CVV, after which the bank generates an OTP to complete the purchase.
How will customers benefit from RBI’s new rule?
Many merchants and e-commerce entities store customers' debit and credit card details, which increases the risk of card data being stolen. With RBI allowing tokenisation of cards from 1 January 2022, storing the actual card data while making payments can be avoided.
What happens after tokenisation?
Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of the original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out from the token and vice versa, by anyone except the card network. The integrity of the token generation process shall be ensured at all times.
The actual card data, token and other relevant details shall be stored in a secure mode. Token requestors shall not store PAN or any other card detail.
How can customers register for tokenisation?
Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of check box, radio button, etc.
AFA validation during card registration, as well as for authenticating any transaction, shall be as per extant Reserve Bank instructions for authentication of card transactions.
Customers shall have the option to register / de-register their card for a particular use case, i.e., contactless, QR code-based, in-app payments, etc.
Customers shall be given the option to set and modify per transaction and daily transaction limits for tokenised card transactions.
Card issuers / card networks may also put in place limits on the number of such tokenised card transactions allowed in a day / week / month, as considered appropriate.
How secure will it be?
Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured. Card issuers shall ensure easy access to customers for reporting a loss of “identified device” or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys.
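As an added illustration of the roles described above (it is not part of the RBI circular or of this article), the following Python model shows the card network acting as the sole token vault, a token requestor that keeps only the token, AFA-gated registration, a customer-set per-transaction limit, and de-activation of the tokens bound to a lost identified device. The class names and the sample card number are constructed for the example.

```python
import secrets


class CardNetwork:
    """Constructed model of the authorised card network, the only party that
    can map a token back to the Primary Account Number (de-tokenisation)."""

    def __init__(self):
        self._vault = {}  # token -> [pan, requestor_id, device_id, active]

    def tokenise(self, pan, requestor_id, device_id):
        # Random token: the PAN cannot be derived from it, and every
        # (card, requestor, device) combination gets a distinct value.
        token = secrets.token_hex(8)
        self._vault[token] = [pan, requestor_id, device_id, True]
        return token

    def detokenise(self, token):
        entry = self._vault.get(token)
        if entry is None or not entry[3]:
            raise PermissionError("unknown or de-activated token")
        return entry[0]

    def deactivate_device(self, requestor_id, device_id):
        # Customer reported the identified device lost: invalidate its tokens.
        hits = [e for e in self._vault.values()
                if e[1] == requestor_id and e[2] == device_id and e[3]]
        for e in hits:
            e[3] = False
        return len(hits)


class TokenRequestor:
    """Merchant or wallet app: stores the token only, never the PAN."""
    def __init__(self, requestor_id, network):
        self.requestor_id, self.network = requestor_id, network
        self.tokens = {}     # device_id -> token
        self.txn_limit = {}  # device_id -> per-transaction limit set by customer

    def register_card(self, pan, device_id, afa_passed, limit):
        if not afa_passed:  # explicit consent via AFA, never a default opt-in
            raise PermissionError("explicit AFA consent required")
        self.tokens[device_id] = self.network.tokenise(pan, self.requestor_id, device_id)
        self.txn_limit[device_id] = limit
        return self.tokens[device_id]

    def pay(self, device_id, amount):
        if amount > self.txn_limit[device_id]:
            return "declined: over customer limit"
        pan = self.network.detokenise(self.tokens[device_id])  # network side only
        return "authorised on card ending " + pan[-4:]
```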
The new RBI norm extends to every device that connects with the internet — mobile phones, tablets, laptops, desktops, wearables (wristwatches, bands, etc.), Internet of Things (IoT) devices, etc.