To make online payments safer and more secure, the Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove sensitive customer card data stored on their end and to use encrypted tokens instead for carrying out transactions. The new rule will come into effect from January 1, 2022.
Banks have started to inform their customers of the changes. “Effective January 1, 22! Your HDFC bank card details saved on the merchant website / app will be deleted by merchants in accordance with the RBI Mandate for Stronger Card Security. To pay every time, enter full card details or opt for tokenization,” is a text message HDFC Bank has been sending to customers since last week.
What did RBI say?
RBI issued guidelines in March 2020 stating that merchants will not be allowed to save card information on their websites to strengthen data security. It released new guidelines in September 2021 giving businesses until the end of the year to comply with regulations and giving them the option to tokenize.
The RBI had ordered all Indian businesses to purge stored credit and debit card data from their systems as of January 1, 2022.
What is tokenization?
When you use your debit or credit card for a transaction, the execution of the transaction is based on information such as the 16-digit card number, the card expiration date and the CVV, as well as the one-time password (OTP) or transaction PIN. A transaction is only successful if all of these variables are entered correctly for that specific transaction. Tokenization refers to replacing the actual details of the card with a unique alternate code called a “token”. This token is unique for each combination of card, token requestor, and device.
What will change from January 1, 2022?
From January, when you make the first payment to a merchant, you will need to give them your consent with an additional authentication factor (AFA). Once done, you will complete the payment by entering your card’s CVV and OTP.
What cardholders need to do starting next month
- You start a purchase from a merchant.
- The merchant initiates the tokenization by asking for your consent to tokenize the card.
- Once you have given your consent, it sends a tokenization request to the card network.
- The card network creates a token as a proxy of the card number and sends it back to the merchant.
- To make a payment to another merchant or from another card, the tokenization has to be redone.
- The merchant saves the token for subsequent transactions.
- You approve transactions with CVV and OTP.
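The flow in the steps above, as an added Python sketch that is not part of the original article and not any card network's actual implementation: a toy vault issues a random token bound to the card, token requestor and device, and the merchant keeps only that token. The class names, the hex token format and the sample card number are assumptions made for illustration.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for the card network's token vault (hypothetical, not a real API)."""
    def __init__(self):
        self._by_binding = {}  # (card number, requestor, device) -> token
        self._by_token = {}    # token -> (card number, requestor, device)

    def tokenize(self, pan, requestor, device, consent):
        # The merchant must have obtained the cardholder's consent first.
        if not consent:
            raise PermissionError("cardholder consent required")
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            # Random surrogate value: it cannot be reversed into the card number.
            token = secrets.token_hex(8)
            while token in self._by_token:
                token = secrets.token_hex(8)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def detokenize(self, token, requestor, device):
        # Only the requestor and device the token was issued to may use it.
        record = self._by_token.get(token)
        if record is None or record[1:] != (requestor, device):
            raise PermissionError("token not valid for this requestor/device")
        return record[0]

class Merchant:
    """The merchant keeps only the token on file, never the card number."""
    def __init__(self, name):
        self.name, self.saved = name, {}

    def save_card(self, vault, customer, pan, device, consent):
        self.saved[customer] = vault.tokenize(pan, self.name, device, consent)
        return self.saved[customer]

def demo():
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed sample number, not a real card
    shop_a, shop_b = Merchant("shop-a"), Merchant("shop-b")
    tok_a = shop_a.save_card(vault, "alice", pan, "phone-1", consent=True)
    tok_b = shop_b.save_card(vault, "alice", pan, "phone-1", consent=True)
    try:  # a token copied out of shop-a's records, presented by shop-b
        vault.detokenize(tok_a, "shop-b", "phone-1")
        leaked_token_usable = True
    except PermissionError:
        leaked_token_usable = False
    return tok_a, tok_b, leaked_token_usable

if __name__ == "__main__":
    print(demo())
```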
Is the tokenization of the card secure?
When card details are saved in an encrypted manner, the risk of fraud or data compromise is reduced. To put it simply, your risk is reduced when you share your debit / credit card details in the form of a token.
“In fact, some merchants require their customers to store card details. Having these details available to a large number of merchants greatly increases the risk of card data theft. In the recent past, there have been incidents where card data stored by some merchants has been compromised / leaked. Any CoF data leak can have serious repercussions as many jurisdictions do not require AFA for card transactions. Stolen card data can also be used to perpetrate fraud in India through social engineering techniques,” RBI said in its statement.
The initiative is expected to make card transactions safer, more secure and convenient for users.
No need to memorize 16-digit debit, credit card numbers
The central bank had said there would be no obligation to enter card details for every transaction under the tokenization deal.
“Contrary to some concerns expressed in some sections of the media, it would not be mandatory to enter card details for every transaction as part of the tokenization deal. The Reserve Bank’s efforts to deepen digital payments by India and making these payments safe and efficient will continue,” the RBI statement noted.