Under the new rules, customers will have to enter their credit/debit card details every time they make an online transaction, or they can opt for tokenisation.
In order to make online payment more secure and to enhance debit/credit card security, the Reserve Bank of India (RBI) has asked online merchants and payment gateways to erase sensitive data of customers saved on their end. Under the new rules, which come into effect from 1 January 2022, merchants have to use encrypted tokens to carry out the transaction.
This means that customers will have to enter their credit/debit card details every time they make an online transaction, or they can opt for tokenisation. With the date approaching, banks have started notifying their customers about the RBI’s new guidelines.
What does the new rule say?
In March last year, the RBI issued new guidelines to enhance data security for customers. As per the guidelines, merchants were restricted from saving credit/debit card information on their websites. In September this year, the regulatory body issued a fresh notice and ordered all companies in India to implement the guidelines and purge saved debit/credit card data from their systems from 1 January 2022. The RBI also offered companies the option to tokenise online transactions.
What is tokenisation?
When a debit/credit card is used to make an online transaction, the execution of the transaction is based on information such as the 16-digit card number, the CVV, and the card expiry date, along with the One Time Password (OTP). For a successful transaction, it is mandatory to enter the above-mentioned information correctly.
In tokenisation, by contrast, the actual card details are replaced with a unique alternate code known as a ‘token’. There will be a new token for each combination of card, device, and token requestor. The tokenisation process will lead to the customer’s card details being kept in a secure manner, with merchants being unaware of the complete account details of the user.
What will the new rules entail?
After making the first payment with any merchant, customers have to provide their consent with an additional factor of authentication (AFA). After completing the AFA, customers can proceed with the payment by entering their card’s CVV and OTP.
The tokenisation will work in the following way:
- When you begin a purchase with a merchant, the merchant begins tokenisation by requesting the customer’s consent to tokenise their debit/credit card.
- After the customer’s approval, the merchant sends a tokenisation request to the card network.
- The card network then creates a 16-digit token for the particular card number and sends it back to the merchant.
- The merchant saves the token for future transactions.
- The customer has to approve the transaction with the OTP and CVV number.
- Customers will have to follow the whole procedure again to make a payment to a different merchant or from a different card.
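The steps above can be modelled in a few lines. The following is an added example, not code from the RBI or any card network: the class and function names, the device and merchant identifiers, and the rule that the network rejects a token presented by a different requestor are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets


class CardNetworkVault:
    """Hypothetical stand-in for the card network's token service."""

    def __init__(self):
        self._token_by_binding = {}   # (card, device, requestor) -> token
        self._binding_by_token = {}   # token -> (card, device, requestor)

    def tokenise(self, card_number, device_id, requestor_id, consent):
        # No token is issued without the customer's consent.
        if not consent:
            raise PermissionError("customer consent required")
        binding = (card_number, device_id, requestor_id)
        if binding in self._token_by_binding:
            return self._token_by_binding[binding]
        # Random 16-digit token with no mathematical link to the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card_number and token not in self._binding_by_token:
                break
        self._token_by_binding[binding] = token
        self._binding_by_token[token] = binding
        return token

    def authorise(self, token, device_id, requestor_id, otp_ok, cvv_ok):
        # Assumed rule: a token is honoured only for the combination it was
        # issued to, and the customer still approves with OTP and CVV.
        binding = self._binding_by_token.get(token)
        if binding is None:
            return False
        _, bound_device, bound_requestor = binding
        return (bound_device == device_id and bound_requestor == requestor_id
                and otp_ok and cvv_ok)


def demo():
    vault = CardNetworkVault()
    card = "4111111111111111"  # constructed test number, not a real card
    tok_a = vault.tokenise(card, "phone-1", "merchant-a", consent=True)
    tok_b = vault.tokenise(card, "phone-1", "merchant-b", consent=True)
    merchant_a_db = {"customer-42": tok_a}  # the merchant stores only the token
    return {
        "tokens_differ": tok_a != tok_b,
        "own_token_ok": vault.authorise(tok_a, "phone-1", "merchant-a", True, True),
        "used_elsewhere_ok": vault.authorise(tok_a, "phone-1", "merchant-b", True, True),
        "no_otp_ok": vault.authorise(tok_a, "phone-1", "merchant-a", False, True),
        "card_in_merchant_db": card in merchant_a_db.values(),
    }
```

A breach of `merchant_a_db` in this model exposes only a token that is useless to any other requestor, which is the security property the tokenisation rule is aiming for.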