In what the RBI has described as a step towards making online payments safer and more secure, no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data. Any such data stored previously shall be purged.
All the associated entities have been asked to remove sensitive customer data on debit and credit cards saved on their end, and instead, use encrypted tokens to carry out transactions w.e.f. January 1, 2022.
To work towards the same, banks, credit card issuers, payment gateways and merchants have started informing their customers about the changes. As per the communication from them, consumers are being informed that their saved card details will get deleted by the merchants effective January 1, 2022. To pay each time next month onwards, you would either need to enter full card details or opt for tokenization. The tokenization of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA).
This is not a sudden announcement by the RBI. In March 2020, the RBI had issued guidelines stating that in order to boost data security, merchants will not be allowed to save card information on their websites/apps. Then later in September 2021, RBI issued fresh guidelines giving the companies a deadline until the end of the year 2021 to comply with the regulations and offering them the option to tokenize.
Tokenization refers to the replacement of actual card details with a unique alternate code called a token, which is unique for each combination of card, device and token requester. So, w.e.f. January 1, 2022, you would either have to fill in all the card details like the 16-digit card number, expiry date and CVV or opt for tokenization.
For the latter, the merchant would initiate the tokenization for a particular purchase on your card by asking for your consent to tokenize the card. Once you give your consent, the merchant sends a tokenization request to the card network, which then creates a token as a proxy to the card number and sends it back to the merchant. One token is limited to just one card and one merchant. This means that the next time you need to pay a different merchant or use a different card, tokenization has to be done again.
When your card details are saved in an encrypted manner through tokenization, the risk of fraud or compromised data gets reduced to a great extent.
As per RBI's press release, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen.
In the recent past, there were incidents where card data stored by some merchants has been compromised/leaked. Any leakage of card-on-file (CoF) data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
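The sketch below is an added illustration, not code from the RBI, any card network or CRED. It models the flow described above from the card network's side and shows why a token copied from one merchant's database does not resolve at another. The class name, the merchant and device identifiers, the random hex token format and the test card number are all assumptions made for the example.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a standard test number, not a real card


class CardNetworkVault:
    """Hypothetical card-network token vault; only this side ever holds the card number."""

    def __init__(self):
        self._token_by_binding = {}  # (pan, requester, device) -> token
        self._binding_by_token = {}  # token -> (pan, requester, device)

    def tokenize(self, pan, requester, device, consent, afa_passed):
        # Tokenization needs explicit customer consent plus AFA.
        if not (consent and afa_passed):
            raise PermissionError("explicit consent and AFA are required")
        binding = (pan, requester, device)
        if binding not in self._token_by_binding:
            # Assumption: the token is random, so it cannot be reversed into the card number.
            token = secrets.token_hex(8)
            self._token_by_binding[binding] = token
            self._binding_by_token[token] = binding
        return self._token_by_binding[binding]

    def detokenize(self, token, requester, device):
        # A token resolves only for the requester and device it was issued to.
        binding = self._binding_by_token.get(token)
        if binding is None or binding[1:] != (requester, device):
            raise PermissionError("token not valid for this requester/device")
        return binding[0]


def stolen_token_usable(vault, token, requester, device):
    """Return True if a token presented by (requester, device) resolves to a card."""
    try:
        vault.detokenize(token, requester, device)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = CardNetworkVault()
    t_a = vault.tokenize(TEST_PAN, "merchant-a", "phone-1", consent=True, afa_passed=True)
    t_b = vault.tokenize(TEST_PAN, "merchant-b", "phone-1", consent=True, afa_passed=True)
    print("merchant-a stores:", t_a, "| merchant-b stores:", t_b)
    print("token A replayed at merchant-b works?",
          stolen_token_usable(vault, t_a, "merchant-b", "phone-1"))
```

The merchant's database holds only the token, so a leak there exposes a value that is bound to that one merchant rather than a card number that works everywhere.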