New credit, debit card rules: Tokenisation extended by 6 months
New Delhi, Dec 23: The Reserve Bank of India has extended the card on file tokenisation deadline by six months. The new rules for credit and debit cards will come into effect from June 30 2022.
"In light of various representations received in this regard, we advise...the timeline for storing of CoF data is extended by six months, ie., till June 30, 2022 and post this, such data shall be purged," RBI said in a notification.
"Industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks," the RBU also said.
These rules were to come into effect starting January 1 2022. One of the rules says that merchants cannot store card number, CVV and expiry dates while processing online transactions.
In order to enhance security of online transactions merchants such as Amazon, Flipkart an Tomato have been asked to delete card information stores earlier.
Further RBI has allowed Visa, RuPay and Mastercard to issue tokens on request on behalf of the card issuing bank and companies. This system is called tokenisation.
Card tokenisation replaces card details by a unique code or token allowing purchases to take place without important and sensitive details are not exposed.
This is a not a new concept and the concept is being used by the United Payment Interface (UPI). It is considered to be one of the safest online payment systems. This would hugely benefit customers who shop online. The RBI told the merchants to create a token reference number against each token.
If a fraud is detected the same token cannot be used again and users will have to request for a new token. Tokenisation would work only for domestic transactions. In this case customers will not have to remember the token number which will be a 16 digit number as is the case for credit and debit cards.
In fact the user will not know the token details.
The tokens will be issued by the card networks and they will inform the issuing banks about the same. Moreover the token will be merchant specific. If a consumer has one token and he or she shops from three different merchants, then three different tokens will be issued.
In case a customer does not have a token then he or she will have to enter the card details every time to shop. A portal will be created for card holders and they will be able to delete tokens.