Debit, Credit Card Tokenisation: The Reserve Bank of India or the RBI, being thhe central bank of the country, is in charge of protecting the security of all citizens in India who carry out bank transactions. With an aim to protect the security of customers, the RBI last year issued tokenisation guidelines whereby merchants were prohibited from storing the data of customers’ cards on their servers with effect. The central bank mandated the adoption of card-on-file (CoF) tokenisation applicable to domestic online purchases. The deadline of the countrywide adoption to card tokenisation was extended by six months from January 1 to July 1 2022, to ensure a smooth shift from the current situation.
What is Debit Card, Credit Card Tokenisation?
With the new rule, online merchants cannot store your card data, but only your bank and card provider will be able to access it. Under this, a card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
This means that when you start purchase of an item with a merchant, the merchant will initiate tokenisation. It will ask for your consent to tokenise your card. Once you give consent, the merchant will send a tokenisation request to the card network. The card network will then create a token, which will act as a proxy to your 16-digit card number, and send it back to the merchant. The merchant will save this token for future transactions. You will also have to enter your CVV and OTP like before to approve transaction. If you want to use another card, the same process is to be followed again.
However, this process is not mandatory and a customer can choose whether or not to let his / her card tokenised. In that case, the customer will have to re-enter all card details while purchasing anything online.
RBI Card Tokenisation: A Timeline
Earlier, the RBI had said that the new card tokenisation rule will be applicable from January 1, 2022 onwards. However, after receiving requests from merchants, it extended the date by six months, saying that it will come into effect from July 1. “In light of various representations received in this regard, we advise…the timeline for storing of card on file (CoF) data is extended by six months till June 30, 2022; post this, such data shall be purged,” it said.
Following this, the payment merchants have started sending notifications to customers regarding card tokenisation as the deadline approaches. In a press conference after its June MPC meet announcement, RBI deputy governor T Rabi Sankar said that the country’s payment ecosystem was ready to implement the move.
“With the weeks to go for meeting the tokenisation deadline, progress has been satisfactory. About 16 crore tokens have already been created, this will pick up nearer to the deadline. Over the last several months our teams have been constantly discussing with all stakeholders to ensure that the process of tokenization is implemented smoothly,” said Rabi Sankar at a press conference after the RBI MPC meet decision announcement on Wednesday.
“I really don’t think there is any need to speculate on whether or not the timeline will be extended. There are a few collateral issues that have come to our notice, which we will adjust as we go. These are new issues that crop up every time you shift a regime,” Rabi Sankar told reporters.
What is Going to Happen from July 1?
Post June 30, that is from July 1, credit and debit card data available with payment merchants will be purged, the RBI said. This means that customers will have to re enter their card details every time they want to purchase something online, if they have not consented to card tokenisation. If a customer agrees to do card tokenisation, on the other hand, he or she will be required to explicitly do it and enter just the CVV and OTP details while making a transaction.