In order to improve the security and safety of online transactions processed via Debit/Credit Cards, the Reserve Bank of India has introduced new rules under which online merchants and payment gateways will have to erase sensitive customer data saved on their end. Moreover, merchants will have to use encrypted tokens to carry out the transaction. To get into details, here are the top 10 things you should know about the new rules introduced by RBI for online card transactions:
When did RBI first introduce guidelines to prevent storing card details?
Back in March 2020, RBI issued guidelines which restricted merchants from saving customers’ card details in order to boost security. Then in September this year, the regulatory body further enhanced its guidelines on card tokenisation services and said, “With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged”.
What was the need to introduce such guidelines?
RBI believes that over the years, the volume and value of transactions made through cards have increased manifold. To improve user convenience and increase the security of card transactions, such guidelines need to be introduced so as to provide a more secure experience.
What do the new rules state and when are they coming into effect?
If you often visit e-commerce sites for shopping or for ordering food, you might no longer be able to just dash through your transactions because, as per the new rules, users will not be able to save any card details on any e-commerce platform such as Amazon or Flipkart, or on any online delivery service such as Swiggy, Zomato, etc. Every time a user wants to carry out a transaction, he/she will have to enter the card details.
Moreover, if you have a credit card, it doesn’t mean you are lucky, as the new RBI guidelines must be implemented by companies for both credit and debit cards, meaning you will have to enter the details for all types of cards and not just debit cards. The new rules by RBI apply only to domestic cards and transactions, not to international transactions.
RBI’s new notification states that the timeline for storing the card details has been extended by six months. This means that the rules, which were earlier to be implemented on 1st January 2022, will now come into effect from July 1, 2022.
Is there a workaround if one wants to save the card details?
Fortunately, there is a workaround with which one will be able to save cards on the service. If users don’t want to enter the details each time, they can allow the service to save the card, in which case the e-commerce company will “tokenise” it.
Here, tokenisation refers to the process where your card network generates a 16-digit token for your card upon the request of the e-commerce service. This 16-digit code is then sent to the e-commerce service so that it can store it and use it for future transactions. This code will be unique to each card, and this way your card details aren’t exposed while a transaction takes place.
After tokenisation of the card, users will have to verify the card using CVV and OTP as they currently do. Further, tokenisation is currently available only for Mastercard and Visa-issued cards. Tokenisation of a card isn’t mandatory, as a customer can choose not to save the card. Moreover, there’s no charge or fee involved for tokenisation. For those who choose to save the details, e-commerce sites will show the last four digits of the cards that have been saved by the user for easy identification.
Are there any Pros and Cons to the new guidelines?
Every new set of guidelines introduced by the RBI has had Pros and Cons in the past, and these new rules for card transactions have them too. While the Pros obviously include a more secure experience while initiating online transactions, as your card details will no longer be exposed to a service, the cons include the hassle of having to enter the card details on every site once again starting next year.
Another added security feature of tokens is that they are irreversible and can’t be traced back to their original data unless they are matched with additional data. This means that even if the servers of the service are hacked and these tokens are leaked, customers’ card details will not be revealed. It also takes away the pressure from e-commerce companies to safeguard users’ sensitive card details.
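The flow described above can be sketched in a few lines of Python. This is an added illustration, not code from RBI, any card network or any merchant: `CardNetworkVault`, `Merchant` and their methods are hypothetical names, the card number is a constructed test value, and binding each token to the merchant that requested it is an assumption made for the sketch.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for the card network's token vault (hypothetical)."""

    def __init__(self):
        self._by_token = {}  # token -> (merchant_id, card_number); network-side only
        self._by_card = {}   # (merchant_id, card_number) -> token

    def tokenise(self, merchant_id, card_number):
        key = (merchant_id, card_number)
        if key in self._by_card:          # same card, same merchant: reuse the token
            return self._by_card[key]
        while True:
            # Random digits, not derived from the card number, so the token
            # alone cannot be reversed.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != card_number and token not in self._by_token:
                break
        self._by_token[token] = key
        self._by_card[key] = token
        return token

    def authorise(self, merchant_id, token, amount):
        # Only the vault can map a token back to a card, and (assumption) only
        # for the merchant that requested it.
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            return "declined"
        return "forwarded to issuer"      # CVV/OTP step omitted in this sketch

class Merchant:
    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.saved_cards = []             # everything a breach of this site exposes

    def save_card(self, card_number):
        token = self.vault.tokenise(self.merchant_id, card_number)
        record = {"token": token, "last4": card_number[-4:]}
        if record not in self.saved_cards:
            self.saved_cards.append(record)
        return record

    def pay(self, record, amount):
        return self.vault.authorise(self.merchant_id, record["token"], amount)

TEST_CARD = "4111111111111111"  # constructed test number, not a real card
```

The merchant's `saved_cards` list holds only the token and the last four digits, which is all a breach of that site would expose; the mapping back to the card exists only inside the vault.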
What are the Netizens and other services saying?
Netizens have been criticising RBI, not for the move but because of the deadline getting extended by 6 months. One of the users states that the common people have to fight for their matters while for companies, such an extension is given even before the companies request it. People are also complaining of the RUPAY card network not being supported for tokenisation as of now.
Further, people have already been complaining regarding RBI’s earlier mandate which broke recurring payments for subscriptions and didn’t allow the services to automatically renew the subscription. Because of this, a bunch of services including Netflix, Apple Music, Prime Video, etc. stopped auto-renewing subscriptions for users, which has become a headache for many.
As for other services, Paytm has responded that the Paytm Payment Gateway has already partnered with a host of network providers such as Visa, MasterCard, etc, and online businesses can rely on it to provide their customers with a smooth tokenisation experience. “RBI’s directive is a healthy development for the industry as it boosts confidence in online shoppers to make digital payments without any fear”, it said.
Further, The Alliance of Digital India Foundation (ADIF) also welcomed the move by RBI stating that it should ensure readiness across all banks in a timely manner. “We also call upon the RBI to take steps to ensure readiness across all banks. Should bank readiness not come through in a timely and robust manner, we stand the risk of finding ourselves in the same predicament again in June as now,” said Sijo Kuruvilla George, Executive Director, ADIF.
In our opinion, this was a move that was much needed to secure and protect consumers from online frauds, especially if a service gets hacked. The recent case of the Mobikwik hack, where apparently card details of millions were leaked, shows how important it is to provide a safe experience while dealing online. With tokenisation, even if the service gets hacked, the card details of the end consumer remain safe and this is what has been needed all this while.