New RBI guidelines for credit and debit card tokenization

Know all about credit and debit card tokenization rules

The Reserve Bank of India (RBI) has asked all payment gateways and merchants to remove customer-sensitive data on cards in their databases and use encrypted tokens to complete transactions. This new rule which will come in place from January 2022, is being implemented with the aim of making online payments more secure. 

Card tokenization: How does it work?

The execution of a card-based transaction for a debit or a credit card depends on details like the 16-digit card number, expiry date, CVV, and the PIN or the OTP. The transaction is completed only when all these details are entered correctly. 

Tokenization refers to the replacement of all the information mentioned above with a unique alternate code known as ‘token.’ This token is unique for each combination of card, device, and token requestor. The token requestor is the one who will accept the request from the customer for card tokenization. After that, he/she will pass the request on to the card network for generating the respective token. 

Here is how it works:

Once a customer enters payment details into a secure payment gateway, like Zaakpay, it collects all the secure information and sends it to the server. The server returns a token corresponding to the financial details to the client, following which the token server sends a response, and the token goes into the merchant’s payment system. The merchant then processes the payment with the token. 

What does the new RBI rule say?

In September 2021, RBI issued the following guidelines pertaining to credit card tokenization and debit card tokenization:

1. From January 1, 2022, no one other than the card issuers and/or card networks will be allowed to store the actual card data in the card transaction/payment chain. The previously stored data, if any, will be purged.
2. For essential purposes such as transaction tracking and/or reconciliation, limited data can be stored. This can include the last few digits of a card number and the card issuer’s name. However, all this will have to be done keeping all the applicable standards in mind. 
3. It is the responsibility of the card networks to check the complete and ongoing compliance with the above by all entities.
4. The RBI has further added that cardholders who wish to make online payments must enter the card details every time they make a payment or tokenize it.  

What do you need to do from January 2022?

From January onwards, when you are making an online payment via payment gateways like Zaakpay to any merchant, you will need to provide them with your consent with an additional factor of authentication (AFA). After that, you can complete the transaction by adding your card’s CVV and OTP.

Here is a highlight of what will follow for cardholders:

• Make a purchase with the vendor
• After asking for your permission for the same, the merchant starts tokenization.
• Once you approve, it sends a request to the card network. 
• The card network creates an alternate token to the card number and sends it back to the merchant. 
• The same process has to be repeated while making payment from a different card and/or to a different merchant. 
• The merchant saves the token for further transactions.
• Transactions can be approved with CVV and OTP.

Are new tokenization rules safe?

To sum it up simply – Yes. The new merchant tokenization rules are safe. When all the card details are saved in an encrypted manner, it significantly reduces the chances of fraud. 

There have been incidences where card data stored by merchants would leak or be stolen in the past. Little could be done to prevent this, and card details often ended up in the wrong hands. However, card detail safety will be even tighter with the new card on file tokenization rules. 

How will it benefit users?

Indian payment gateways like Zaakpay have already raised the standards of online payment security and convenience. With tokenization coming in, chances of online payment fraud will be reduced to almost nil as it is more than a security fix. It creates a smooth payment experience for customers. Businesses and customers alike can reap the following benefits:

1. Fewer chances of fraud- There is a lot of wealth in payment information. Hence it is no surprise that hackers target businesses that accept credit and debit cards. They either sell the information or use it themselves to make fraudulent purchases. Data breach costs around $3.8 million on average. 

Card tokenization helps prevent data theft. Even in case of a breach, there is no data to steal, and the tokens are worthless to fraudsters. As a result, card users do not have to worry about the safety of their financial details, and ultimately their finances. 

2. Subscription for billing and periodic payments- Customers can choose to save their billing information for their next automatic payment without the drawback of keeping all their financial information stored on file. This means you can have an uninterrupted service. 

3. One-click checkouts- One-click checkout using tokenization means customers have a quick and hassle-free experience with online buying. Customers go through the checkout process by providing fewer details to complete the transaction. 

4. Ease of trusting vendors- Merchant tokenization ensures that the merchant complies with PCI DSS. It helps keep data secure, and you as a user can trust merchants easily with your payments. 

Conclusion

Tokenization payment is being adopted for one primary reason: to enhance financial security while making online payments. This is a key step for a country like India, where the economy is primarily cash-based, and people have a hard time transitioning from cash to cashless payments. Additional security can provide customers the exact boost they need for switching to online payments. The choice for users is simple. Either they can opt for tokenization or type out the 16 digit card number to pay online.