RBI's new rule for security of credit, debit card data from October 1 --Know all about Tokenisation of Card Transactions

Tokenisation means the details of your cards such as 16-digit number, names, expiry dates and codes which you used to save earlier for the future payments will now be replaced by a token. The token is used by the merchant`s website for the transaction.

RBI's new rule for security of credit, debit card data from October 1 --Know all about Tokenisation of Card Transactions

New Delhi: In a bid to ensure security of credit, debit card data, the Reserve Bank of India (RBI) has enhanced the scope of tokenisation and permitted card issuers to act as token service providers (TSP). The Central Bank is now all set to bring its card-on-file tokenisation norms into effect from October 1.

What is Tokenisation of Card Transactions?

Under tokenisation services, a unique alternate code is generated to facilitate transactions through cards. Card-on-file refers to card information stored by payment gateway and merchants to process future transactions.

The Reserve Bank of India had a couple of months ago extended the scope of 'tokenisation' card payment services to several consumer devices including laptops, desktops, wearables like wrist watches, bands and Internet of Things (IoT), in addition to mobile phones and tablets.

“The device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well, and card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA)," the RBI had said in a statement.

It said the decision will reinforce the safety and security of card data while continuing the convenience in card transactions.

The RBI said that citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details.

Some merchants force their customers for storing card details.

Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/ leaked.

Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions, the RBI said adding that stolen card data can also be used to perpetrate frauds within India through social engineering techniques.

The tokenisation of card data, however, shall be done with explicit customer consent requiring AFA, it added. The RBI said that the CoFT, while improving customer data security, will offer customers the same degree of convenience as now.