Card Tokenization: RBI launches new rules on credit and debit cards For security and privacy reasons, the Reserve Bank of India (RBI) has ordered merchants to ban the storage of customers’ card data on their servers by June 30. The card is required to provide a consistent instruction to the merchant to do card-on-file tokenization and to complete the transaction using the token generated thereby.
In particular, the Reserve Bank had initially set a deadline of January 1 for card-on-file tokenization. It has been extended to July 1 following requests from payment companies and industry bodies that more time is needed to change the technology system to accommodate tokenization.
What is Debit and Credit Card Tokenization?
After the card tokenization takes effect on July 1, no cardholder, except the card issuer and the card network, will have direct access to the customer’s card data. Merchant cannot store customer card data. And they want to hide the data. Under the new rule, the customer will request a token from the apps provided by the merchant. Following the request, the card network will generate a token with the consent of the card issuer, which will be private to all participants involved in the transaction.
This is how it works in a typical online purchase scenario, before starting a transaction, the merchant sets up the tokenization and sends a request for the token to the card network after the customer approves it. The 16-digit number that acts as a proxy for the card number will return to the merchant, who will store this number for all transactions. The customer must specify their CVV and OTP for each transaction. The same process applies to any number of cards used by a single customer
If card tokenization is not mandatory and the customer does not wish to tokenize the card, the same card number must be entered each time purchases are made using the card online.
What will card transactions be like after July 1?
The Reserve Bank of India (RBI) has said that the credit and debit card numbers of merchants will be removed after July 1 and card numbers will no longer be accessible as before. In practice, every time the customer makes an online transaction using the card, the card data must be typed manually unless approval for card tokenization has been given. Customers have advised entering the CVV and OTP number following the card token to complete the transaction for each transaction if they have subscribed to tokenize their card data.