In a move to strengthen customer data protection, India's central bank introduced some changes to the debit and credit card tokenization rules. Under the new norms, online merchants will not be able to store their customers' debit and credit card details from July 1, 2022.
The Reserve Bank of India (RBI) announced debit and credit card tokenization rules last year to provide a safety net for customers who, when opting for any online payment, had to share their debit or credit card details with merchants. Those details were then stored in the merchants' databases by default.
With these new rules, merchants are no longer allowed to store customers’ card data on their servers.
The Reserve Bank of India had made the adoption of card-on-file tokens for domestic online purchases mandatory. At the urging of banks and merchants, the deadline for card token adoption across India was extended by six months, from January 1, 2022, to July 1, 2022.
Now, card data will be stored as an encrypted “token” to facilitate secure transactions for customers. These tokens allow transactions to be carried out without disclosing customer details.
RBI guidelines make it obligatory to replace original card data with an encrypted digital token. So, from the first day of next month, merchants will have to delete debit and credit card data from their records.
Notably, the ‘card tokenization system’ has not been made compulsory.
If a customer does not agree to tokenization of their card, they will have to enter all card details, such as name, card number, and card validity, to carry out each online transaction, instead of simply entering the card verification value (CVV) each time.
Conversely, if a customer agrees to card tokenization, they can complete an online transaction simply by entering the CVV or one-time password (OTP) details.
The tokenization system does not cost even a single rupee. It is free of charge and provides a trouble-free payment experience with data security.
This ‘tokenization’ of cards applies to domestic online transactions only.
The RBI said registration of a card for tokenization should have explicit customer consent through Additional Factor of Authentication (AFA). The merchant cannot force consent or obtain it through default or automatic selection of a checkbox, radio button, etc.