RBI Extends Card Tokenization Deadline
Reserve Bank of India (RBI) extended the deadline to comply with new card storage rules by another six months to June 2022, following requests from industry bodies and other stakeholders. The RBI also said that in addition to tokenization, industry, stakeholders may devise alternative mechanisms to handle any use case that currently involves storage of card data by entities other than card issuers and card networks.
Tokenization refers to replacement of actual credit and debit card details with an alternate code called the "token", which will be unique for a combination of card, token requestor and device. A tokenized card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Customers who do not have tokenization facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
The RBI move caused significant problems for both the customers and business with missed payments and card transactions failures as payment aggregators and payment gateways tweaked their system to be compliant with new rules. Businesses with subscription-based business models that primarily depends on recurring payments by customers for their revenue were particularly affected.
In response to being asked whether card details of a customer are safe after Tokenization, RBI has said on its official website that "Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primarily Account Number (PAN), that is card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to International best practices/globally accepted standards.
The move from the RBI has received mixed reaction. While some people have welcomed the additional security that the tokenization of card details will bring to online payments and transactions, many believe that it adds an unnecessary friction to an otherwise already quite secure mechanism. It is important to know that in India, unlike in many other countries with debit and credit cards can be used for fraud in an easier way, online transactions here are more secure because of the OTP mechanism. In most instances, all credit or debit transactions in India require use of OTP, which provides an additional layer of security to users.