Facing a backlash against proposed curbs on storage of debit and credit card data by digital platforms, the Reserve Bank of India has offered an alternative which reduces inconvenience to customers while ensuring safety of transactions.
In a release on Tuesday, the regulator said it would expand its tokenisation framework to find a middle path between safety and convenience of digital transactions.
Card tokenisation is a service that allows networks to create a unique alternative code or “token” that masks a customer’s actual card details while conducting financial transactions.
While tokenisation was already permitted, its scope has now been expanded.
The framework has been extended to card-on-file tokenisation.
Card issuers can offer these services as token service providers (TSPs).
The facility of tokenisation shall be offered by the TSPs only for the cards issued by or affiliated to them.
The ability to tokenise and de-tokenise card data shall be with the same TSP.
Tokenisation of card data shall be done with explicit customer consent requiring additional factor authentication by the card issuer.
The move will help payment aggregators and merchants offer digital payments without having to store card data.
In its circular, the RBI reiterated that no entity involved in a transaction, other than card issuers and/or card networks, can store any card data, with effect from Jan. 1, 2022. Any such data which is already stored must be purged by the other entities.
“For transaction tracking and/or reconciliation purposes, entities can store last four digits of actual card number and card issuer’s name, in compliance with the applicable standards,” the RBI said, adding that the responsibility for compliance of all entities with these guidelines rests with the card networks.
The RBI’s initial diktat asking merchants to stop storing card information came in March 2020. The deadline for its implementation has been extended a number of times as the industry was unprepared and questions were raised on the inconvenience it would bring to customers.
The regulator explained that its objective continues to be greater security of digital transactions. Any leakage of card-on-file data can have serious repercussions because many jurisdictions do not require additional factor authentication for card transactions. As such, stolen card data can be used to perpetrate frauds, it said.
The regulator also said that, contrary to concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement.