Following several reports of debit or credit cards being misused, the Reserve Bank of India (RBI) is all set to kick in the new guidelines on card tokenisation from October 1, 2022.
Fraudulent use of credit cards is on the rise. Scammers misuse technology to defraud customers. Scammers use the credit card information which is stored on merchant websites for future transactions. In the past, merchant-stored data has occasionally been hacked. RBI warned that stolen data in the hands of criminals could result in unauthorised transactions and consequent financial losses.
RBI took note of several complaints of the customers and took initiative to formulate new guidelines that will safeguard the customers to protect consumers from falling victim to online fraud. The new guidelines will be applicable from October 1, 2022.
Let’s try to understand what card tokenisation is.
Tokenisation, according to the RBI, is the substitution of a token for a customer’s debit or credit card details, such as the 16-digit number, names, expiration dates, and codes, which were previously kept for use in future transactions. The website of a merchant uses the token to complete the transaction. It is the act of replacing a card’s 16-digit number on the plastic card with an original alternate card number, or token. The token will be specific to a given card, token requestor, and device. Each time a customer uses the card.
To get their card tokenised, a cardholder can request the app that the token requestor provides. The card network will then receive the request and, with the card issuer’s permission, will issue a token. The device, the token requestor, and the card combination will all be associated with the token.
Customers who wish to get their cards tokenised can do so without incurring any fees. Card tokenisation can only be done by authorised card networks and organisations that have received RBI approval. The RBI has published guidelines for card tokenization, but customers are free to refuse to follow them. Customers can complete the transaction by manually entering their card information if they do not want their cards to be tokenized.
Since the real card information won’t be shared with the merchant during transaction processing, tokenized card transactions are thought to be safer. The likelihood of card information leakage will be reduced as a result.
The question that now arises is what will occur if there are any problems with the card tokenisation procedure. The cardholder’s complaint can be made to the card issuer if there is a problem, The customer can also file a complaint with the card issuer if the indicated device is lost or if there is any other circumstance that could expose the token to unauthorised usage. There are situations when a card user may choose not to tokenise their card due to perceived risk, just like how they could choose not to conduct a card transaction based on perceived doubt of the card’s authenticity.
Reserve Bank of India took cognisance of the security breach and has issued multiple deadlines to the merchants. The first RBI deadline for tokenizing credit card information was June 30, 2021. But it was extended to December 31, 2021, at the urging of businesses, payment aggregators, card associations, and banks. Once more, the deadline was pushed back six months, to June 30, 2022. The date has now been moved to September 30. We sincerely hope that there is no additional deadline provided to affect its implementation.