New Rules For All Credit/Debit Cards In India Effective From October: Everything You Need To Know
The central bank had previously mandated that all credit and debit card data used in online, point-of-sale, and in-app transactions be tokenised by July. However, the RBI gave a three-month extension, which moved the deadline to September 30.
But why does the RBI want the data tokenised? What does this mean for us? Before anything else, let us nail down what we mean by tokenization.
Tokenization is the process of replacing actual card details with an alternate code called the “token”.
Why do we need it? The answer lies in one word: “safety”. Since the actual card details are not shared with the merchant during the processing of the transaction, the transaction is considered safe.
First, the cardholder requests tokenization on the app provided by the token requestor. The token requestor then forwards this request to the card network, which, with the consent of the card issuer, issues a token corresponding to the combination of the card, the token requestor, and the device.
Now, this may sound like a great deal in the name of safety. A question will pop up in your head: does it cost a dime?
The answer is “no”. The customer need not pay anything to avail of this service.
Tokenization can only be carried out by the authorised card network, and the list of authorised entities is available on the RBI website.
It will be allowed through mobile phones and/or tablets for all use cases/channels (e.g., contactless card transactions, payments through QR codes, apps, etc.).
It is not mandatory for a customer to tokenise his card. This decision is at the sole discretion of the end user. If one does not want to avail of it, one can continue to transact as before by entering card details manually at the time of undertaking the transaction.
As for the safety of user data, these details are stored in a secure mode by the authorised card networks. Details like the Primary Account Number (PAN), i.e., the card number, or any other card detail cannot be stored by the token requestor.
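The request flow and the storage rule described above can be sketched as a toy model. This is an added illustration, not code from the RBI, any card network, or this article's author; the class names, the `tok_` prefix, and the requestor and device identifiers are all assumptions made for the example.

```python
import secrets


class CardNetwork:
    """Toy token vault: only the network maps tokens back to card numbers."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, requestor_id, device_id)
        self._by_binding = {}  # (pan, requestor_id, device_id) -> token

    def issue_token(self, pan, requestor_id, device_id, issuer_consents):
        # A token is issued only with the card issuer's consent.
        if not issuer_consents:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requestor_id, device_id)
        if binding not in self._by_binding:
            # Random surrogate value: it carries no information about the PAN.
            token = "tok_" + secrets.token_hex(8)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def detokenize(self, token, requestor_id, device_id):
        # Resolve only for the requestor and device the token was issued to.
        pan, req, dev = self._by_token.get(token, (None, None, None))
        return pan if (req, dev) == (requestor_id, device_id) else None


class TokenRequestor:
    """App side: forwards the request and stores the token, never the PAN."""

    def __init__(self, requestor_id, network):
        self.requestor_id, self.network = requestor_id, network
        self.stored_tokens = set()

    def tokenize(self, pan, device_id, issuer_consents=True):
        token = self.network.issue_token(
            pan, self.requestor_id, device_id, issuer_consents)
        self.stored_tokens.add(token)
        return token


if __name__ == "__main__":
    PAN = "4111111111111111"  # constructed test number, not a real card
    net = CardNetwork()
    app = TokenRequestor("wallet-app", net)
    tok = app.tokenize(PAN, "phone-1")
    print(net.detokenize(tok, "wallet-app", "phone-1") == PAN)  # bound device
    print(net.detokenize(tok, "wallet-app", "tablet-9"))        # other device
    print(net.detokenize(tok, "shop-app", "phone-1"))           # other requestor
```

Because the token resolves only for the card, requestor, and device combination it was issued to, a token copied out of one app or device is useless when presented from another.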
For safety and security, the card networks are also mandated to get the token requestor certified. This ensures that it complies with international best practices / globally accepted standards.
The consent is given by the customer through an Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of a check box, radio button, etc. The customer will also be given the choice of selecting the use case and setting up limits.
Other Details About Tokenization
A customer can request tokenisation of any number of cards. For performing a transaction, the customer shall be free to use any of the cards registered with the token requestor app.
In case of any issues or losses with the card, complaints should be made to the card issuers. The card issuers shall ensure easy access for customers to report the loss of an “identified device” or any other such event which may expose tokens to unauthorised usage.