Only card companies and banks are allowed to store card information; everyone else must delete it


The Reserve Bank of India (RBI) on Tuesday declined to extend the card tokenization deadline beyond the agreed date of 1 January 2022. The decision makes true one-click checkout harder, since an OTP will still be required, but customers will not have to type in their card details for every transaction. In online transactions, tokenization replaces the real card details with a random token; the actual card number stays only with the card issuer (the bank) and the card networks, such as RuPay, Visa and Mastercard. Because a merchant's database then holds random tokens rather than card numbers, a breach of that database does not leak card details.


At the same time, the RBI has extended a facility that lets customers avoid entering their 16-digit card number and other details on each purchase. Payment aggregators and merchants cannot enable or disable this facility; only the bank or the card network can. Payment aggregators and merchants will also have to delete the card details they already have on file. Card on file (CoF) refers to the saving of card data by a merchant; under the RBI's Card-on-File Tokenization (CoFT) framework, that saved data is replaced by a token issued by a bank or card network acting as token service provider (TSP), which gives customers the same convenience while the real card data stays with the TSP.


“While increasing client data security, CoFT will provide consumers with the same level of ease as before,” the RBI said. “Under the tokenization scheme, there would be no necessity to input card data for every transaction, contrary to the concerns raised in certain sections of the media,” the RBI added in a separate statement. According to the RBI's announcement, tokenization must be based on explicit customer consent and confirmed by two-factor authentication.


“No entity in the card transaction/payment chain, other than card issuers and/or card networks, should store the actual card data beginning 1 January 2022,” the central bank stated, adding that “any such data held before shall be purged.” The RBI has also extended the tokenization facility to all Internet-connected devices, including mobile phones, tablets, laptops, desktops, wearables (wristwatches, bands, etc.) and Internet of Things (IoT) devices.


Payment aggregators will take a hit as a result, since they had lobbied to keep card details on their own servers or on the merchant sites they serve. Customers will still be required to enter a one-time password, which makes one-click transactions harder. Entities may, however, keep the last four digits of the actual card number and the card issuer's name for transaction tracking or reconciliation, “in conformity with the applicable requirements.” The RBI also made card networks responsible for “full and continuing compliance with the foregoing by all businesses concerned.”
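The data flow the article describes (random tokens in the merchant database, the real card number held only by the card network or issuer acting as TSP, the merchant keeping just the token, the last four digits and the issuer name, and tokenization gated on customer consent plus a second factor) in Python, as an added example that is not part of the original article and not code from the RBI or any card network. The TokenServiceProvider and Merchant classes, the merchant-bound tokens, the choice to make tokens fail the Luhn check, and the prefix-to-issuer lookup are all assumptions for illustration; 4111111111111111 is a widely used test card number, not a real account.

```python
"""Illustrative Card-on-File tokenization flow (added example, not RBI or TSP code).

Roles, as described in the article:
  * TokenServiceProvider: the card network / issuer that keeps the real PAN.
  * Merchant: stores only the token, the last four digits and the issuer name.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum that real card numbers satisfy."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_name(pan: str) -> str:
    # Illustrative first-digit lookup only; real BIN ranges are longer and overlap.
    return {"4": "Visa", "5": "Mastercard", "6": "RuPay"}.get(pan[0], "Unknown")


class TokenServiceProvider:
    """Hypothetical TSP vault. In production this is an HSM-backed store at the
    card network or issuer; a dict is used here only to show the data flow."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}   # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str,
                 consent: bool, second_factor_ok: bool) -> str:
        # The article: tokenization requires customer consent and a second factor.
        if not (consent and second_factor_ok):
            raise PermissionError("consent and two-factor authentication are required")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        while True:
            # Random digits, not derived from the PAN, so the token reveals nothing.
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            # Design choice for this example: force the token to fail Luhn so a
            # scan of merchant storage can tell a token from a real PAN.
            if luhn_valid(token):
                token = token[:-1] + str((int(token[-1]) + 1) % 10)
            if token not in self._vault:
                break
        self._vault[token] = (pan, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Only the merchant the token was issued to may use it (domain restriction),
        so a token stolen from one merchant is useless at another."""
        pan, bound_merchant = self._vault.get(token, (None, None))
        if pan is None or bound_merchant != merchant_id:
            raise PermissionError("unknown token or token not bound to this merchant")
        return pan


@dataclass
class Merchant:
    merchant_id: str
    card_on_file: dict[str, dict[str, str]] = field(default_factory=dict)

    def save_card(self, customer: str, pan: str, tsp: TokenServiceProvider,
                  consent: bool = True, second_factor_ok: bool = True) -> dict[str, str]:
        token = tsp.tokenize(pan, self.merchant_id, consent, second_factor_ok)
        # Retain only what the article says may be kept: token, last four, issuer name.
        record = {"token": token, "last4": pan[-4:], "issuer": issuer_name(pan)}
        self.card_on_file[customer] = record
        return record


def find_stored_pans(store: dict[str, dict[str, str]]) -> list[str]:
    """Return customers whose stored record still contains a Luhn-valid PAN.
    Useful for verifying the purge; tokens from this example TSP fail Luhn by design."""
    return [customer for customer, record in store.items()
            if any(luhn_valid(value) for value in record.values())]


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    shop = Merchant("shop-A")
    rec = shop.save_card("alice", "4111111111111111", tsp)   # constructed test PAN
    print("merchant record:", rec)
    print("PANs left in merchant store:", find_stored_pans(shop.card_on_file))
    print("TSP resolves token for shop-A:", tsp.detokenize(rec["token"], "shop-A"))
```

Two practical caveats. The Luhn-based purge check works here only because this example's tokens are deliberately made Luhn-invalid; whether a real TSP's tokens are distinguishable from PANs by format is a TSP design choice, so a merchant should confirm it with its TSP before relying on such a scan. And the merchant binding in `detokenize` is what limits the blast radius of a token theft; a vault that resolves any token for any caller would merely move the problem from the merchant to the TSP.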


Payment aggregators and gateways argued that the sector already follows best practices and that the RBI could instead demand tougher regulations and higher standards. They asked the RBI to allow businesses certified at PCI DSS Level 1 to keep card information. PCI DSS is the Payment Card Industry Data Security Standard, and Level 1 is its most stringent compliance level, applied to the highest-volume merchants and service providers.
