Card data security

Under the new RBI framework, cardholders won't be required to submit card numbers and other details while making online purchases

For quite some time, credit and debit cardholders were on tenterhooks amid talk of large-scale disruptions in card transactions on e-commerce platforms and at other merchant establishments. The RBI planned to put a digital token system for card transactions in place from January 1, 2022 and asked merchants and other stakeholders to reset their technology solutions in line with the new norms.

The new norm is referred to as tokenization, defined as a process which involves replacement of actual card details with a unique alternate code called the token.

It’s worth mentioning that a regulatory measure announced by the Reserve Bank of India (RBI) in March 2020 prohibited payment aggregators and merchants from storing customer card credentials on their servers from June 30, 2021. However, the deadline was extended by six months to 31 December 2021. As the deadline inched closer, merchants and payment aggregators anticipated major disruptions in their businesses, as most of them had yet to realign their transaction systems to the RBI’s guidelines. Major industry bodies and other stakeholders sought more time to fall in line with the new digital token system for card transactions. Now, the RBI on Thursday yet again extended the deadline to comply with the new card storage rules by another six months to June 2022.

Notably, the RBI has ordered all companies in India to remove all saved credit and debit card data from their systems in the given time frame. During all this buzz, the focus of the regulator (RBI) remained on the service providers alone, and customer awareness received the least attention. Even as ordinary bank customers come across news about the policy changes affecting their credit and debit cards, most of them are yet to understand the new norms drafted by the RBI and being rolled out in the next six months. They mostly fear that some major disruption is going to take place in card transactions. Actually, the primary focus should have been on the customer, as tokenization of cards is another major safety tool insulating them against cyber criminals.

What is going to change for cardholders under the new framework?

As a cardholder, you first have to understand the present mechanism of a card transaction. When you make a purchase on any e-commerce platform using your card, your card details such as card number, expiry date and CVV are picked up by the e-commerce website, and its acquiring bank initiates the transaction by sending the details to the card network (be it Visa, Mastercard, RuPay or any other network). The card network, in turn, sends them to the card-issuing bank or company, requesting payment approval. During this payment flow, your card details could also be saved by the merchant for future repeat transactions.

Now, the Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove sensitive customer card data saved on their end and instead use encrypted tokens to carry out transactions. Under this mechanism, referred to as card tokenization, you won’t be required to enter the card number, expiry date, CVV, name, etc. while using the card for a transaction. When a card is tokenized, its number is replaced with an algorithmically generated token. So, when a merchant wants to initiate a transaction on your card, they will use this token, which is a set of random numbers, in place of the actual card details.

So, by virtue of this process, cardholders can go for online purchases without exposing their card details. This will improve their data security.

How is the new process going to benefit card users?

Do you know that incidents of data breaches are now taking place very frequently? Debit cards issued by banks in India have become the source of one of the biggest ever breaches of financial data. Reportedly, millions of such cards have fallen victim to malware infection. This allows fraudsters to steal customers’ information, which they use to withdraw funds from the cardholders’ accounts without their knowledge.

At the beginning of 2021, the media reported that data of nearly 10 crore credit and debit card holders in India was being sold for an undisclosed amount on the Dark Web.

Some time back, security agencies in the US recovered computers and laptops from cyber fraudsters in which compromised credit card details of hundreds of cardholders across the globe were found. In fact, cyber fraudsters have been on the prowl. ‘Shocking transactions’ through credit cards have become the order of the day and leave many credit cardholders fuming. The fraudster electronically steals the data of a card and either makes unauthorized purchases over the internet or creates cloned cards for making purchases at merchant establishments through Point of Sale (PoS) terminals.

In order to counter the above mentioned scenarios where customer data breaches have been the order of the day, the RBI has mandated card tokenization to strengthen the security of card data. So the obvious benefit is that it will prevent data theft. Even banks and e-commerce platforms would be protected against data breaches.

There is another scenario. During the pandemic, a lot of fake e-commerce websites have popped up that require customers to share their credit or debit card details to make a purchase. In the name of selling cheap merchandise, they attract heavy consumer traffic to their sites. For some time they deliver goods at cheap rates. But after collecting the desired volume of customers’ card data, they mostly vanish and misuse that data to commit fraud at will.

Now, with the new framework, under which cardholders won't be required to submit card numbers and other details, the fraudsters will be kept at bay and such crimes will not be possible.

What cardholders need to do from June 2022?

When you as a cardholder start a purchase with the card, the merchant will initiate tokenization and, for that, will ask for your consent to tokenize the card. Once you give consent, the merchant will send a tokenization request to the card network. The card network creates a token as a proxy for the card number and sends it back to the merchant.

It is to be noted that for making payment to a different merchant or from a different card, tokenization is to be done again.

The merchant can save the token for subsequent transactions. You have to approve transactions with CVV and OTP.
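The flow described above can be modelled in a few lines. This is an added illustration, not code from the RBI or from any card network: the class name, merchant ids and card number are constructed, and the real protocol is considerably more involved.

```python
import secrets

class CardNetworkVault:
    """Toy stand-in for the card network's token vault (hypothetical names)."""

    def __init__(self):
        self._by_token = {}   # token -> (card number, merchant id)
        self._by_pair = {}    # (card number, merchant id) -> token

    def tokenize(self, card_number, merchant_id, consent):
        # The merchant may request a token only after the cardholder consents.
        if not consent:
            raise PermissionError("cardholder consent required")
        pair = (card_number, merchant_id)
        while pair not in self._by_pair:
            # Random digits: the token has no mathematical link to the card.
            token = "".join(secrets.choice("0123456789") for _ in card_number)
            if token not in self._by_token and token != card_number:
                self._by_token[token] = pair
                self._by_pair[pair] = token
        return self._by_pair[pair]

    def authorize(self, token, merchant_id, cvv_ok, otp_ok):
        # Only the network can map a token back to a card, and only for
        # the merchant it was issued to, with CVV and OTP both verified.
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return "declined: token not valid for this merchant"
        if not (cvv_ok and otp_ok):
            return "declined: CVV and OTP required"
        return "approved"

def demo():
    network = CardNetworkVault()
    card = "4111111111111111"   # constructed test number, not a real card
    shop_token = network.tokenize(card, "shop-a", consent=True)
    other_token = network.tokenize(card, "shop-b", consent=True)
    merchant_db = {"customer-1": shop_token}   # all that shop-a keeps on file
    return {
        "stores_card_number": card in merchant_db.values(),
        "tokens_differ": shop_token != other_token,
        "own_merchant": network.authorize(shop_token, "shop-a", True, True),
        "stolen_token": network.authorize(shop_token, "shop-b", True, True),
        "no_otp": network.authorize(shop_token, "shop-a", True, False),
    }

if __name__ == "__main__":
    print(demo())
```

The `stolen_token` result is the point of the scheme: a token copied from one merchant's database is declined when presented by anyone else.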

Will rewards and benefits offered by service providers get impacted under the new framework?

Experts say that such ‘rewards and benefits’ offered by various banks and merchants on card transactions may get impacted in the initial stage. Under this framework, a merchant won't be able to identify the issuer of the card. This means that if an e-commerce platform is offering a 5% discount on a particular bank’s credit or debit card, the tokenization system won't allow the merchant to know whether a card was issued by that bank in order to give the discount.

So some disruptions cannot be ruled out once card tokenization is rolled out from June 2022. However, there is time for the major players in the system to revisit their process so that disruptions are minimized initially and completely overcome at a later period of time.

Disclaimer: The views and opinions expressed in this article are the personal opinions of the author. The facts, analysis, assumptions and perspective appearing in the article do not reflect the views of GK.

Readers can send their queries to,

(The views are of the author & not the institution he works for)
