Online payment rules to change from Jan 1st

With the increase in the digital penetration in the country, more and more people are using the online payments to order food, shop or book cabs. But the digital world is full of threats from cyber criminals who are always waiting to get the access to users’ data.

To provide better security to people and make online payments safer, the Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove sensitive customer details and debit and credit cards that is saved on their end.

The new rules will come into effect from January 1.

What does this mean?

After the order from the RBI, the merchants and payment gateways will have to delete all the information stored on their servers. This means that a user will have to enter the full card details to make payments on merchant websites.

Banks have started informing their customers about the changes that are coming into effect. One of the leading private banks HDFC has been sending text messages to its customers that they will either have to enter full card details or opt for tokenisation.

What is tokensation?

According to the current system, the execution of transaction is based on the correct values of 16-digit card number, the card expiry date, the CVV and the one-time password or OTP (in some cases transaction PIN too). Tokenisation refers to replacement of actual card number with an alternative code, called the “tokens”.

It is unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token) and device (referred hereafter as “identified device”).

How is tokenisation safer?

According to RBI, a tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.

It further said that actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices/globally accepted standards.

The central bank also said that conversion of the token back to actual card details is known as de-tokenisation. It added that the customer need not pay any charges for availing this service.

What will change from January 1?

From January onwards, when you make the first payment to any merchant, you will need to give him/her your consent with an additional factor of authentication (AFA). Once done, you will complete the payment by keying in your card’s CVV and OTP.

Current Issue