RBI extends card tokenisation deadline to September 30, 2022

The Reserve Bank of India (RBI) on Friday, June 30, said that its newly introduced debit and credit card tokenisation rules, which were supposed to kick in on July 1, will now take off from September 30, 2022. It said the three-month deadline extension to avoid disruption and inconvenience to cardholders.

“This extended time period may be utilised by the industry for, (a) facilitating all stakeholders to be ready for handling tokenised transactions; (b) processing transactions based on tokens; (c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF (card-on-file) data by entities other than card issuers and card networks; and (d) creating public awareness about the process of creating tokens and using them to undertake transactions,” said the RBI in a statement.

The RBI had last year issued the card tokenisation rules, keeping in mind customer safety. Under the rules, merchants were barred from storing customer card data on their servers. 

Also read: RBI’s move to make credit cards UPI-enabled isn’t an unalloyed blessing

RBI guidelines make it mandatory to replace the original card data with an encrypted digital token.

What is tokenisation?

To enhance transaction security, the RBI wants merchants and payment gateways to erase all the customer-related sensitive data stored at their end. They are required to purge from their systems whatever credit and debit card data they may have stored, such as card number, date of expiry and name on the card.

Instead, the merchants are told to start tokenisation, that is, use encrypted codes or tokens to complete transactions. With the postponement of the deadline, they have another six months to implement tokenisation. Meanwhile, users are required to familiarise themselves with the new process.

The RBI has also allowed payment firms to come up with alternatives to storing cards. They can, of their own initiative, develop new means to handle recurring payments and equated monthly instalment (EMI) that are safe and do not store sensitive card information.

How does it work?

Tokenisation is a process that replaces the 16-digit card number with a unique code or token. This is meant to mitigate the risk of security breaches. The merchants and payment firms involved in the transaction will not memorise your card details, since it is converted into a unique token that even they cannot ‘read’.

When you reach the billing stage during an online purchase and give your card details, the merchant initiates the process, asking for your consent to tokenise your debit/credit card. Once you tick the appropriate box, the system sends a tokenisation request to the card issuer’s (Visa, Mastercard, etc) network.

The card issuer creates a token through an algorithm and sends it to the merchant. The token, which is fully secure, is a proxy to the card number; therefore, your card details will not be stored. The merchant does save the token for subsequent transactions, but it is in a coded format that prevents misuse for unauthorised transactions.

The next time you make a purchase, if you go to a new merchant or use a different card, you will have to go through the tokenisation process again. Remember that either way you will still need CVV and OTP numbers, so keep the mobile handy.

If you’re not too keen on the new system, you can key in your card details each time you make a purchase, turn down the tokenisation request, and rest assured that your card data will not be stored by the e-seller. The other option, of course, is cash-on-delivery, which is neither convenient nor advisable in pandemic times.