New credit card rules from July 1; merchants can’t store card data

Card data will be stored as an encrypted “token” to help customers make secure transactions; these tokens will allow payment to be made without disclosing customer details


From July 1 onwards, online merchants will not be able to store customers’ card data, as per the Reserve Bank of India’s (RBI) debit and credit card tokenisation rules.

The RBI had issued these card tokenisation rules last year, keeping customer safety in mind. Under the rules, merchants were barred from storing customer card data on their servers. These rules will come into effect from July 1, 2022.

RBI had made adoption of card-on-file tokens for domestic online purchases mandatory. The deadline for adoption of card tokens across the country was extended by six months from January 1, 2022 to July 1, 2022.

Card data will instead be stored as an encrypted “token” to help customers make secure transactions. These tokens will allow payment to be made without disclosing customer details.


RBI guidelines make it mandatory to replace the original card data with an encrypted digital token.

From July 1, therefore, merchants will have to delete customers’ debit and credit cards’ data from their records.

Customer’s consent necessary

The card tokenisation system, though, is not mandatory. If a customer has not given consent for tokenisation of his or her card, the customer will have to enter all card details, such as name, card number and card validity, instead of just the card verification value (CVV), every time he or she makes an online payment.

The tokenisation system is free of charge and is only applicable to domestic online transactions.

According to the RBI, registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced, default or automatic selection of a check box, radio button, etc.
