The Reserve Bank of India (RBI) on Tuesday refused to extend its deadline for card tokenisation beyond the agreed date of January 1, 2022, a decision that makes one-click purchases on merchant sites impossible from January 1.
Tokenisation is used in online transactions: the actual card details keyed in by the customer are replaced by a token, a string of random digits that cannot be mapped back to the card number by anyone except the token service provider. This protects the customer, because a merchant or payment aggregator that holds only tokens leaks no sensitive card details if it is breached.
“With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data,” the central bank said in a statement, adding, “any such data stored previously shall be purged”.
With this, the RBI extended the tokenisation mandate to every device that connects to the Internet, including mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices, and to payment aggregators as well as the merchants on-boarded by them.
In short, card details will not be saved anywhere: every time a customer makes an online transaction, she will have to key in the 16-digit card number and all other details afresh, and what reaches the merchant is a token of random digits unrelated to the numbers keyed in.
This comes as a blow to payment aggregators, who had lobbied to keep card details saved with them or on the merchant sites they serve. One-click purchases will no longer be possible after this mandate.
However, for transaction tracking or reconciliation purposes, entities may store the last four digits of the actual card number and the card issuer's name, "in compliance with the applicable standards."
The RBI also made card networks responsible for “complete and ongoing compliance with the above by all entities involved”.
The RBI said card issuers can offer card tokenisation services as token service providers (TSPs), but only for cards issued by or affiliated to them. The same TSPs will be able to both tokenise and de-tokenise card data, i.e. map a token back to the actual card number.
Tokenisation must be done with the customer's consent, validated through an additional factor of authentication (AFA), the RBI said in its notification.
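The data flow the mandate describes (a TSP holding the only copy of the card number, tokens issued only for the TSP's own cards and only after AFA, and the merchant keeping nothing but the token, the last four digits and the issuer name) is easier to see in code. The following toy token vault is an added example written for this page; it is not RBI, card-network or any TSP's code. The issuer name, the BIN prefix "4111", the merchant identifiers and the classic test card number 4111 1111 1111 1111 are constructed inputs, and a real TSP would keep the vault in an HSM-backed store rather than a dictionary.

```python
"""Toy card-on-file token vault (constructed example, not production code)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject mistyped card numbers before tokenising."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenServiceProvider:
    """Issuer-run TSP: the vault is the only place a PAN exists outside the issuer."""

    def __init__(self, name: str, issuer_bins):
        self.name = name
        self.issuer_bins = tuple(issuer_bins)   # assumed BIN prefixes this issuer owns
        self._vault = {}                        # token -> PAN
        self._by_pan = {}                       # (PAN, merchant_id) -> token

    def tokenise(self, pan: str, merchant_id: str, afa_passed: bool) -> str:
        pan = re.sub(r"\D", "", pan)
        if not afa_passed:
            raise PermissionError("customer consent must be validated by AFA")
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a valid 16-digit PAN")
        if not pan.startswith(self.issuer_bins):
            raise ValueError(f"{self.name} may only tokenise cards it issues")
        key = (pan, merchant_id)
        if key in self._by_pan:                 # one token per card per merchant
            return self._by_pan[key]
        while True:
            # CSPRNG digits: the token has no mathematical relation to the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._vault and token != pan:
                break
        self._vault[token] = pan
        self._by_pan[key] = token
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Only the TSP can reverse a token, and only for the merchant it was issued to."""
        pan = self._vault.get(token)
        if pan is None or self._by_pan.get((pan, merchant_id)) != token:
            raise KeyError("unknown token for this merchant")
        return pan


def merchant_record(pan: str, token: str, issuer_name: str) -> dict:
    """What a merchant or aggregator may retain after 1 January 2022."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Purge check: does any stored field still contain the full card number?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    tsp = TokenServiceProvider("Issuer A", ["4111"])
    card = "4111 1111 1111 1111"                 # constructed test PAN
    tok = tsp.tokenise(card, "merchant-1", afa_passed=True)
    rec = merchant_record(re.sub(r"\D", "", card), tok, "Issuer A")
    print(rec, "exposes PAN:", record_exposes_pan(rec, "4111111111111111"))
    print("TSP resolves token back to PAN:", tsp.detokenise(tok, "merchant-1")[-4:])
```

Two design points matter more than the dictionary: the token is drawn from a cryptographic random source rather than derived from the PAN, so possession of tokens gives an attacker nothing to invert, and the token is bound to the merchant it was issued for, so a token stolen from one merchant cannot be replayed through another.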
The payment aggregators and gateways had argued that the industry already follows best practice and that the RBI could instead demand stricter norms and the highest standards. They had asked the RBI to let PCI DSS Level 1-certified merchants store card details. Level 1 is the most stringent merchant level under the Payment Card Industry Data Security Standard (PCI DSS), the one that requires an annual on-site assessment rather than a self-assessment questionnaire.