With the new framework in place, fraudsters will be kept at bay.

By Sajjad Bazaz

The Reserve Bank of India (RBI) is ready to bring its card-on-file tokenization norms into effect from October 1. Earlier, its implementation was deferred on a couple of occasions.

The RBI had planned to get a digital token system for debit as well as credit card transactions in place from January 1, 2022. The merchants and other stakeholders were asked to reset their technology solutions in line with the new norms – tokenization.

Earlier, a regulatory measure was announced by the Reserve Bank of India (RBI) in March 2020 prohibiting payment aggregators and merchants from storing customer card credentials within their servers from June 30, 2021. However, the deadline was extended by six months to 31 December 2021, which was further extended to June 2022. Due to pressure from major trade bodies and other stakeholders, it was then extended by another three months.

This time, the apex bank seems determined not to grant another extension as complaints regarding the misuse of debit or credit cards are mounting fast. There have been innumerable instances in the last few years of cardholders falling victim to cyber fraud because they had stored their card data on merchants’ websites for future payments. It is common for a merchant to save bank card details during a transaction. There have been several incidents when a merchant’s website was hacked and the details of the customers were exposed.

Tokenization of cards is yet another major safety tool insulating cardholders against cyber criminals. Under tokenization services, a unique alternate code is generated to facilitate transactions through cards. It substitutes a 16-digit customer card number with a non-sensitive equivalent value, referred to as a token. This essentially means that a customer’s card information will no longer be available on any merchant-payment gateway or third party that helps in the processing of digital transactions today.

Understanding the New Framework

As a cardholder, you first have to understand the present mechanism of a card transaction. When you make a purchase on any e-commerce platform using your card, your details such as card number, expiry date and CVV are picked up by the e-commerce website, and its acquiring bank initiates the transaction by sending the details to the card network (Visa, Mastercard, RuPay or any other network). The card network, in turn, sends them to the card-issuing bank or company, requesting payment approval. During this payment flow, your card details could also be saved by the merchant for repeat transactions.

Under the new framework, referred to as card tokenization, the Reserve Bank of India (RBI) has asked all merchants and payment gateways to remove sensitive customer card data saved at their end and instead use encrypted tokens to carry out transactions. From October 1, you won’t be required to mention card number, expiry date, CVV, name, etc. while using the card for a transaction. When a card is tokenized, its number is replaced with an algorithmically generated token. So, when a merchant wants to initiate a transaction on your card, they will use this token, which is a set of random numbers, in place of the actual card details.

So, by virtue of this process, cardholders can go for online purchases without exposing any details. This will improve their data security.

Incidents of data breaches are happening frequently. Debit cards issued by banks in India have become the source of one of the biggest ever breaches of financial data. Reportedly millions of such cards are compromised through malware infection. This allows fraudsters to steal customers’ information which they use to withdraw funds from the cardholders’ accounts without their knowledge.

Just in the beginning of the year 2021, media reported that data of nearly ten crore credit and debit card holders in India was being sold for an undisclosed amount on the Dark Web.

Some time back in the US, security agencies had recovered computers and laptops from cyber fraudsters in which credit card details of hundreds of cardholders across the globe were found compromised. In fact, cyber fraudsters have been on the prowl. Fraudulent transactions through credit cards have become the order of the day, leaving credit cardholders fuming. Fraudsters steal the data of a card electronically and either make purchases through the internet or create cloned cards for making purchases at merchant establishments through Point of Sale (PoS) terminals.

In order to counter such scenarios, the RBI has mandated card tokenization to strengthen the security of card data. So the obvious benefit is that it will prevent data theft. Even banks and e-commerce platforms would be protected against data breaches.

There is another scenario. During the pandemic, a lot of fake e-commerce websites popped up that require customers to share their credit or debit card details to make a purchase. In the name of selling cheap merchandise, they attract heavy traffic from consumers to their sites. For some time they deliver the goods at cheap rates. But after getting the desired volume of customers’ card data, they mostly vanish and misuse the customers’ card data.

Now, with the new framework where cardholders won’t have to submit card numbers and other details, fraudsters will be kept at bay as such crimes won’t be possible.

What Cardholders Need to Do?

When you as a cardholder start a purchase with the card, the merchant will initiate tokenization and, for that, will ask for your consent to tokenize the card. Once you give consent, the merchant will send a tokenization request to the card network. The card network creates a token as a proxy for the card number and sends it back to the merchant.

It is to be noted that for making payment to a different merchant or from a different card, tokenization is to be done again.

The merchant can save the token for subsequent transactions. You have to approve transactions with CVV and OTP.
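
The flow described above, sketched as an added example that is not from the article and is not the RBI's or any card network's actual implementation: a hypothetical `CardNetwork` class issues a random token bound to one card and one merchant after consent, and the merchant stores only that token. All class, method and merchant names are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets


class CardNetwork:
    """Hypothetical token vault on the card-network side (illustration only)."""

    def __init__(self):
        self._vault = {}   # token -> (card_number, merchant_id)
        self._issued = {}  # (card_number, merchant_id) -> token

    def tokenize(self, card_number, merchant_id, consent):
        # A token is created only after the cardholder consents.
        if not consent:
            raise PermissionError("cardholder consent required")
        key = (card_number, merchant_id)
        while key not in self._issued:
            # Random digits: the token is not derived from the card number.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._vault and token != card_number:
                self._vault[token] = key
                self._issued[key] = token
        return self._issued[key]

    def authorize(self, token, merchant_id, cvv_ok, otp_ok):
        # Modelling assumption: a token is honoured only for the merchant it
        # was issued to, and the cardholder still approves with CVV and OTP.
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False
        return cvv_ok and otp_ok


def demo():
    network = CardNetwork()
    card = "4111111111111111"  # constructed test number, not a real card
    token_a = network.tokenize(card, "merchant-A", consent=True)
    token_b = network.tokenize(card, "merchant-B", consent=True)
    merchant_a_db = {"customer-1": token_a}  # merchant A stores the token only
    return {
        "tokens_differ": token_a != token_b,
        "card_number_at_merchant": card in merchant_a_db.values(),
        "paid_at_A": network.authorize(token_a, "merchant-A", True, True),
        "token_a_used_at_B": network.authorize(token_a, "merchant-B", True, True),
        "missing_otp": network.authorize(token_a, "merchant-A", True, False),
    }


if __name__ == "__main__":
    print(demo())
```

In this model, a copy of merchant A's stored records yields only a token that the network refuses for any other merchant, which is the protection the framework aims for.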

Meanwhile, some initial disruptions cannot be ruled out once card tokenization is rolled out from October 1, 2022.

Sajjad Bazaz heads Internal Communication & Knowledge management Department of Jammu & Kashmir Bank Ltd. The views expressed are his own and not of the institution he works for.

 

 
