New Delhi: The deadline for the new debit and credit card rules has been extended after the Reserve Bank of India (RBI) received a range of representations from different industry bodies. The RBI has again extended the debit and credit card tokenisation deadline to September 30.
The Reserve Bank stated that industry stakeholders had highlighted issues with implementing the framework for guest checkout transactions. It added that transactions processed using 'tokens' are yet to gain traction across all categories of merchants.
According to the new set of rules, online players need to delete any credit or debit card data stored on their platforms and replace it with a 'token'.
What Is A 'Token' And How To Get It?
Tokenisation refers to the replacement of actual card details with an alternate code called the 'token'. 'Token' will be unique for a combination of card, token requestor and device. RBI said that a person "could get the card tokenised by initiating a request on the app provided by the token requestor.
The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device."
A cardholder doesn't have to pay any charges, and the process isn't mandatory, the Reserve Bank added.
"This means that going forward, instead of saving your card details on a web service – for example, Amazon – you would be saving a unique token. This token would be only for that particular merchant and that particular device. With tokenisation, customers can register or de-register their card for a particular use, i.e., contactless, QR code-based, in-app payments etc.," said Soumee Bhatt, General Counsel, BankBazaar.com.
It must be noted that tokenisation is restricted to mobile phones and tablets. The process can't be done through a smartwatch or other similar devices.
Also, tokenisation and de-tokenisation (conversion of the token back to actual card details) can be done only by an authorised card network; RBI publishes the list of authorised card networks.
Why Did RBI Issue The New Rules?
"A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing," RBI said.
"Credit card data such as number, CVV and card expiry date is stored on the databases of web services for ease of payments. But this data faces info-security risks. We've seen in the past that data stored on some websites have been breached and leaked into the public domain. Once that happens, cards may be fraudulently used, and their owners may suffer financial losses. Hence, the Reserve Bank issued directives that no entity except card issuers or networks will be allowed to store debit or credit card details. Data already stored needs to be erased," Ms Bhatt said.
"As no card data is being saved anywhere except by the card network and issuer, the chances of card data being lost or stolen are reduced. You also have the option to view the list of merchants with whom you have registered a token and de-register any such token in future via your issuer's app or internet banking. So, if you do not intend to shop on a site later or do not wish a recurring payment associated with your account to be renewed, you can delete the associated token. In case your card is renewed or replaced, you will have to explicitly consent to link it with the merchants with whom you had registered the card earlier. All this adds up to additional security," she added.
What Will Happen If A Token's 'Identified Device' Is Lost Or Stolen?
"All complaints should be made to the card issuers. Card issuers will ensure easy access to customers for reporting a loss of 'identified device' or any other such event which may expose tokens to unauthorised usage," the RBI stated.
Ms Bhatt said the card network would need to put in place a system to immediately de-activate such tokens and associated keys in case of their exposure to unauthorised usage.
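To make the mechanics concrete, here is an added Python model (written for this article; it is not RBI's, BankBazaar's or any card network's code) of the flow described in the token section above and in this lost-device section: the merchant, acting as token requestor, keeps only a token; the network issues one token per card, requestor and device combination with the issuer's consent; only the network maps a token back to card details; and a lost-device report deactivates every token bound to that device. The card number, merchant name and device identifiers are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field
@dataclass
class CardNetwork:
    """Constructed model of the authorised card network (the token service provider)."""
    vault: dict = field(default_factory=dict)   # token -> (pan, requestor, device)
    index: dict = field(default_factory=dict)   # (pan, requestor, device) -> token
    active: set = field(default_factory=set)    # tokens that may still be used

    def tokenise(self, pan, requestor, device, issuer_consent):
        """One token per (card, token requestor, device); the card issuer must consent."""
        if not issuer_consent:
            raise PermissionError("card issuer did not consent")
        key = (pan, requestor, device)
        if key not in self.index:                 # same combination -> same token
            token = "TKN" + secrets.token_hex(8)  # random; carries no card digits
            self.vault[token], self.index[key] = key, token
            self.active.add(token)
        return self.index[key]

    def authorise(self, token, requestor):
        """Merchant submits only the token; de-tokenisation happens inside the network."""
        if token not in self.active or self.vault[token][1] != requestor:
            raise PermissionError("token unknown, deactivated or bound to another merchant")
        pan = self.vault[token][0]                # visible only here, never to the merchant
        return "approved for card ending " + pan[-4:]

    def report_lost_device(self, pan, device):
        """Issuer relays a lost-device report; tokens bound to that device are deactivated."""
        hit = [t for t, (p, _, d) in self.vault.items() if (p, d) == (pan, device)]
        self.active.difference_update(hit)
        return hit

class Merchant:  # token requestor (constructed): it keeps tokens, never card details
    def __init__(self, name, network):
        self.name, self.network, self.saved = name, network, {}
    def save_card(self, customer, pan, device, issuer_consent=True):
        self.saved[customer] = self.network.tokenise(pan, self.name, device, issuer_consent)
        return self.saved[customer]
    def charge(self, customer):
        return self.network.authorise(self.saved[customer], self.name)

def demo():
    net, pan = CardNetwork(), "4111111111111111"  # constructed sample card number
    shop = Merchant("ExampleShop", net)
    phone = shop.save_card("alice-phone", pan, "phone-1")
    tablet = shop.save_card("alice-tablet", pan, "tablet-1")
    lost = net.report_lost_device(pan, "phone-1")  # phone reported lost to the issuer
    return {"phone": phone, "tablet": tablet, "lost": lost, "tablet_charge": shop.charge("alice-tablet"),
            "merchant_holds_pan": any(pan in t for t in shop.saved.values())}
```

Running `demo()` shows two different tokens for the same card on two devices, the phone's token deactivated after the loss report while the tablet's still authorises, and no card number anywhere in the merchant's storage.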
Are There Any Risks?
Though the Reserve Bank stated that the new process is "safer", there could be some "other security risks" involved.
"With card tokenisation, sensitive card data is substituted with tokens and no actual data is stored anywhere other than with the issuer, card network, and customer. Implementing tokenisation adds complexity to the existing IT structure as processing transactions will become more complicated and comprehensive," said Murari Sridharan, Chief Technology Officer, BankBazaar.com.
"Tokenisation does not eliminate all security risks but reduces the potential for data breach significantly, especially from third-party apps," he added.