Why new debit and credit card rules? What the experts say
New Delhi: The new debit and credit card rules have been deferred following a series of representations from different industry bodies. The Reserve Bank of India (RBI) has again extended the deadline for the debit and credit card tokenization rule until September 30.
The Reserve Bank said industry stakeholders have highlighted some issues with the implementation of the framework as it relates to customer payment transactions. In addition, several transactions processed using “tokens” are yet to gain traction across all merchant categories, it added.
According to the new set of rules, online players must delete all credit or debit card data stored on their platforms and replace it with a “token”.
What is a “token” and how do I get it?
Tokenization refers to replacing the actual card details with an alternate code called the “token”. ‘Token’ will be unique for a combination of card, token requester and device. RBI said a person “could obtain the tokenized card by initiating a request on the application provided by the token requester.
The token requester will forward the request to the card network which, with the consent of the card issuer, will issue a token matching the combination of card, token requester and device.”
A cardholder does not have to pay a fee and the process is not mandatory, the Reserve Bank added.
“This means that in the future, instead of saving your card details to a web service – for example, Amazon – you would save a unique token. That token would only be for that particular merchant and that particular device. With tokenization, customers can register or deregister their card for a particular purpose, i.e. contactless, QR code-based, in-app payments, etc.,” said Soumee Bhatt, attorney general, BankBazaar.com.
It should be noted that tokenization is limited to mobile phones and tablets. The process cannot be performed through a smartwatch or other similar devices.
Additionally, tokenization and detokenization (converting the token back to actual card details) can only be performed by the authorized card network.
Why did RBI publish the new rules?
“A tokenized card transaction is considered more secure because the actual card details are not shared with the merchant while the transaction is being processed,” RBI said.
“Credit card data such as card number, CVV and expiration date are stored in web services databases to facilitate payments. But this data is exposed to IT security risks. We have seen in the past that data stored on certain websites is breached and leaked into the public domain. Once this happens, cards can be used fraudulently and their owners can suffer financial loss. Therefore, the Reserve Bank has issued guidelines that no entity except card issuers or networks will be permitted to store debit or credit card details. Data already stored must be erased,” said Ms. Bhatt.
“As no card data is stored anywhere other than the card network and issuer, the risk of loss or theft of card data is reduced. You also have the option of displaying the list of merchants from whom you have registered a token and to unregister such token in the future through your issuer’s app or online banking, so if you do not intend to make purchases on a site in the future or if you do not want a recurring payment associated with your account to renew, you can remove the associated token. If your card is renewed or replaced, you will need to explicitly consent to link it to merchants with whom you previously registered the card. All of this adds extra security,” she added.
What will happen if a device identified by a “token” is lost or stolen?
“All complaints should be directed to card issuers. Card issuers will ensure easy access for customers to report loss of ‘identified device’ or any other such event that may expose tokens to unauthorized use,” the RBI said.
Ms Bhatt said the card network should have a system in place to immediately deactivate such tokens and associated keys if exposed to unauthorized use.
Are there any risks?
Although the Reserve Bank said the new process is “more secure”, there could be “other security risks” involved.
“With card tokenization, sensitive card data is replaced with tokens and no real data is stored anywhere other than at the issuer, card network and customer. Implementing tokenization adds complexity to the existing IT structure as transaction processing will become more complicated and comprehensive,” said Murari Sridharan, Chief Technology Officer, BankBazaar.com.
“Tokenization does not eliminate all security risks, but it does greatly reduce the potential for data breaches, especially from third-party applications,” he added.