E-commerce companies such as Amazon and Flipkart, and online delivery platforms such as Zomato and Swiggy, won’t be able to save your credit/debit card details on their servers under new guidelines from the RBI that will come into effect starting July 1, 2022.
This comes after RBI’s auto debit policy, which came into effect in October, restricting automatic recurring payment services including utility bills, phone recharges, DTH, and even OTT services such as Netflix and Amazon Prime, among others.
Now the central bank has mandated all merchants to use encrypted tokens to carry out transactions. In just a few months from now, payment through your credit or debit card on e-commerce sites is likely to look a lot different, sending you on new loops to pay. Here we explain what the mandate means for you.
What is RBI saying?
RBI wants all merchants and e-commerce firms to delete the saved card details of their customers from their servers, and has mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
According to the central bank, all merchants need to use encrypted tokens for transactions—and this should be achieved through tokenisation.
For the uninitiated, tokenisation refers to the replacement of credit and debit card details with an alternative code called a ‘token’. For instance, if a credit/debit card is used at a Point of Sale (POS) machine or on an e-commerce marketplace, the card number is transferred to the tokenisation system, which generates 16 random characters, also called a ‘token’, to replace the original card number. The system then returns the newly generated 16-character token to the e-commerce site, which stores it in place of the customer’s card number.
For instance, the card number (example) 1234 5678 1234 5678 will be replaced by a token number, say (just an example) 4321 1234 5678 1234. This number is a unique combination of the card, the token requestor (the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token) and the device, the RBI says.
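The mapping described above can be sketched in a few lines. This is an added example, not code from the RBI or any card network: the `TokenVault` class, the requestor and device names, and the in-memory storage are all hypothetical. It shows that the token is random rather than derived from the card number, that each card/requestor/device combination gets its own token, and that a token presented by a different requestor is refused.

```python
import secrets


class TokenVault:
    """Toy stand-in for a tokenisation system (hypothetical, in-memory only)."""

    def __init__(self):
        self._by_binding = {}  # (card number, requestor, device) -> token
        self._by_token = {}    # token -> (card number, requestor, device)

    def tokenise(self, card_number, requestor_id, device_id):
        pan = card_number.replace(" ", "")
        binding = (pan, requestor_id, device_id)
        # The same card/requestor/device combination always maps to one token.
        if binding in self._by_binding:
            return self._by_binding[binding]
        # Draw 16 random digits; retry on a collision or if it equals the card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token and token != pan:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def detokenise(self, token, requestor_id, device_id):
        # Only the vault can map a token back, and only for the bound requestor/device.
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor_id, device_id):
            raise PermissionError("token is not valid for this requestor/device")
        return binding[0]


def merchant_record(vault, card_number, requestor_id, device_id):
    """What the merchant keeps on file: the token, never the card number."""
    return {"token": vault.tokenise(card_number, requestor_id, device_id)}


if __name__ == "__main__":
    vault = TokenVault()
    card = "1234 5678 1234 5678"  # example card number used in the article
    rec_a = merchant_record(vault, card, "merchant-a", "phone-1")  # constructed names
    rec_b = merchant_record(vault, card, "merchant-b", "phone-1")
    print(rec_a, rec_b)  # two different tokens for the same card
```

A token copied out of one merchant's database is useless at another merchant, because the vault refuses to resolve it for any other requestor or device.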
It is worth noting that tokenisation has been around for a while as a way to separate data in ecosystems and databases. This reduces the chances of fraud arising from sharing card details. Interestingly, tokenisation is already used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.
RBI’s mandate has made it clear that merchants and companies will have to delete such information from their databases and adopt tokenisation, which replaces actual card details with tokens.
Every card user will have to get the card tokenised with a merchant or service provider by initiating a request on the app provided by the token requestor.
What are the new norms?
As per the rules, card service providers have to send a notification to customers five days prior to the date of payment. The debit will be allowed only after the customer approves the payment.
Every user who opts in for auto payments will receive a notification five days prior that will carry the merchant’s name, amount, due date and reference number, followed by a link to a page that will allow you to view, modify or cancel the payment.
Users will have the option to opt out of the transaction or mandate through the link. However, if you choose to ignore the notification, the transaction will not be carried out. It should be noted that this is only for recurring payments less than Rs 5,000.
For recurring payments above Rs 5,000, the new mandate requires banks to send a one-time password (OTP) to the customers. And for all subsequent transactions within this threshold, the bank will also have to send a pre-debit notification five days before the payment is slated to be deducted. The debit will be allowed only after the customer approves the payment.
Meanwhile, auto debit accounts registered for mutual funds, SIPs and equated monthly installments for loans will not be impacted by these new rules.
Impact on customers
At least 5 million customers who have stored their card details for online transactions could be impacted if online merchants are not able to implement the changes at their backend. Merchants, banks, card providers and payment gateways have said that there hasn’t been enough time to make the backend changes for the measure, announced in September to protect cardholders from fraud.
E-commerce platforms, online service providers and small merchants could be especially hit. Now, with the latest extension, the RBI expects the systems to be ready for a seamless launch in six months.
Additionally, 90 per cent of banks are ready for tokens on the Visa platform, but Mastercard is yet to catch up. The RBI had banned Mastercard from issuing any new cards on July 14 this year for not complying with data localisation requirements. Even as CoF conversion to a tokenised number is being done, the system is not geared up for processing the tokens as merchants are not ready at their end.
“If implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants,” Alliance of Digital India Foundation (ADIF) said in a joint letter to the RBI.