RBI scraps one-click purchases from Jan 1; all stored details to be purged
The Reserve Bank of India (RBI) on Tuesday effectively ended one-click purchases on merchant sites from January 1, refusing to extend its deadline for card tokenisation beyond the previously agreed date of January 1, 2022.
Tokenisation replaces the actual card details keyed in for an online transaction with a token, a string of digits generated at random that bears no relationship to the card number. Only the entity that issued the token can map it back to the card, so a merchant or aggregator that leaks its stored data leaks tokens, not usable card numbers.
“With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers / or card networks, shall store the actual card data,” the central bank said in a statement, adding, “any such data stored previously shall be purged”.
With this, the RBI extended the tokenisation mandate to every device that connects to the Internet, including mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices, and to payment aggregators as well as the merchants on-boarded by them.
In short, card details will not be saved anywhere along the chain. Every time a customer makes an online transaction, she will have to key in the full card details afresh; what reaches the merchant is a token, a string of digits unrelated to the numbers keyed in.
This will come as a blow to payment aggregators, who had lobbied to keep card details saved with them or on the merchant sites they serve. One-click purchases will no longer be possible once the mandate takes effect.
However, for transaction tracking or reconciliation purposes, entities can store the last four digits of the actual card number and the card issuer's name, "in compliance with the applicable standards."
The RBI also made card networks responsible for “complete ongoing compliance with the above by all entities involved”.
The RBI said card issuers can offer card tokenisation services as token service providers (TSPs), but only for the cards issued by or affiliated to them. The same TSPs will be the ones able to tokenise and de-tokenise card data.
Tokenisation has to be done with the customer's consent, validated through an additional factor of authentication (AFA), the RBI said in its notification.
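To make the tokenise/de-tokenise flow and the "last four digits plus issuer name" storage rule concrete, here is an added example in Python. It is an illustration written for this article, not code from the RBI notification, a card network or any TSP. The 16-random-digit token format, the binding of a token to the merchant it was issued for, and all names in the code are assumptions.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a PAN, so a mis-keyed card number is rejected before tokenising."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenServiceProvider:
    """Hypothetical token vault run by a card issuer or network acting as TSP.

    Assumption: one vault per issuer; the full PAN exists only inside this object.
    """

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry, merchant_id)

    def tokenise(self, pan: str, expiry: str, merchant_id: str, afa_verified: bool) -> str:
        # Consent must have been validated through an additional factor of authentication.
        if not afa_verified:
            raise PermissionError("tokenisation requires customer consent validated by AFA")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        while True:
            # 16 digits drawn from a CSPRNG: no mathematical relation to the PAN,
            # so a leaked token cannot be reversed without this vault.
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._vault and token != pan:
                break
        self._vault[token] = (pan, expiry, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str):
        """Map a token back to card data; only the TSP can do this.

        Assumption: a token is usable only by the merchant it was issued to,
        so a token stolen from one merchant is worthless at another.
        """
        entry = self._vault.get(token)
        if entry is None or entry[2] != merchant_id:
            raise LookupError("unknown token or token not issued to this merchant")
        pan, expiry, _ = entry
        return pan, expiry


def merchant_record(token: str, pan: str, issuer_name: str) -> dict:
    """What a merchant or aggregator may keep: the token, the last four digits, the issuer name."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}


def contains_pan(record: dict, pan: str) -> bool:
    """Audit helper: does any field of a stored record carry the full card number?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample input: a well-known Luhn-valid test number, not a real card.
    pan = "4111111111111111"
    tsp = TokenServiceProvider()
    token = tsp.tokenise(pan, "12/26", "merchant-A", afa_verified=True)
    stored = merchant_record(token, pan, "Demo Bank")
    print("merchant stores:", stored)
    print("TSP de-tokenises for merchant-A:", tsp.detokenise(token, "merchant-A"))
    print("record carries full PAN:", contains_pan(stored, pan))
```

Running it shows the merchant side holds a random 16-digit token plus "1111" and the issuer name, while the only path from token to card number goes through the TSP's vault and fails for a merchant the token was not issued to.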
Payment aggregators and gateways had argued that the industry already follows best practice and that the RBI could always demand stricter norms, holding it to the highest standards. They had asked the RBI to let PCI DSS Level 1-certified merchants store card details. Level 1 is the highest standard available under PCI DSS, the Payment Card Industry Data Security Standard.