RBI scraps one-click purchases from Jan 1; all stored details to be purged

The Reserve Bank of India (RBI) on Tuesday effectively ended one-click purchases on merchant sites from January 1, as it refused to extend its deadline for card tokenisation beyond the agreed date of January 1, 2022.

Tokenisation is used in online transactions where the actual card details keyed in are replaced by random digits. This way, the customer is protected by preventing leakage of sensitive card details.

“With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers / or card networks, shall store the actual card data,” the central bank said in a statement, adding, “any such data stored previously shall be purged”.

With this, the RBI extended the tokenisation mandate to every device that connects to the Internet, including mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.) and Internet of Things (IoT) devices, and to payment aggregators as well as the merchants on-boarded by them.

In short, card details will not be saved anywhere. Every time a customer makes an online transaction, she will have to key in all the card details, including the 16-digit number, afresh; what reaches the merchant is a string of random numbers unrelated to the digits keyed in.

This will come as a blow to payment aggregators who were lobbying for keeping card details saved with them or in the merchant sites they serve. One-click purchases will no longer be possible after this mandate.

However, for transaction tracking or reconciliation purposes, entities can store the last four digits of the actual card number and the card issuer’s name, “in compliance with the applicable standards.”

The RBI also made card networks responsible for “complete ongoing compliance with the above by all entities involved”.

The RBI said card issuers can offer card tokenisation services as token service providers (TSPs), but only for cards issued by or affiliated to them. The same TSPs will be able to both tokenise and de-tokenise card data.

Tokenisation has to be done with customer consent, validated through an additional factor of authentication, the RBI said in its notification.
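To make the mechanism described above concrete, here is an added illustration (not code from the RBI notification, Business Standard, or any payment network) of the three roles the article lays out: an issuer-side token service provider that holds the only token-to-card mapping and only tokenises its own cards after consent is verified; a merchant record that keeps nothing but the token, the last four digits and the issuer name; and a storage audit that flags any record still holding a full card number. The issuer name, BIN prefixes and the sample card number are constructed test values, and the token format is this example's own choice.

```python
import re
import secrets

# Constructed sample PAN: a widely used test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenServiceProvider:
    """Hypothetical issuer-side TSP: the only party that maps tokens back to card data."""

    def __init__(self, issuer_name: str, issuer_bins: tuple):
        self.issuer_name = issuer_name
        self.issuer_bins = issuer_bins   # constructed BIN prefixes this issuer owns
        self._vault = {}                 # token -> PAN; in production this is encrypted at rest

    def tokenise(self, pan: str, consent_afa_verified: bool) -> str:
        # Consent must already have been validated through an additional factor of authentication.
        if not consent_afa_verified:
            raise PermissionError("tokenisation requires customer consent validated by AFA")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # A TSP may only tokenise cards it issued or is affiliated with.
        if not any(pan.startswith(b) for b in self.issuer_bins):
            raise ValueError("card not issued by this TSP")
        # The token is random, so it cannot be reversed into the PAN without the vault.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the TSP can turn a token back into the actual card number."""
        return self._vault[token]


def merchant_record(token: str, pan: str, issuer_name: str) -> dict:
    """What a merchant or aggregator may keep: token, last four digits and issuer name only."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}


# Any run of 13-19 digits not embedded in a longer digit string is a PAN candidate.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def audit_for_stored_pans(records: list) -> list:
    """Return (record_index, field) pairs whose value contains a Luhn-valid PAN candidate.

    This is the purge check an entity in the payment chain would run over its own
    stores before the deadline: every hit is card data that must not be there.
    """
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for match in PAN_PATTERN.finditer(str(value)):
                if luhn_valid(match.group()):
                    findings.append((idx, field))
    return findings


if __name__ == "__main__":
    tsp = TokenServiceProvider("Example Bank", issuer_bins=("411111",))
    token = tsp.tokenise(SAMPLE_PAN, consent_afa_verified=True)
    rec = merchant_record(token, SAMPLE_PAN, tsp.issuer_name)
    print("merchant stores:", rec)
    print("compliant store findings:", audit_for_stored_pans([rec]))
    print("legacy store findings:", audit_for_stored_pans([{"card": SAMPLE_PAN}]))
```

The audit is deliberately built on the same Luhn check the card number itself satisfies, so a token in the `tok_` format is never mistaken for card data while a full number left in any field of a legacy record is caught regardless of what the field is called.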

Payment aggregators and gateways had argued that the industry already follows best practice and that the RBI could always demand stricter norms and the highest standards. They had asked the RBI to let PCI DSS Level 1-certified merchants store card details. Level 1 is the highest standard available under PCI DSS, the Payment Card Industry Data Security Standard.
