Understanding RBI’s New Directions Regarding Storage of Card Data
The Reserve Bank of India (RBI) has recently given new directives concerning the storage of card data by entities or merchants. Aiming to reduce the risk of fraud that arises from sharing card details, the central bank has directed that no entity or merchant, except card issuers and card networks, should store card details.
New Directions by RBI
Effective from January 2022, the RBI has stated that no entity participating in the card transaction or payment chain, excluding the card issuers and card networks, should store the actual card data. Any data of this sort that has been stored previously will need to be deleted. This move is expected to significantly reduce the risk of card fraud as the sensitive card data will be restricted to only the essential entities – card issuers and card networks.
Extension of Card-on-File Tokenisation
In addition to preventing unnecessary storage of card data, the RBI has also expanded the scope of tokenisation of Card-on-File (CoF) by card issuers. This means the central bank has allowed card issuers to offer tokenisation services as Token Service Providers (TSPs). However, this facility will be provided exclusively for the cards issued by or linked to the respective TSP.
Understanding Tokenisation
Tokenisation refers to the process of replacing actual card details with an alternative code, known as a “token”. This token is unique for a combination of a card, token requestor, and device. It is used to execute card transactions in a contactless mode at points-of-sale terminals and for quick response and code payments. This innovative technology promises secure transactions while protecting sensitive card details.
Card-on-File Transactions
A CoF transaction is one where a cardholder authorises a merchant to store his or her MasterCard or Visa payment details. After the storage of these details, the cardholder gives the same merchant permission to bill the cardholder’s stored Mastercard or Visa account. Generally, e-commerce companies, airlines, and supermarket chains store card details in their system. However, under the new RBI directives, this practice will likely be discouraged unless tokenisation is employed.
Consequences for Merchant Entities
These new directives from RBI represent a significant change in the way card transactions are currently handled by various merchant entities. With the limitations on storing actual card data and the expansion of tokenisation, merchant entities such as e-commerce platforms may need to alter their transaction systems. Moreover, customers can expect additional security for their card details, reducing the likelihood of potential fraud.
Final Take
The new rules put forth by the Reserve Bank of India regarding the storage of card data reflect the central bank’s ongoing commitment to enhancing the safety of card transactions. By restricting the storage of actual card data and extending the scope of tokenisation, the RBI aims to create a more secure environment for cardholders and reduce the risk of fraudulent activities. Tokenisation could emerge as an important tool for maintaining the security and privacy of card transaction data.
