In a bid to make online payment transactions through credit and debit cards more safe and secured, the Reserve Bank of India (RBI) has ordered all online payment gateways, merchants and e-commerce companies to implement tokenisation of cards by their customers while making payments.

The central bank has asked all the merchants and e-commerce firms to delete all sensitive data of the customer relating to their card details available at their platforms.

As per the new rule that comes into effect from January 1, 2022, all merchants need to use encrypted tokens for doing transactions instead of credit and debit cards.

India’s largest private sector lender HDFC Bank in an SMS earlier this week said, “Effective 1st Jan’22! Your HDFC Bank card details saved on Merchant Website/App will get deleted by the merchants as per the RBI mandate for enhanced card security. To pay each time, enter full card details or opt for tokenisation.”

What is tokenisation?

Tokenisation refers to the replacement of credit and debit card details with an alternative code called a ‘token’, which is unique for a combination of card, token requestor (the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token) and the device, the RBI says.

This reduces the chances of fraud arising from sharing card details. The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.

RBI has also extended tokenisation of Card-on-File (CoF) transactions — where card details used to be stored by merchants — and directed the merchants not to store card details in their systems from January 1, 2022.

A CoF transaction is one in which a cardholder has authorised a merchant to store his or her Mastercard or Visa payment details, and to bill the stored account. E-commerce companies and airlines and supermarket chains often store card details.

Will it affect online transactions for merchants?

With thousands of stakeholders yet to onboard the tokenisation platform and “RBI regulated entities not prepared” for the new initiative, digital payment firms and merchant bodies have petitioned the RBI to extend the deadline for implementation of the tokenisation rule. If implemented in the present state of readiness, the new mandate could cause major disruptions and loss of revenue, especially for merchants, they said in a letter to the RBI.

“Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments,” Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter. They have voiced their concerns over industry readiness on the RBI directive on CoF and urged the central bank for an extension of the December 31 deadline for implementation of card data storage norms. Sources said some banks have also written to the RBI seeking extension of implementation of the new norms.