E-tailers can’t store your card data, says RBI – Times of India

MUMBAI: One-click purchases at e-commerce sites may no longer be available to digital shoppers with the Reserve Bank of India (RBI) putting its foot down on card data storage norms.
The reason behind RBI’s tough stance is a spate of ransomware attacks in the country, where computer networks open to the internet have been hijacked by malware.
In terms of the new guidelines for payment gateways and payment aggregators, online merchants will not be able to store credit card data, forcing customers to enter their 16-digit numbers manually.

According to sources, the central bank has said that it will not allow any online merchant to store debit or credit card information, no matter how secure their systems are.
Online businesses are already working to meet RBI’s deadline on recurring payments, which kicks in from September 2021. These guidelines require that customers issue mandates for recurring payments to banks, and online firms cannot on their own debit charges.
The solution, according to the RBI, is the tokenisation of payment data. This would mean that the e-commerce sites would need to tie up with the card network who will issue them ‘tokens’ linked to each card number. These tokens cannot be used by anyone else.
According to a banker, while this might create short-term disruption, it will benefit the industry. “When the RBI mandated two-factor authentication, the entire industry was up in arms. Five years down the road, as frauds fell, everyone was all praise and the same practice was adopted globally,” said a banker.
The reason why merchants are keen to store card information is that it reduces the number of steps in the transactions and thus reduces the number of transaction failures.
RBI’s mandate extends to payments using Unified Payments Interface, or UPI, as well. However, bankers point out that UPI is already a ‘token’ as the card and customer details are linked to an email-like id.