No need to enter your full card details on e-tail sites – Times of India
[ad_1]
MUMBAI: Customers will not have to input their credit card details on e-commerce sites they frequent even after the RBI rule barring storage of card data by merchants kicks in from January 1, 2022. Fast checkouts can continue with the RBI permitting card-on-file tokenisation. This allows customers to ask their banks to issue tokens to the online merchant in place of card details. This will enable subsequent payments without the card details.
Earlier, the RBI had allowed tokenisation for devices. Customers could register their NFC device — either a phone or a watch — with their card-issuing bank. Then, the card-issuing bank would provide the application on the device a token that is linked to the customer’s card number. As a result, every time the customer does a tap-to-pay transaction using the phone or watch, the token number is passed to the bank, which approves the transaction after recognising the device and the token.
If a fraudster gets hold of the token details, they cannot be used for payment as it would not be coming from the registered device. Also, tokenisation would still require two-factor authentication.
Even if hackers breach an e-commerce site, all they can get is tokens which cannot be used by anyone else. As against this, a breach today will provide them with the full card details that are accepted for payment in some countries without an OTP.
“The device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well,” the RBI said. What this means is that while earlier customers could get tokens for payments using applications such as Samsung Pay, they can now ask their banks to issue tokens to e-commerce sites as well.
The central bank has reiterated that with effect from January 1, no entity in the card transaction/payment chain, other than the card-issuers and card networks, can store card data. “Any such data stored previously shall be purged. For transaction tracking and reconciliation purposes, entities can store limited data — the last four digits of the card number and card-issuer’s name — in compliance with the applicable standards,” the RBI said.
“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of the RBI to deepen digital payments in India and make such payments safe and efficient shall continue,” the central bank said in its circular.
Some IT experts, however, said that if crores of debit cards have to be tokenised, it would put a lot of burden on bank infrastructure.
Earlier, the RBI had allowed tokenisation for devices. Customers could register their NFC device — either a phone or a watch — with their card-issuing bank. Then, the card-issuing bank would provide the application on the device a token that is linked to the customer’s card number. As a result, every time the customer does a tap-to-pay transaction using the phone or watch, the token number is passed to the bank, which approves the transaction after recognising the device and the token.
If a fraudster gets hold of the token details, they cannot be used for payment as it would not be coming from the registered device. Also, tokenisation would still require two-factor authentication.
Even if hackers breach an e-commerce site, all they can get is tokens which cannot be used by anyone else. As against this, a breach today will provide them with the full card details that are accepted for payment in some countries without an OTP.
“The device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well,” the RBI said. What this means is that while earlier customers could get tokens for payments using applications such as Samsung Pay, they can now ask their banks to issue tokens to e-commerce sites as well.
The central bank has reiterated that with effect from January 1, no entity in the card transaction/payment chain, other than the card-issuers and card networks, can store card data. “Any such data stored previously shall be purged. For transaction tracking and reconciliation purposes, entities can store limited data — the last four digits of the card number and card-issuer’s name — in compliance with the applicable standards,” the RBI said.
“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of the RBI to deepen digital payments in India and make such payments safe and efficient shall continue,” the central bank said in its circular.
Some IT experts, however, said that if crores of debit cards have to be tokenised, it would put a lot of burden on bank infrastructure.
[ad_2]
Source link
