Introduction
Banks are increasingly becoming targets for fraud, necessitating stronger measures to protect customers. The Reserve Bank of India (RBI) has stepped up vigilance by introducing new tokenisation guidelines specifically for credit and debit cards. This article explores the significance of tokenisation and highlights the recent RBI guidelines aimed at enhancing security and compliance in digital transactions.
What is Tokenisation?
Tokenisation is a method of replacing sensitive data with a non-sensitive equivalent, known as a token. This process ensures that the original sensitive data is not processed, stored, or transmitted, thereby reducing the risk of data breaches and fraud. In the context of credit card transactions, card-on-file (CoF) tokenisation involves replacing a customer's card details with unique tokens, which can be used for future transactions, improving user experience while ensuring data safety.
Traditionally, customers used to swipe their cards or enter card details during transactions. However, storing such information on merchant servers poses significant cyber risks. The RBI has now mandated that merchants should no longer store card details on their servers from January 1st, 2022. Instead, card details will be tokenised, safeguarding both customer data and the merchant's operations.
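The sketch below is an added example, not code from the RBI circulars or from any card network. It shows the saved-card flow described above: the merchant keeps only a token, and a later payment presents that token instead of the card number. The names TokenVault, Merchant, charge and demo are hypothetical, and binding each token to one merchant is an assumption of this sketch.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Check-digit test so malformed card numbers are rejected before tokenising."""
    digits = [int(c) for c in pan]
    for i in range(len(digits) - 2, -1, -2):      # double every second digit from the right
        digits[i] = digits[i] * 2 - 9 if digits[i] > 4 else digits[i] * 2
    return sum(digits) % 10 == 0

class TokenVault:
    """Stands in for the tokenisation service: the only place a card number is kept."""
    def __init__(self):
        self._by_token = {}    # token -> (merchant_id, pan)
        self._by_pair = {}     # (merchant_id, pan) -> token, so a repeat request reuses it

    def tokenise(self, merchant_id: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        key = (merchant_id, pan)
        if key not in self._by_pair:
            token = "tok_" + secrets.token_hex(16)  # random, so the token reveals nothing about the PAN
            self._by_pair[key] = token
            self._by_token[token] = key
        return self._by_pair[key]

    def charge(self, merchant_id: str, token: str, amount: int) -> str:
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:  # unknown token, or issued to another merchant
            raise PermissionError("token not valid for this merchant")
        return f"approved {amount} on card ending {entry[1][-4:]}"

class Merchant:
    """Card-on-file store after tokenisation: customer -> token, never the card number."""
    def __init__(self, merchant_id: str, vault: TokenVault):
        self.merchant_id, self.vault, self.saved_cards = merchant_id, vault, {}

    def save_card(self, customer: str, pan: str) -> None:
        self.saved_cards[customer] = self.vault.tokenise(self.merchant_id, pan)  # PAN is not retained

    def pay_with_saved_card(self, customer: str, amount: int) -> str:
        return self.vault.charge(self.merchant_id, self.saved_cards[customer], amount)

def demo():
    pan = "4111111111111111"                      # constructed test number, not a real card
    shop = Merchant("shop-a", TokenVault())
    shop.save_card("alice", pan)
    leaked = str(shop.saved_cards)                # what a dump of the merchant database would contain
    return pan in leaked, shop.pay_with_saved_card("alice", 499)
```

Calling demo() returns whether the card number appears in the merchant's stored data, followed by the receipt for a payment made with the saved token.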
Background of RBI's Tokenisation Guidelines
Signaling a significant shift in the fintech landscape, the RBI introduced tokenisation in 2019 through a circular. This guideline permitted card network providers to carry out tokenisation via mobile apps, QR codes, and Near Field Communication (NFC) technology. The RBI further expanded this policy in 2020 by prohibiting authorised Payment Aggregators (PAs) and merchants from storing customer card credentials on their servers.
Notably, till August 2022, the RBI had not proposed a solution for merchants to offer saved card payments (CoF) due to data storage concerns. The September 2021 circular addressed this gap by extending device-based tokenisation to CoF tokenisation, ensuring that customers could enjoy the convenience of saved cards without compromising data security.
The Impact on Consumers and Merchants
The RBI's new guidelines are consumer-centric, prioritising end-user safety. By prohibiting the storage of card details, the RBI ensures that even if a merchant's database is compromised, customer information remains protected. At the same time, the RBI balances this measure with the convenience of saved cards, allowing customers to continue enjoying fast checkout.
For e-commerce companies, the saved cards feature significantly boosts conversion rates, as it encourages customers to complete purchases. By June 2022, online merchants must either delete users' saved cards or allow them to save tokenised versions. This process ensures that merchants have the necessary consent and authentication mechanisms in place, enhancing data security and customer trust.
Conclusion
The RBI's tokenisation guidelines mark a critical step towards enhancing digital transaction security in India. By leveraging tokenisation, both consumers and merchants can enjoy efficient, secure transactions without the risk of sensitive data breaches. As the fintech landscape continues to evolve, adherence to these guidelines will remain crucial for maintaining robust digital payment systems.