Card tokenisation last date put off by 6 mths
TIMES NEWS NETWORK
Mumbai:24.12.2021
E-commerce companies and other establishments that accept payment online will now have six more months before they have to delete credit card data from their systems. The RBI on Thursday said it was extending by six months its deadline for nonbank payment aggregators and merchants to purge card data they have stored.
The RBI also allowed the payment industry to devise new methods to handle recurring payments and equated monthly instalment (EMI) payments without storing cards. On March 31, the RBI had asked all non-bank payment system participants and merchants to purge card data from their systems by December 31, 2021.
Online billers, including e- commerce companies, ticketing services and other providers, have been storing credit card data in their customers’ accounts so that customers do not have to key in card data each time they make payments.
No KYC update? A/cs will be frozen
Many customers of banks and other financial services who have not updated their identity and address proof documents may find their accounts frozen in the new year. The reason: On December 31, 2021, the RBI’s freeze on action by banks against customers who have not complied with KYC norms will come to an end. P 19
Token data, if breached, can’t be used by hackers
The RBI does not want entities it does not regulate to store card information as some merchants store millions of card information and a breach could result in card information being exposed.
According to central banking sources, the number of malware attacks on business establishments is on the rise.
To ensure that card data is not put at risk and at the same time ensure that the customer is not inconvenienced, the RBI has come out with tokenisation guidelines.
Here the customer authorises the bank or payment network (Visa, Mastercard, Rupay) to issue a token to the merchant, which corresponds to their account. The merchant then uses the token in place of the card for accepting payments and processing refunds.
If the merchant’s servers are breached and token data is stolen, it cannot be used by the hacker.
“We would like to thank RBI for giving industry this much needed time to scale up its efforts and work towards achieving the true intent of this guideline. PCI will work with the industry and RBI to come up with solutions to handle any use cases such as refunds and post-transaction activity, including chargeback handling, dispute resolution, reward/loyalty programme that currently requires the storage of card data by entities other than card issuers and card networks,” said Vishwas Patel, director Infibeam Avenues and chairman of the Payments Council of India.
“As an industry, we are firmly committed to achieving the Reserve Bank of India (RBI) vision of enhanced customer protection of customer card credentials and have all embarked on that journey,” said Srinivasu MN, founder, Billdesk and co-chair of the BBPS committee at PCI.
He said the industry will use the next six months to implement appropriate uniform solutions for seamless migration for cardholders as well as ensuring adequate security for storage.
No comments:
Post a Comment