RBI Tokenization

Bad things happen when fraudsters get their hands on other people’s payment credentials. One way to prevent this is to disguise credit card numbers by turning them into randomized codes that cannot be used outside of their originating context.

This process is called tokenization, and because of new rules set by the Reserve Bank of India, it’s now mandatory for India-based merchants who want to be able to store their customers’ payment information. What are the new RBI rules for card tokenization, and how can merchants in India ensure that they are in compliance?

Credit cards are easy and convenient for ecommerce purchasing because they don’t require much. As long as the customer can provide the merchant with a card number and a few other pieces of information, the merchant can process a transaction.

The trouble is that this simplicity makes it easy for fraudsters to abuse the process. Fraudsters can steal payment credentials by eavesdropping on network traffic, hacking into merchant servers, or obtaining them from other cybercriminals on the dark web.

Tokenization has proved to be a highly effective method for keeping real credit card numbers safe from fraudsters.

Fraud has been greatly reduced in card-present environments thanks to the EMV chip. The chip does not tokenize the card number itself; it generates a one-time cryptogram for each transaction, so data captured from one purchase cannot be replayed at another terminal. Digital wallets like Apple Pay go a step further and substitute a device-specific token for the real card number when paying websites and contactless terminals. Tokenization is increasingly being used online to keep checkout processes and stored customer data secure.

The Reserve Bank of India, recognizing a good idea when they see one, has decided to make tokenization mandatory for merchants, acquiring banks, payment aggregators, gateways, and other service providers who handle credit card data. When this rule goes into effect, merchants will be required to stop storing any customer payment credentials that have not been tokenized.

What Are the New RBI Card Tokenization Rules?

Effective October 1, 2022, the only entities allowed to store the payment credentials of credit cards issued by Indian banks and processed by RBI-licensed payment service providers are issuing banks and card networks. Merchants, payment aggregators and gateways can no longer store raw card numbers or other card-on-file data; anything they keep must be a token.

The RBI has handed down a number of new credit card rules lately, including new subscription rules for recurring payments. These rules only apply to merchants based in India. International merchants who do not use Indian payment processors are not obligated to comply with them.

The rules specify how tokenization is to be carried out:

  • Each token must be unique to the combination of card, merchant, and token requestor (the entity, such as a payment processor, that requests the token from the card network on the merchant's behalf).
  • Before card data is tokenized, the customer must give explicit consent and complete an additional factor of authentication (AFA), the RBI's term for the extra verification step.
  • The customer must be able to delete their tokenized card information from wherever the merchant or payment processor is storing it, if they wish.
  • The merchant should only be able to see the issuing bank, card network, and the last four digits associated with each tokenized card; the token service, not the merchant, holds the mapping back to the real card number.

Merchants are allowed to store tokens, but only if they are PCI DSS compliant. Merchant service providers may be able to store tokens on behalf of merchants who have not yet met this requirement.

There are some limited exemptions to the new rule, which the RBI granted after the payments industry spoke up with their concerns.

The deadline has been extended for acquiring banks, which can now store card data until January 2023. The RBI also made a concession for guest checkouts (purchases in which the customer is not required to create a user account on the merchant's site). To allow settlement and post-transaction activities to take place, merchants and their payment service providers can store card data for up to four days after the transaction or until it settles, whichever comes first.

What Makes Card Tokens So Secure?

A token is bound to the merchant and token requestor it was issued for. If it is presented under any other conditions, such as from a different merchant or through a different requestor, the network rejects it rather than mapping it back to the card, so it cannot be used to initiate a transaction.

When a fraudster intercepts a regular credit card number from (for example) a poorly-secured wireless network, they can try to use that card number anywhere, and merchants with weak anti-fraud defenses will accept it. When a fraudster obtains tokenized card data, it’s useless to them.

Even aside from the fact that the token cannot be used with a different merchant, the token carries none of the real card data. It is a surrogate value generated by the token service with no mathematical relationship to the card number, so there is nothing in it to reverse: without access to the token vault, and without presenting it from the merchant and requestor it belongs to, it is just a randomized string of digits.
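To make the two ideas above concrete (the token scope rules listed earlier, and why a stolen token is useless elsewhere), here is an added example of a toy token vault. It is constructed for this article and is not the RBI's, any card network's, or any processor's real token service; the BIN table, the hypothetical token BIN prefix 990001, and the merchant and requestor IDs are all made up. It does show the properties the rules call for: consent and AFA are checked before tokenizing, the token is random and PAN-shaped, the merchant only ever gets issuer, network and last four digits, a token presented from another merchant or requestor maps to nothing, and the customer can have the token deleted.

```python
"""Toy token vault illustrating domain-restricted card tokens.

Constructed example: not the RBI's or any network's real token service.
The BIN table, token BIN prefix and IDs are made up for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_checksum(number: str) -> int:
    """Luhn checksum of a digit string; 0 means the number is valid."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit Luhn-valid."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


# Constructed BIN table standing in for the real issuer/network lookup.
BIN_TABLE = {
    "411111": ("Example Bank", "Visa"),
    "555555": ("Sample Bank", "Mastercard"),
}

# Hypothetical token BIN: tokens are PAN-shaped so legacy systems can carry
# them, but they live in a range that never collides with real card numbers.
TOKEN_BIN = "990001"


@dataclass
class TokenRecord:
    pan: str            # real card number: exists only inside the vault
    merchant_id: str    # token domain: the merchant it was issued for
    requestor_id: str   # token domain: the requestor (e.g. payment processor)


class TokenVault:
    """Hypothetical token service provider (constructed for this example)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, merchant_id: str, requestor_id: str,
                 *, consent: bool, afa_passed: bool) -> str:
        """Issue a token for (card, merchant, requestor) after consent + AFA."""
        if not (consent and afa_passed):
            raise PermissionError("explicit consent and AFA are required before tokenizing")
        if not pan.isdigit() or len(pan) != 16 or luhn_checksum(pan) != 0:
            raise ValueError("not a valid 16-digit PAN")
        if pan[:6] not in BIN_TABLE:
            raise ValueError("unknown BIN")
        # Random surrogate: no key, no derivation from the PAN, nothing to reverse.
        body = TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
        token = body + luhn_check_digit(body)
        self._records[token] = TokenRecord(pan, merchant_id, requestor_id)
        return token

    def merchant_view(self, token: str) -> Optional[dict]:
        """The only card details a merchant is shown for a stored token."""
        rec = self._records.get(token)
        if rec is None:
            return None
        issuer, network = BIN_TABLE[rec.pan[:6]]
        return {"issuer": issuer, "network": network, "last4": rec.pan[-4:]}

    def detokenize(self, token: str, merchant_id: str, requestor_id: str) -> Optional[str]:
        """Map a token back to the PAN only when presented from its own domain."""
        rec = self._records.get(token)
        if rec is None:
            return None
        if rec.merchant_id != merchant_id or rec.requestor_id != requestor_id:
            return None  # domain restriction: another merchant/requestor gets nothing
        return rec.pan

    def delete(self, token: str, merchant_id: str, requestor_id: str) -> bool:
        """Customer-initiated deletion of a stored token, from its own domain only."""
        if self.detokenize(token, merchant_id, requestor_id) is None:
            return False
        del self._records[token]
        return True


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", "MERCHANT-A", "PSP-1",
                         consent=True, afa_passed=True)
    print("token:", tok, "merchant sees:", vault.merchant_view(tok))
    print("same domain    ->", vault.detokenize(tok, "MERCHANT-A", "PSP-1"))
    print("other merchant ->", vault.detokenize(tok, "MERCHANT-B", "PSP-1"))
```

The point of the Luhn-valid, fixed-length token is that it can travel through systems built for card numbers, yet an attacker who lifts it from a merchant database gains nothing: it decodes to the real card only inside the vault, and only for the merchant and requestor it was issued to.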

Should Merchants Embrace Card Tokenization?

For merchants in India, this isn’t really a question—penalties that include restrictions on your business activities may be imposed if you aren’t in compliance.

In other regions, tokenization may be an option, not a requirement. Merchants should give it serious consideration as an anti-fraud measure, especially if it can be implemented affordably and with minimal disruptions to the customer experience.

There are three types of chargebacks, and many merchants find that true fraud is the hardest to deal with.

Merchant errors can be analyzed and corrected, friendly fraud can be prevented with better customer service and fought through the chargeback representment process, but true fraud can only be prevented ahead of time.

In a sense, tokenization is like a vaccine that gives merchants some herd immunity. Tokenizing your customers’ cards won’t prevent fraudsters from coming at you with stolen credentials they obtained elsewhere, but if enough merchants employ defenses like tokenization, it makes things a lot harder on fraudsters in general.

Conclusion

All around the world, governments and regulatory agencies are taking steps to protect consumer data and mitigate the threat of fraud. It’s not always easy for merchants to keep up with new rules and get into compliance with them on time, but it is important to do so. Aside from the fact that you can face costly penalties for ignoring them, these rules are often genuinely effective at reducing fraud and helping merchants avoid chargebacks.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com
