Online payment rules are expected to change from January 1. Everything you need to know


With the increase in digital penetration in the country, more and more people are using online payments to order food, make purchases or book taxis. But the digital world is full of threats from cybercriminals who are always waiting to gain access to user data.

To provide better security and make online payments safer, the Reserve Bank of India (RBI) has required all merchants and payment gateways to remove the sensitive customer information and debit and credit card details stored on their side.

The new rules will come into effect from January 1.

What does it mean?

After the RBI order, merchants and payment gateways will need to delete all information stored on their servers. This means that a user will need to enter full card details to make payments on merchant sites.

Banks have started notifying their customers of the changes coming into effect. HDFC, one of the major private banks, sent text messages to its customers asking them to enter their full card details or opt for tokenization.

What is tokenization?

Under the current system, a transaction is executed on the basis of the correct values of the 16-digit card number, card expiration date, CVV and one-time password or OTP (in some cases, the transaction PIN as well). Tokenization refers to the replacement of the actual card number with an alternate code, called a “token”.

The token is unique for a combination of card, token requester (i.e. the entity that accepts the customer’s request for tokenization of a card and passes it to the card network to issue a corresponding token) and device (hereinafter referred to as the “identified device”).

How is tokenization more secure?

According to the RBI, a tokenized card transaction is considered more secure because the actual card details are not shared with the merchant while the transaction is being processed.

The RBI further stated that the actual card data, token and other relevant details are stored in a secure mode by the authorized card networks. The token requester cannot store the Primary Account Number (PAN), i.e. the card number, or any other card details. Card networks are also mandated to get the token requester certified for safety and security in conformance with international best practices/globally accepted standards.

The central bank also said that the conversion of the token back into actual card details is known as detokenization. It added that the customer does not have to pay any fees to avail this service.
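
The token binding and detokenization described in the two sections above can be sketched as a small model. This is an added example, not code from the RBI or any card network; the class and function names, the `tok_` token format and the sample card number are assumptions made for illustration.

```python
import secrets


class CardNetworkVault:
    """Toy card-network vault: the only place where PAN and token are linked."""

    def __init__(self):
        self.by_binding = {}  # (pan, requester_id, device_id) -> token
        self.by_token = {}    # token -> (pan, requester_id, device_id)

    def tokenize(self, pan, requester_id, device_id):
        """Issue one token per (card, token requester, device) combination."""
        binding = (pan, requester_id, device_id)
        if binding in self.by_binding:
            return self.by_binding[binding]
        # Random surrogate: not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(8)
        while token in self.by_token:
            token = "tok_" + secrets.token_hex(8)
        self.by_binding[binding] = token
        self.by_token[token] = binding
        return token

    def detokenize(self, token, requester_id, device_id):
        """Return the PAN only if the token is presented by its own binding."""
        binding = self.by_token.get(token)
        if binding is None or binding[1:] != (requester_id, device_id):
            raise PermissionError("token not valid for this requester/device")
        return binding[0]


def merchant_record(vault, pan, requester_id, device_id):
    """What the token requester may keep on file: the token, never the PAN."""
    return {"requester": requester_id, "device": device_id,
            "card_on_file": vault.tokenize(pan, requester_id, device_id)}


if __name__ == "__main__":
    vault = CardNetworkVault()
    pan = "4111111111111111"  # constructed test card number, not a real card
    record = merchant_record(vault, pan, "shop-a", "phone-1")
    print("stored by merchant:", record)
    print("network resolves:",
          vault.detokenize(record["card_on_file"], "shop-a", "phone-1"))
```

A token copied from one merchant's database fails detokenization when presented under a different requester or device, which is what limits the damage of a breach on the merchant side.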

What will change from January 1?

From January, when you make the first payment to a merchant, you will need to give them your consent with an additional authentication factor (AFA). Once done, you will complete the payment by entering the CVV and OTP of your card.
