The Reserve Bank of India (RBI) has stepped in with a new set of guidelines to safeguard online frauds for credit and debit card transactions. Here is how it’ll work, and this is what you need to do.
The central bank is introducing a system called ‘tokenization’, which means you as a user will be able to create an alternate unique code that can replace the actual credit or debit card details while making a transaction or payment. This 16-digit code, known as token, will be unique for every credit or debit card. The idea is to prevent skimming of card data, and subsequently prevent fraudulent transactions—this can be particularly scary for debit cards, which are linked directly to your bank account.
These tokens can be used for payments for online transactions, in-app transactions, point of sale terminals, quick response (QR) code-based transactions, near field communication (NFC) and magnetic secure transmission (MST) transaction methods. Basically, whether it is shopping online, making an in-app purchase in the PUBG game that you are addicted to, making bill payments or paying for a purchase in a physical store, you will be able to generate a token that will only be saved in the payment system for the payment to be released—at no point will the system be able to read your original card details, or trace back to them at any time.
The idea is to not have you save your actual credit or debit card data in an app or e-wallet, for instance, or reveal that at a brick-and-mortar store while making a purchase.
Initially, you will be able to generate a unique token for your credit or debit card using a mobile phone or a tablet to connect with your card provider, though the service will be extended to other devices soon, says the RBI. “For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained,” says the official circular issued by the RBI.
The RBI has made it clear that you don’t have to pay anything to get a token for your credit or debit card, and the service is free of cost. As per the guidelines, the tokenisation and de-tokenisation can be performed only by the authorised card network (such as your bank or credit card company). It is expected that credit and debit card networks such as Mastercard or Visa will work with issuing banks such as HDFC Bank, Standard Chartered Bank etc. to enable tokenization across the cards issued.
The access to the original Primary Account Number (PAN) should be feasible for the authorised card network only, and cannot be accessed by any third party. At no point can any third party also get access to your original credit or debit card details, by trying to trace the generation of the token. In case you lose the phone or tablet for instance, which was used to generate the token or save them for access, the RBI has mandated that the authorised card network to have an easy method in place to report such instances and generate new tokens instead.
The tokenization process will be slowly rolled out by banks and credit card companies, but this is surely something that could ease the fears of a lot of card holders. A lot will depend on the implementation though, which we hope is smooth and easy for users to decipher.