New Credit Card and Debit Card Rules for Online Payments from July 2022

Jun 21, 2022


The Reserve Bank of India's new Debit and Credit card rules are set to take effect from 1st July 2022, and they will change the way you use your cards for online transactions. As the new rules primarily highlight the security of users' details, the Central Bank has legislated the introduction of tokenisation of debit and credit card transactions.

Apart from being the apex institutions that facilitate the working of commercial banks and regulate the monetary decisions of the economy, the central banks are the driving forces in the development of national payment systems. The Reserve Bank of India takes several initiatives towards introducing and upgrading efficient and secure modes of payment system in the country to meet the requirements of the public at large.

Due to the COVID-19 pandemic, more and more individuals prefer online shopping for their everyday needs, which has tremendously increased the use of online payment methods and, with it, the number of online financial frauds. Debit and credit cards are currently the most used online payment methods in India, representing 25% to 30% of transactions, and they are also the payment method most targeted by fraudsters. To check out from e-commerce websites faster, many customers prefer to save their debit card or credit card details with the merchant (the e-commerce website). This data is stored on the merchant's server. However, even with security measures in place, your confidential data, such as the credit card number, expiry date, CVV (Card Verification Value), name, etc., is exposed to a data breach. Scammers use malicious code to steal customer card credentials, which are then used to make fraudulent transactions.

The RBI has introduced several new rules to ensure a secure and smoother debit card and credit card experience for cardholders. With the primary aim of preventing online fraud arising from breaches of debit and credit card data, the RBI has restrained merchants and payment gateways from saving Card on File (CoF), i.e., customer card credentials, on their servers and advised them to use the Card on File Tokenisation (CoFT) payment method instead. The main objective of the RBI is to create a security framework for safer digital transactions.

The RBI had extended the deadline for CoFT by six months (i.e., 30th June 2022) in December 2021 as card issuers, card networks, and payment gateways were not fully integrated for CoFT at that time. Therefore, once the new rule is effective from 1st July 2022, e-commerce companies like Amazon, Flipkart, Big Basket, Myntra etc., and payment aggregators and payment gateways like Google Pay, CashFree, Razorpay, Paytm, etc., will no longer be permitted to store customer card credentials for faster transactions. However, for reconciliation purposes, these entities are allowed to store limited data - the last four digits of the Debit or Credit card number and card issuer's name - in compliance with the applicable standards. Only the issuing banks (the bank that issues the card) and card networks (Visa, MasterCard, Rupay, etc.) will be permitted to store customer card credentials.

As discussed above, the RBI has provided a workaround called Card on File Tokenisation (CoFT), which can be used as a payment method with explicit customer permission. Let us understand what it is and how it works.


What is Card on File (CoF)?

Card on File (CoF) is simply the customer's card credentials saved with a merchant, such as the 16-digit credit card number, expiry date, CVV, etc.

What is Tokenisation?

Tokenisation is the process of replacing sensitive data, such as bank account numbers, credit card details, etc., with a non-sensitive alternative, known as a token. It enables payments without actually disclosing the sensitive data that could potentially get exposed to a data breach.

What is De-tokenisation?

De-tokenisation is a conversion of the token back to the card credentials.

What is Card on File Tokenisation (CoFT)?

Card on File Tokenisation (CoFT) is the process of creating tokens for Card on File, i.e., customer card credentials, to protect them against online fraud. The authorised card networks act as Token Service Providers (TSPs), which can offer card tokenisation services to any token requestor (a merchant or payment gateway, i.e., a third-party app provider). This mechanism extends to Near Field Communication (NFC), in-app payments, QR code-based payments, etc.

A customer can use any number of devices to request tokenisation. The facility is now extended to laptops, desktops, wearable devices such as wristwatches and bands, Internet of Things (IoT) devices, etc., apart from mobile phones and tablets. A Token Service Provider may tokenise card data only with the customer's explicit consent, which requires Additional Factor of Authentication (AFA) validation by the card issuer (i.e., the bank or any other card issuer). The RBI also states that complete and ongoing compliance with these regulations by all the entities involved shall be the responsibility of the card networks.

Card on File Tokenisation is considered the safest mode of card payment because the actual card details are never shared with the merchant, payment gateway or payment aggregator. A customer does not have to pay any additional charges for this facility. One token is limited to exactly one card and one merchant. However, a customer can tokenise multiple cards with the same merchant, or the same card with multiple merchants. A customer does not have to remember the token.

Most importantly, this facility is not mandatory for customers. A customer can choose whether or not to tokenise their card. Besides, a customer can register or deregister for a particular use case. So, if you want to use Card on File Tokenisation only for in-app payments and not for QR code-based and contactless payments, you will be able to do that. Furthermore, a customer is free to set or modify the per-transaction and daily transaction limits for tokenised cards. It is advisable to delete the tokenised cards from e-commerce websites that you do not regularly shop with. In case of a debit or credit card replacement for any reason, such as renewal, upgrade, reissue, etc., a customer is required to create a fresh token, because the new card comes with a new 16-digit number, expiry date and CVV.

How does the Card on File Tokenisation work?

Let us understand how the Card on File Tokenisation, i.e., CoFT works with an example.

Using her mobile phone, Maithili purchases a new laptop through an e-commerce merchant, say Amazon. She uses her HDFC Bank Visa Credit Card for the payment.

A tokenisation request is initiated from her side on the app provided by the token requestor (i.e., the merchant, in this case Amazon).

Amazon will forward the request to the card network (in this case, Visa).

The card network acts as the Token Service Provider (TSP): it obtains consent from HDFC Bank (the card issuer) and then issues a token corresponding to the combination of the card, the merchant (Amazon) and the device from which the request was initiated, i.e., Maithili's mobile phone.

So, Maithili makes a purchase with her credit card without disclosing her actual credit card number to the merchant, which reduces the risk of a data breach.
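The flow above can be followed end to end in a small simulation. The code below is an added illustration, not RBI's, Visa's or any bank's implementation; the entity names, the random token format, the OTP check standing in for AFA, and the authorisation logic are simplifying assumptions, and every card number and OTP in it is constructed sample data. It shows the properties the article describes: the token is issued only after the issuer validates AFA, the merchant's server holds only the token plus the last four digits and issuer name, the token works only for the merchant and device it was bound to, and deregistering deletes it.

```python
"""Toy model of Card on File Tokenisation (CoFT): added example, not real code."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    pan: str     # 16-digit card number (constructed sample, not a real card)
    expiry: str
    cvv: str


class Issuer:
    """Card issuer (e.g. a bank): holds the real credentials and validates AFA."""

    def __init__(self, name, cards):
        self.name = name
        self._cards = {c.pan: c for c in cards}

    def validate_afa(self, pan, otp_entered, otp_issued):
        # Second factor compared in constant time (assumed OTP-based AFA).
        return pan in self._cards and hmac.compare_digest(otp_entered, otp_issued)


class TokenServiceProvider:
    """Card network acting as TSP: the only place the token -> card mapping lives."""

    def __init__(self, issuer):
        self.issuer = issuer
        self._vault = {}  # token -> (Card, merchant_id, device_id)

    def tokenise(self, card, merchant_id, device_id, otp_entered, otp_issued):
        # No token without explicit consent proven by AFA at the issuer.
        if not self.issuer.validate_afa(card.pan, otp_entered, otp_issued):
            raise PermissionError("AFA failed: consent not established")
        token = secrets.token_hex(8)  # random; carries no card information
        self._vault[token] = (card, merchant_id, device_id)
        return token

    def authorise(self, token, merchant_id, device_id):
        """De-tokenise internally and authorise; the merchant learns only yes/no."""
        entry = self._vault.get(token)
        if entry is None:
            return False
        _card, bound_merchant, bound_device = entry
        # One token is bound to one card, one merchant and one device.
        return (bound_merchant, bound_device) == (merchant_id, device_id)

    def delete_token(self, token):
        self._vault.pop(token, None)


class Merchant:
    """Token requestor: keeps the token, last four digits and issuer name only."""

    def __init__(self, merchant_id, tsp):
        self.merchant_id = merchant_id
        self.tsp = tsp
        self.card_on_file = {}  # customer -> {"token", "last4", "issuer"}

    def save_card(self, customer, card, device_id, otp_entered, otp_issued):
        token = self.tsp.tokenise(card, self.merchant_id, device_id, otp_entered, otp_issued)
        # Only reconciliation data is stored: no PAN, expiry or CVV on this server.
        self.card_on_file[customer] = {
            "token": token, "last4": card.pan[-4:], "issuer": self.tsp.issuer.name}
        return token

    def pay(self, customer, device_id):
        record = self.card_on_file[customer]
        return self.tsp.authorise(record["token"], self.merchant_id, device_id)


def run_demo():
    """Walk through the Maithili example and return the observable outcomes."""
    card = Card(pan="4111111111111111", expiry="12/27", cvv="123")  # constructed
    tsp = TokenServiceProvider(Issuer("HDFC Bank", [card]))
    amazon = Merchant("amazon", tsp)
    otp_issued = "482913"  # constructed: the OTP the issuer sent to the customer
    results = {}
    try:  # wrong OTP: the issuer refuses AFA, so no token is created
        amazon.save_card("maithili", card, "maithili-phone", "000000", otp_issued)
        results["wrong_otp_rejected"] = False
    except PermissionError:
        results["wrong_otp_rejected"] = True
    token = amazon.save_card("maithili", card, "maithili-phone", otp_issued, otp_issued)
    stored = amazon.card_on_file["maithili"]
    results["merchant_sees_pan"] = card.pan in stored.values()
    results["last4"] = stored["last4"]
    results["same_device_payment"] = amazon.pay("maithili", "maithili-phone")
    # A token copied from the merchant's server is useless elsewhere:
    results["other_merchant_payment"] = tsp.authorise(token, "flipkart", "maithili-phone")
    results["other_device_payment"] = tsp.authorise(token, "amazon", "unknown-laptop")
    tsp.delete_token(token)  # customer deregisters this merchant
    results["after_delete_payment"] = amazon.pay("maithili", "maithili-phone")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point worth noticing is where de-tokenisation happens: only inside the TSP's `authorise`, so a breach of the merchant's `card_on_file` dictionary yields tokens that cannot be replayed from another merchant or device, and nothing on that server reconstructs the card number.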

Why is the RBI enforcing Card on File Tokenisation?

The RBI says most customers save their sensitive card data for faster checkout, and many merchants force their customers to save debit or credit card credentials (Card on File). However, there have been instances where customer card credentials, i.e., Card on File, have been stolen by scammers from merchant servers.

In many jurisdictions, Additional Factor of Authentication (AFA), such as a One-Time Password (OTP) or Personal Identification Number (PIN), is not required for card payments. Hence, scammers can use stolen CoF data to make purchases. Such frauds can also take place in India through social engineering attacks.


Other Important Debit Card and Credit Card Rules Effective From 1st July 2022

Apart from tokenisation, there are several other guidelines issued by the Central Bank that need to be followed by card issuers from 1st July 2022:

  • According to new guidelines issued by the RBI, written consent will be required for all the credit card applications starting 1st July 2022.

  • As per the new rules, the credit card issuer must complete a credit card closure request within 7 days of receiving it, subject to payment of all dues by the cardholder. If the credit card issuer fails to complete the request in time, a late penalty of Rs 500 per day will be paid to the cardholder.

  • Credit card issuers shall ensure that loans offered through Credit cards are in compliance with the instructions on loans and advances issued by the RBI from time to time.

  • Credit card issuers are required to quote Annualised Percentage Rates (APR) on Credit cards for different situations such as retail purchases, balance transfers, cash advances, non-payment of the minimum amount due, late payment etc., if different. The method of calculation of APR shall be given with clear examples for better comprehension of the cardholders.

  • Credit card issuers shall mention the implications of paying only 'the minimum amount due' on the monthly billing statement.

  • If a credit card is not used for more than a year, the credit card issuer can close the credit card after informing the cardholder. In case of any available balance on the credit card, the issuer needs to transfer it to the cardholder's registered bank account.

  • If a cardholder receives a debit or credit card without having applied for it, the issuing bank will be penalised doubly.

  • Cardholders will be given a one-time option to change the credit card's billing cycle to their preference.

  • Any credit arising from a reversed transaction, refund, failed transaction or similar transaction before the payment due date, where the cardholder has not yet made payment, will be adjusted against the 'payment due' and reported to the cardholder.

  • Credit card issuers must obtain the cardholder's permission before adjusting, against the credit limit, credit amounts above a cut-off of one per cent of the credit limit or Rs 5,000 (whichever is lower) that arise from refunds, failed or reversed transactions or similar transactions for which the cardholder has already made payment. The permission must be requested via e-mail or SMS within seven days of the credit transaction.

  • As per the new rules, credit card issuers must ensure that bills are emailed promptly to the cardholders so that they have a sufficient number of days to pay before the interest is charged.

  • Credit card issuers cannot upgrade the credit cards and/or enhance the credit limits without the explicit consent of the cardholder.

  • If the transaction is disputed as fraud by the cardholder, the issuer cannot levy any charges on it until the dispute is resolved.


Warm Regards,
Ketki Jadhav
Content Writer
