In today’s Finshots, we explain the new regulations on debit and credit cards and how it impacts everybody in the ecosystem


Policy

The Story

A couple of days ago, I received a message from my bank that sounded a bit alarming. It made a mention of how all my card details stored across online portals will automatically be deleted by 1 January 2022. Basically implying that the next time I want to make an online payment using a debit or credit card, then I’ll have to reenter the details once again.

And it’s not just banks telling me this is going to happen. Even apps like Swiggy and Uber have been sending push notifications with a similar warning.

So, what’s happening here and why is everybody telling you the same thing?

Well, you’ll have to thank the RBI for that. Back in March 2020, the RBI wanted to beef up security. It didn’t think saving card details on merchant sites was necessarily a prudent thing to do. And considering we’ve had numerous reports of security breaches and card theft across these merchant websites, you could see where they were coming from. So, after a few tweaks and delays, the Reserve Bank of India finally asked all merchant websites to delete sensitive card details saved on their platforms by 31 December 2021.

How does this change things, you ask?

Well, to understand this bit, you’ll probably need a rundown on how things work right now. As it stands, most people have their card details saved on platforms because it’s a pain to enter the 16-digit card number every time. And once you do this, all you need is the 3-digit CVV and the OTP and you’re good to go. However, if you have the card details wiped out, then you’ll have to start afresh every time — Key in the 16 digits, enter your name, fill out the expiry date, CVV and the OTP each time you want to make a transaction.

It’s a logistical nightmare. And no, the RBI won’t ask you to renter your details every single time you make a transaction as 2022 beckons. Instead, you can opt to tokenize your card.

Think of it as a unique ID for each of your cards. It’s so unique that you will have a separate ID (token) for every merchant. Even if you’re using the same card. So if you rely on a debit card for all transactions across Zomato and Swiggy, for instance, you’ll get one token for Swiggy, and another token for Zomato. Also, the merchant won’t ever know the actual card number. Meaning, if they don’t know it themselves, then it’s extremely hard for malicious entities to get their hands on these sensitive details. It’s called card-on-file-tokenisation (CoFT).

So here’s what will happen when you hit the “buy” button on 1 January. The merchant will first ask you to enter your card details and check if you want to tokenise your card. If you opt to do so, the merchant will forward the details to your card network like Visa. The network then creates a unique token for your card and you can save the card on the website thanks to this identifier. After that, everything will be just like it used to be. You’ll have to input the CVV, the OTP and you’re done with the transaction.

It seems pretty simple and probably useful too. However, there are some short term concerns.

Take for instance the estimates of The Alliance of Digital India Foundation (ADIF). The think tank for digital startups formed by companies like Bharat Matrimony and Paytm believes that merchants could (temporarily?) lose anywhere between 20–40% of revenues if banks and card networks aren’t fully prepared for tokenisation,

Elsewhere, IT body Nasscom has pointed out another issue. Merchants need the first few digits of the card for identifying the card network, the card issuer, and the card type. This is how they process EMIs and refunds. If they can’t store data anymore, it could take longer to process these things. So it’s still not quite clear how these things will work in the tokenisation era.

Meaning, while this could be a godsend in many ways, we still may have to iron out a few things before the tokenisation gambit takes off in a massive way.

Until then…

Don't forget to share this article on WhatsApp, LinkedIn and Twitter

Also, at Finshots we have strived to keep the newsletter free for everyone. And we’ve managed to do it in large parts thanks to Ditto — our insurance advisory service where we simplify health and term insurance for the masses. So if you want to keep supporting us, please check out the website and maybe tell your friends about it too. It will go a long way in keeping the lights on here :)