On December 23, 2021, the Reserve Bank of India (RBI) extended the implementation of its new “tokenisation” system by six months, i.e., to June 30, 2022. Under this change, the RBI has brought in a regulation for online merchants and financial payments companies like Amazon, Netflix etc., asking them to delete the personal data of their customers that they have stored.
This is so that a new system of “tokenisation” can be brought about. This change has been brought about by the RBI to avoid the unauthorised transmission of data.
Although the major banking companies were willing and ready to switch to this change, the other stakeholders, such as merchants and online financial payments companies, did not accept it for a while.
They told the RBI that they were not yet ready to accept and adopt this change, and asked for more time to implement the new norm. That is why the RBI has put a stay on implementing the new rules for now.
In March 2020, the RBI came up with a plan to prevent data leaks and boost security. It issued a guideline asking merchants to delete the saved debit and credit card records of their customers.
It said that they are not allowed to save this information on their websites. In September 2021, the RBI issued fresh guidelines, reminding them again to comply with the regulations by the end of the year.
It offered them the option to use the method of tokenisation.
The major reason for bringing in such a change is to protect valuable personal data from being breached. India is not new to data breaches; it ranked second globally in data breaches in the year 2018.
India is one of the fastest-growing economies, where data breaches have become quite frequent in the last five years. India’s largest data breach in the banking sector occurred in October 2016.
That was when Hitachi Payment Services Pvt. Ltd. informed everyone about malware that affected approximately 3.2 million debit cards. They were not sure how much data was actually compromised.
The NPCI (National Payments Corporation of India) reported that this data breach caused a loss of approximately ₹13 million to the banking sector alone. In addition, in the year 2019, the credit and debit card records of nearly 13 lakh (1.3 million) people were sold on the dark web.
More recently, Air India also faced a security breach, where about 4.5 million customers’ personal data was leaked, on May 21, 2021.
Tokenisation is simply a process in which sensitive data is converted into an encrypted form, with the actual values replaced by token values.
These token values are unique identifiers that are generated through random data mechanisms. The token values do not possess any meaning or value on their own.
To date, whenever a customer uses their card (debit or credit) for a transaction, they have to fill in details like the 16-digit card number, the expiry month and year, and the CVV (card verification value), along with an OTP (one-time pin or password).
Customers have to enter these details each and every time they want to make a payment or a transaction. That is why, just for an expedited and easy transaction, customers usually store their card data on frequently used sites such as Amazon, Netflix, and many more.
So, here, the “tokenisation” system plays a key role. Once this regulation comes into effect, the customer, while paying, would need to give consent to the merchant to tokenise the card and they would have to approve transactions through CVV and OTP.
Through the tokenisation system, the card data entered by the customer will be replaced with some random token value, keeping all the data in encrypted form.
This data will not be stored by any online merchants or financial payments companies and will only be in the records of banks and card companies.
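
The flow described above, as an added example that is not part of the original article: a minimal sketch of a bank-side vault that hands a merchant a random token in place of the card number and approves payments only with CVV and OTP. The class name `CardVault`, the merchant ids, the test card number and the per-merchant scoping of tokens are assumptions made for this example.

```python
import secrets

class CardVault:
    """Stands in for the bank / card company: the only place card data lives."""

    def __init__(self):
        self._cards = {}   # token -> (card_number, expiry, merchant_id)
        self._issued = {}  # (card_number, merchant_id) -> token

    def tokenise(self, card_number, expiry, merchant_id, consent):
        # The customer must consent before a merchant may tokenise the card.
        if not consent:
            raise PermissionError("customer has not consented to tokenisation")
        key = (card_number, merchant_id)
        if key in self._issued:
            return self._issued[key]
        while True:
            # The token is random; it is not computed from the card number.
            token = f"{secrets.randbelow(10**16):016d}"
            if token != card_number and token not in self._cards:
                break
        self._cards[token] = (card_number, expiry, merchant_id)
        self._issued[key] = token
        return token

    def approve(self, token, merchant_id, cvv_ok, otp_ok):
        # cvv_ok / otp_ok stand in for the bank's own CVV and OTP checks.
        record = self._cards.get(token)
        if record is None or record[2] != merchant_id:
            return False  # unknown token, or token issued to another merchant
        return cvv_ok and otp_ok

def demo():
    vault = CardVault()
    card = "4111111111111111"  # constructed test number, not a real card
    # What each merchant keeps on file: a customer id and a token, no card data.
    shop_a = {"customer": "c-1001",
              "token": vault.tokenise(card, "12/27", "shop-a", consent=True)}
    shop_b = {"customer": "c-1001",
              "token": vault.tokenise(card, "12/27", "shop-b", consent=True)}
    return vault, card, shop_a, shop_b

if __name__ == "__main__":
    vault, card, shop_a, shop_b = demo()
    print("shop-a stores:", shop_a)
    print("shop-a pays:", vault.approve(shop_a["token"], "shop-a", True, True))
    print("token reused at shop-b:", vault.approve(shop_a["token"], "shop-b", True, True))
```

A copy of a merchant's stored record contains only the token, which the vault refuses when it is presented by a different merchant or without both CVV and OTP.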