RBI tweaks norms to ensure card data security


With the growth of technology, digital payments have risen dramatically during the pandemic. However, such improvements raise the risk of fraud and other security concerns.

To enable a strong and thriving payments ecosystem, RBI follows the motto of “safe, secure, simple, and fast” when it comes to digital payments.

Fraud and security have become a major concern as an increasing number of Indians go online and use digital payments as their primary method of transacting.

To make the payment environment safe for customers, the RBI has taken many steps to mitigate these risks. In addition, the RBI published a circular on September 7, 2021, stating that with effect from January 1, 2022, no entity in the card transaction or payment chain, other than card issuers and/or card networks, would be able to store the actual card data. Any previously stored data will be purged.

RBI added that, for transaction tracking or reconciliation purposes, entities can store limited data, such as the last four digits of the actual card number and the card issuer’s name, in line with the applicable standards.

Rameesh Kailasam, President and CEO of Indiatech.org, said that RBI has now extended tokenization to numerous electronic devices; it was previously limited to mobile phones and tablets. With this RBI circular, customers would no longer be required to enter card details for every transaction under the tokenization arrangement, while worries about the security of digital payments will be addressed as well.

Tokenization is the process of replacing a card’s original payment credential with an anonymous set of characters. Instead of a card number, an irreversible token reference is utilized, which is protected by an advanced algorithm and a matching expiry date.

However, some experts argue that one of the methods for limiting card-on-file storage, which effectively forbids merchants and payment aggregators from holding consumer card details beginning December 31, 2021, is excessive and disproportionate to these goals.

Gulshan Rai, the former National Cyber Security Coordinator in the Office of the Prime Minister of India, claimed that this law will not solve the entire (stated) purpose of data security for consumers and that a larger conversation is required. The consumer’s convenience must be prioritized above everything else. We need a solution that strikes a balance between the four principles of safety, simplicity, security, and speed (for overall convenience). Integrity, authenticity, non-repudiation, and data and asset security are critical, Rai said during a CII webcast.

He went on to explain that no system is completely secure, and questioned the need to overcomplicate things. When PCI DSS requirements are implemented and best practices are followed, fraud is decreased. These are the worldwide, multinational, and consistent standards. We cannot forge our own path. 

According to industry experts, India’s digital payments market would increase to more than 300 percent of its present size by 2025, thanks to a slew of encouraging initiatives like Digital India and the Digidhan Mission, as well as merchant digitization. 
