CIO Insider

Digital Payment Companies have a Temporary Plan until RBI Compliance

Keerthana Kantharaj | Wednesday, 1 December, 2021

The Reserve Bank of India’s (RBI) new directive is signalling a wave of declined transactions for customers of financial institutions, payment aggregators (PA) and payment gateways. The directive changes the way payments are processed in India: financial institutions and payment gateways are called on to obtain separate approval from consumers for auto-renewable transactions of about Rs. 5,000 ($67), through notifications, e-mandates and Additional Factors of Authentication (AFA). Those on the receiving end of the new directive are debit and credit card holders.

The purpose of the new directive is to serve as a risk mitigation and customer facilitation measure: issuers processing such transactions should send a pre-transaction notification to the concerned customer, by SMS or email, a day prior to the charge.

“As of January 1, 2022, no organization in the card transaction or payment chain should hold actual card data other than card issuers and card networks”, says RBI.

But what’s more concerning for firms like Google and PhonePe is that the new directive advises PAs and merchants not to store their customers' card credentials in their databases starting next year. Big tech companies and merchants in the financial space have not yet complied with RBI’s new directive but have implemented alternatives for their customers for the time being.

PhonePe launches Tokenization
PhonePe, a digital payment firm, has launched PhonePe SafeCard, a tokenization solution for online debit and credit card transactions. By allowing payment providers to save cards using tokens, PhonePe's SafeCard will make recurring payments convenient and secure. All major card networks, including Mastercard, Rupay, and Visa, are supported by this solution.

Merchant partners can create, process, delete, and modify tokens for online card payments with the consent of customers, according to the company. By eliminating the need to link with various card networks, merchant partners will save time and labor while also ensuring full compliance with RBI requirements.

“Crucially, PhonePe SafeCard ensures that the enhanced protection has no impact on the user experience at all. We're also working closely with our huge merchant base to get them on board with this platform”, says Ankit Gaur, Director, Online Business, PhonePe.

How Tokenization Can Make Safer Transactions
The RBI describes tokenization as the replacement of card details with an alternative code known as a 'token', which is unique for a combination of card, token requestor (the entity that accepts a customer's request for tokenization of a card and passes it on to the card network to issue a token), and device.

Not only does it lower the risk of fraud caused by sharing credit card information, it can also be used to make contactless card transactions and QR code payments at point-of-sale (PoS) terminals.

The RBI has set a timeline here as well: starting January 1, 2022, tokenization is extended to Card-on-File (CoF) transactions, and merchants, who used to keep card details, are advised not to maintain card details in their systems. In a CoF transaction, a cardholder authorizes a merchant to keep his or her Mastercard or Visa payment details and bill the stored account. Card information is frequently stored by e-commerce corporations, airlines, and supermarket chains.

To tokenize a card, the cardholder places a request through the token requestor's app. The token requestor sends the request to the card network, which, with the card issuer's permission, issues a token corresponding to the card, the token requestor, and the device.

According to the RBI, tokenization is now possible through mobile phones or tablets for all use cases and channels, including contactless card transactions, QR code payments, and apps.

Token Service Providers (TSPs) like Visa and Mastercard are already creating tokens and supplying them to mobile payment and e-commerce platforms, enabling them to use the tokens in place of customers' credit card information during transactions.

When customers submit their credit card information into a virtual wallet like Google Pay or PhonePe, these platforms request a token from one of these TSPs. The TSPs will initially ask the customer's bank to verify the information. A code is generated and transmitted to the user's device once the data has been confirmed. Once generated, the unique token is permanently attached to the customer's device and cannot be changed. As a result, whenever a customer uses their smartphone to make a payment, the platform will be able to authorize the transaction merely by sharing the token, rather than revealing the consumer's genuine details. Tokens can be created to protect payments in mobile wallets as well as physical and online retailers such as Amazon.

Tokens Can Help Track Transactions
According to the RBI, organizations can save limited data, such as the last four digits of the actual card number and the name of the card issuer, for transaction tracking and reconciliation in accordance with applicable standards. Authorized card networks maintain actual card data, tokens, and other essential elements in a secure mode. The token requestor cannot store the card number or any other card information. Card networks must additionally certify the token requestor's security in accordance with worldwide best practices or globally acknowledged standards.
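The model described above, as an added sketch that is not code from the RBI, PhonePe, Google or any card network: a toy vault issues one token per combination of card, token requestor and device, and the requestor keeps only the token, the last four digits and the issuer name. All class, function and identifier names are hypothetical, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Toy model of the card network's token service (hypothetical names)."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, requestor_id, device_id)
        self._by_binding = {}  # (pan, requestor_id, device_id) -> token

    def tokenize(self, pan, requestor_id, device_id, issuer_approves=True):
        # The network issues a token only with the card issuer's permission.
        if not issuer_approves:
            raise PermissionError("issuer declined tokenization")
        binding = (pan, requestor_id, device_id)
        if binding in self._by_binding:
            return self._by_binding[binding]
        while True:
            # Random digits: the token carries no information about the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def detokenize(self, token, requestor_id, device_id):
        # Only the vault maps a token back to the card, and only for the
        # requestor and device the token was issued to.
        pan, req, dev = self._by_token.get(token, (None, None, None))
        if pan is None or (req, dev) != (requestor_id, device_id):
            raise PermissionError("token not valid for this requestor/device")
        return pan

    def delete(self, token):
        # Removing a token leaves the card and its other tokens untouched.
        binding = self._by_token.pop(token, None)
        if binding:
            del self._by_binding[binding]


def requestor_record(token, pan_entered_once, issuer_name):
    """What a token requestor keeps: token, last four digits, issuer name."""
    return {"token": token, "last4": pan_entered_once[-4:], "issuer": issuer_name}


SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card
```

A token copied out of one requestor's database fails `detokenize` when presented by a different requestor or device, which is what limits the damage if a merchant's stored data is breached.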

Google will Save Card Details with Customer's Authorization
Google has advised consumers that it would no longer be able to keep customer card details such as card number and expiry date in the present format as of January 1, 2022. Since many users have a card number saved to their Google Work or Google Play accounts to make monthly payments for subscription-based services, the move is important.

Google, on the other hand, claims that customers can save card details in a way that complies with RBI requirements and keeps sensitive card details private with the user's permission.

According to Google, users will have to re-enter their card details and make at least one purchase or manual payment before the end of 2021 in order to continue making payments with the same Visa or Mastercard issued debit or credit card beyond December 31, 2021.

“If you don't do so, your card will disappear from your account and you'll have to re-enter your card data to use it again”, warns the tech giant.


