To make the recordkeeping process related to securities traded in the market more secure, Sebi has asked depositories to use distributed ledger technology — popularly called blockchain technology — to record and monitor credit ratings of nonconvertible debentures and creation of charges on these securities like pledges, among others.
The distributed ledger technology has the potential to provide a more resilient system than the traditional centralised databases, the markets regulator said in a statement. It offers better protection, it said.
Only card-issuing banks and card scheme operators, such as the National Payments Corporation of India, Visa and Mastercard, would be allowed to tokenise customer card data, the Reserve Bank of India is said to have indicated.
The central bank has clarified to the industry that none of the intermediaries, even licensed payment gateways and acquiring banks, would be allowed to store card data and offer tokenised files to merchants under the upcoming payment aggregator and payment gateway regulatory regime kicking in from 2022.
Under the new norms, every online merchant processing transactions for customers will only have access to a ‘tokenised’ key linked with the consumer’s cards instead of the entire card file. The meeting saw participation of members from industry pockets such as payments, banking and web-commerce.
The central bank has reiterated its stance that it only sees tokenisation as an alternative solution for merchants aiming to offer a one-click checkout facility to customers.
It has also been made clear that only card networks and issuing banks will be allowed to tokenise files corresponding to customer card details. Payment aggregators and merchants will have to devise systems to avail this tokenised link from their respective banks or networks.
Tokenisation is an encryption technology that enables card operators to mask the actual details of a debit or credit card by substituting them with a secure, unique digital token linked to a customer device.
Only this proxy token can be stored by merchants and aggregators to process payments and offer one-click checkouts. Merchants without access to tokenised links will have to ask customers to fill in the entire details of their card, including the 16-digit number, every time they make a payment.
The central bank’s insistence on strict card storage norms is on the back of several recent high-profile cyber attacks such as those on JusPay, Mobikwik, Big Basket, Air India and Upstox.
RBI is said to be firm on its stand on customer security where it doesn’t want entities that are not under its direct supervision to be storing card details of customers on servers.
While payment aggregators will be allowed to store card details for processing of redressals and chargebacks, the new rules will stipulate a fixed time within which this data will have to be deleted.
Industry forums, including the Payments Council of India, have suggested to the central bank alternative solutions beyond encryption through tokenisation — such as secure reference on files — to minimise customer inconvenience.
The RBI has extended the scope of tokenisation of card payments, hitherto limited to mobile phones, to all consumer devices — laptops, desktops, wearables like wristwatches & bands, and all Internet of Things devices.
Until now, RBI’s approval for tokenisation was limited to mobile phones and tablets. More devices would mean that customers can make contactless payments using their watches or do one-click payments from registered devices.
Allowing tokenisation on computers will enable users to make one-click payments after registration. It will also do away with the need to send card data over networks.