The Reserve Bank of India has issued critical new policies to prevent online merchants, payment partners and e-commerce sites from storing customer debit and credit card information. The apex body has commissioned companies to develop a strategy for digital payment products and services with their board of directors’ approval.
What are the targeted new RBI guidelines?
When formulating the parameters of a “new product”, the central bank has said that attention should be paid to the general business strategy, the risks inherent in the product and its consistency with the regulations. In the new directive overview, payment security requirements are explicitly discussed in terms of functionality, security, and performance (FSP).
The considered angles include:
Checking the necessary measures to protect the confidentiality of customers’, data integrity and processes related to the digital products/services provided,
Availability of the necessary infrastructure with the required support of personnel, technology, etc., and
Ensuring that payment products are built securely with high performance, security and stability, and are implemented after completing the necessary FSP tests.
In short, this means that a company cannot store customer’s card data on its servers and data centres. They need to take other data security precautions and avoid data breaches. This also means that whenever customers want to complete an online transaction, they need to remember their card details or have the particulars ready to enter every time. The new rule will take effect from July 2021.
While many believe that large financial institutions may not be able to locate all of the data in the payments sector except customer cards and related data, not keeping logs will make doing business more difficult.
Why are new RBI guidelines being issued?
These changes are made because customers complained to the Reserve Bank about fraudulent online transactions and disagreements with merchants’ e-payment services.
As a result, the regulator has released new rules for online retailers, e-commerce sites and payment plug-ins, all from Amazon and Flipkart to Google Pay, Paytm and Netflix, which cannot archive customer card details.
The central bank said the purpose of preventing data transfer from third-party memory cards is to reduce the additional risk of financial fraud and theft.
New RBI guidelines pose challenges for businesses
After the RBI announcement, businesses are worried that without the card details, they will not be able to provide specific benefits, such as customer complaints or dispute resolution, delivery customer service and timely return requests.
New rules might also affect the risk of fraud. Since merchants would no longer be able to use internal input methods to protect card data, this could compromise RBI’s goal of creating a more secure electronic payment system.
How can businesses cope up?
The trade association and support group NASSCOM suggested that the RBI’s developed framework for card data storage should include security measures, reporting requirements, and internal management mechanisms rather than restricting debit and credit card data storage.
Businesses that use merchant accounts to process credit card transactions can use specific methods to protect customers’ credit card information.
Using only authorised service providers
Businesses should use a service provider to process and store credit card bills and service providers, including online SaaS providers. These service providers will need to undergo extensive testing to make sure they are worthy of trust.
Never saving electronic tracking data or card security number in any format
Although credit card information is stored for business purposes, this processing policy specifically prohibits card security codes or “data records” on the back of a credit card’s magnetic security bar.
Making sure the online storage of the credit card account is encrypted and the storage of the card is secure
There are circumstances where a business needs to store credit card numbers to keep, for example, proof of written authorisations for mail-order payments or recurring payment authorisations. If paper documents that contain credit card numbers are saved, it must be ensured that they are always locked in a secure place when not in use.
Whether the RBI’s new master directions will make payments more secure or not, they will undoubtedly make things more tedious. But ultimately, it remains incumbent on the RBI decision-makers to make things work for the people in a hassle-free and safe manner.