What is the process and who is affected?

E-commerce companies such as Amazon and Flipkart, and all online delivery platforms such as Zomato and Swiggy, will not be able to save your credit/debit card details on their servers under new guidelines from the RBI, which come into force from July 1, 2022.
This comes after RBI’s automatic debit policy, which took effect in October, restricting all automatic recurring payment services, including utility bills, phone top-ups, DTH, and even OTT services like Netflix and Amazon Prime, among others.
Now the central bank has mandated all merchants to use encrypted tokens to transact. In just a few short months, paying by credit or debit card on e-commerce sites will likely be very different, sending you through new hoops to pay. Here we explain what the mandate means to you.
What does RBI say?
RBI wants all merchants and e-commerce companies to delete all their customers’ saved card information available on their servers and push for the adoption of card-on-file (CoF) tokenization as an alternative to card storage. It applies to domestic online purchases.
According to the central bank, all merchants must use encrypted tokens for transactions, and this should be achieved through tokenization.
For the uninitiated, tokenization refers to replacing credit and debit card details with an alternate code called a “token.” For example, if a credit/debit card is used at a point of sale (POS) or in an e-commerce marketplace, the card number is transferred to the tokenization system, which generates 16 random characters, also called a “token”, to replace the original card number. The system then returns the new 16 random characters to the e-commerce site, which stores them in place of the customer’s card number.
For example, the card number (example): 1234 5678 1234 5678, will be replaced by the token number say (just an example) 4321 1234 5678 1234. This number is a unique combination of card, token requester (the entity which accepts a request from the customer for the tokenization of a card and forwards it to the card network to issue a token) and the device, according to the RBI.
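The flow described above, as a small runnable sketch added here for illustration (it is not RBI's or any card network's code). The TokenVault class, the requester and device identifiers, and the rule that the same card, requester and device always map to the same token are assumptions made for the example.

```python
import secrets

class TokenVault:
    """Toy stand-in for the tokenization system (hypothetical, illustration only)."""

    def __init__(self):
        self._by_binding = {}  # (card number, requester, device) -> token
        self._by_token = {}    # token -> (card number, requester, device)

    def tokenize(self, pan, requester_id, device_id):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        binding = (pan, requester_id, device_id)
        if binding in self._by_binding:      # same combination, same token
            return self._by_binding[binding]
        while True:                          # draw 16 random digits, avoid collisions
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_binding[binding] = token
        self._by_token[token] = binding
        return token

    def detokenize(self, token, requester_id, device_id):
        """Return the card number only to the requester and device the token is bound to."""
        binding = self._by_token.get(token)
        if binding is None:
            raise KeyError("unknown token")
        pan, bound_requester, bound_device = binding
        if (requester_id, device_id) != (bound_requester, bound_device):
            raise PermissionError("token is not valid for this requester/device")
        return pan

def merchant_record(vault, customer, pan, requester_id, device_id):
    """What the merchant keeps on its servers: the token, never the card number."""
    return {"customer": customer,
            "card_token": vault.tokenize(pan, requester_id, device_id)}

if __name__ == "__main__":
    vault = TokenVault()
    card = "1234 5678 1234 5678"             # the article's example number
    a = merchant_record(vault, "customer-42", card, "merchant-a", "phone-1")
    b = merchant_record(vault, "customer-42", card, "merchant-b", "phone-1")
    print(a["card_token"], b["card_token"])  # two different tokens for one card
```

A token copied out of one merchant's database is useless when presented by a different requester or device, which is the fraud-reduction property the article refers to.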
It should be noted that tokenization has been around for some time as a way to separate data in ecosystems and databases. This reduces the risk of fraud resulting from the sharing of card details. Interestingly, tokenization is already being used to perform contactless card transactions at point of sale (PoS) terminals and QR code payments.
RBI’s mandate made it clear that merchants and businesses will need to remove this information from their databases and replace it with tokenization, which will replace card details with tokens.
Each card user will have to tokenize the card with a merchant or service provider by launching a request on the application provided by the token requester.
What are the new standards?
According to the rules, card service providers must notify customers five days before the payment date. The debit will only be authorized after payment has been approved by the customer.
Each user who opts for automatic payments will receive a notification five days before which will include the name of the merchant, the amount, the due date, the reference number, followed by a link to a page that will allow you to view, modify or cancel payment.
Users will have the option to opt out of the transaction or mandate via the link. However, if you choose to ignore the notification, the transaction will not be completed. It should be noted that this is only for recurring payments below Rs 5,000.
For recurring payments over Rs 5,000, the new mandate requires banks to send a one-time password (OTP) to customers. And for all subsequent transactions within this threshold, the bank will also have to send a pre-debit notification five days before the scheduled debit. The debit will only be authorized after payment has been approved by the customer.
Meanwhile, automatic debits registered for mutual funds, SIPs, and equated monthly installments (EMIs) for loans will not be impacted by these new rules.
Impact on customers
At least 5 million customers, who have stored their card details for online transactions, could be affected if online merchants are unable to implement the changes in their backend. Merchants, banks, card providers and payment gateways said there was not enough time to make the backend changes required by the measure, which was announced in September to protect cardholders from fraud.
E-commerce platforms, online service providers and small traders could be particularly affected. Now, with the latest expansion, the RBI expects the systems to be ready for a seamless launch in six months.
Additionally, 90% of banks are token-ready on the Visa platform, but Mastercard has yet to catch up. The RBI had banned Mastercard from issuing new cards on July 14 this year for failing to meet data localization requirements. Even though the conversion from CoF to tokenized numbers is underway, the system is not yet able to process tokens because merchants are not ready on their end.
“If implemented in the current state of readiness, the RBI’s new mandate could lead to major disruption and loss of revenue, especially for traders,” said the Alliance of Digital India Foundation (ADIF) in a joint letter to the RBI.