Don’t miss the latest developments in business and finance.

Tokenisation to interest rates: All about RBI's new credit card rules

OTP-based consent requirement for delayed activation will safeguard users against false applications, unwanted cards

Credit card, security, cyber security
Photo: Shutterstock
Bindisha Sarang Mumbai
6 min read Last Updated : Oct 02 2022 | 8:23 PM IST
The Reserve Bank of India’s (RBI) new rules for credit and debit cards came into effect from October 1. These include tokenisation, one-time password (OTP) for activation after 30 days, written permission for enhancement of credit limit, and greater clarity on interest calculation.

Tokenisation for greater security

Tokenisation means replacing actual card details (such as the 16-digit card number, expiry date, etc) in digital transactions with an alternative code called the token. Merchant sites store customers’ card data so that the latter don’t have to input these details every time they transact. But this comes with the risk of merchants’ sites being hacked and data getting stolen.

Tokens protect customers by substituting their data with a series of algorithmically generated numbers and alphabets. “The payee’s sensitive data is masked and assigned a token,” says Gurjodhpal Singh, chief executive officer (CEO), Tide India, which helps merchants adopt digital payment systems.

According to RBI guidelines, entities involved in card transactions (other than card issuers and card networks) can’t store any card-related customer information from October 1. The user will, therefore, have to tokenise his card with the merchants he uses to continue to enjoy a swift transaction experience.

Tokenisation, however, is not mandatory. “A user who chooses not to tokenise his card will have to input his card details for every transaction,” says Raj Khosla, founder and managing director (MD), MyMoneyMantra, an online financial marketplace.

Most equated monthly instalments (EMIs) and systematic investment plans (SIPs) are linked to bank accounts and won’t be impacted. But in the case of customers who make these payments via cards, they won’t go through without tokenisation.

This initiative will usher in greater security. “It will reduce the misuse of actual cardholder information as the dealer or merchant will only have access to a proxy of the card details rather than the cardholder’s real data,” says Avinash Godkhindi, MD and CEO, Zaggle, a fin tech company. Frauds arising from stealing of card data are expected to decline over the long term.  

However, customers must not let their guard down even after they begin to use card tokens. “Tokenisation won’t eliminate all security risks though it will reduce the potential for data breach significantly, especially from third-party sites and apps,” says Adhil Shetty, CEO, Bankbazaar.  

Customers will have to request the card issuer for de-tokenisation (cancellation of the token) when they wish to unsubscribe from an app. Says Gaurav Chopra, founder and CEO, IndiaLends, an online provider of financial products, “Make sure you understand the process of de-tokenisation when tokenising your card.”

OTP for delayed activation

A new RBI rule says if a person hasn’t activated a card for more than 30 days following the date of issuance, the issuer must obtain OTP (one time password)-based consent to activate it.

If a customer rejects the request to activate a card, the issuer must cancel the account within seven working days without levying a charge. “This directive will protect customers from falling victim to fake applications,” says Chopra.

If a card that a customer did not need was hard sold to him, he will now have an additional opportunity to get rid of it. “This rule will protect cardholders from unnecessary fees and charges on unactivated cards,” says Sachin Vasudeva, director and head of cards, Paisabazaar.

Note that even if you activate a card within the stipulated time limit, it won’t remain active unless you use it regularly. According to an RBI master circular, cards that have not been used for more than one year had to be deactivated in August 2022. As these norms took effect, the number of active credit cards dropped by 2.3 million in August. Hence, use all your cards occasionally to avoid deactivation.

Written permission for limit enhancement From October 1, credit card issuers can’t increase the credit limit without written permission from the customer.

Banks determine credit limits through underwriting, a process that includes considering factors such as income level, credit score, debt-to-income ratio, and history of credit card payments. They revise these limits from time to time.

Customers must stick to credit limits that are commensurate with their repayment capacity. “Giving customers the option to decide if they want their credit limit enhanced means they can now control access to the amount of credit they would like to have. A higher credit limit can act as an incentive to spend more. Especially when there are add-on cards, tracking expenses becomes difficult,” says Shetty. 

The combined burden of a higher-than-expected debt, interest, and penalties can lead to a debt trap.

At the same time, it may be necessary to enhance the credit limit as usage grows. It is prudent to not use more than 40 per cent of the credit limit on a card, or else you will be deemed to be credit hungry and your credit score could get affected.

Transparency in interest calculation

The terms and conditions for paying credit card dues, which include the minimum amount due, must be specified. According to the RBI, unpaid levies, taxes, and other fees “shall not be capitalised for the purpose of charging or compounding interest”. 
Says Vasudeva: “Currently, all these levies are also capitalised for compounding of interest so the dues may increase even if the cardholder pays the minimum due, as the payment made would not be enough to cover interest and other levies.”

Understanding how a credit card works can help customers avoid a debt trap. “A clear example that illustrates how interest and penalties are calculated will help users understand the exact impact of a default,” says Shetty.

Tokenising your card is simple
  • When you make a purchase on an e-commerce platform, at the time of checkout you will see an option to ‘secure your card according to RBI guidelines’ 
  • When you opt for it, your card will be tokenised and a secure code will be stored in the merchant’s database in place of your card details 
  • If you don’t opt for it, you will have to enter all your card details every time you transact on the website 
  • Tokens needed to be generated once on every merchant website   
  • But you don’t need to remember these codes as they will be stored on the platform
Source: PaisaBazaar

Topics :Credit cardsRBIFinancial planningDebit cards