According to the recent RBI guidelines on Card Tokenisation, Payment Aggregators (PAs) / Payment Gateways (PGs) and businesses cannot save their customers' card numbers and other card data on their servers.
Given below are some of the key takeaways from the guidelines:
- Card networks and card issuers are the only parties that can now store plain-text card details. Businesses, Payment Gateways and Payment Aggregators are no longer allowed to store actual customer card details.
- To continue offering customers a 'saved card experience', businesses should adopt a tokenisation solution.
- The token will not be visible to the cardholder. It will be managed between the Token Requestor and Network.
- Customer consent and an additional factor of authentication (AFA) are required for saving a card / creating a token. This can be clubbed with the same 2FA used during the first transaction.