Indian online merchants cannot store credit card information from 2022

This is actually a good thing. Think of it like Apple&#x27;s email masking service - Merchants can only store a tokenized version of your credit card instead of the real card details. I say this is a good thing after having worked with many E-Commerce shops in India as a consultant. Most of them barely know a thing about security, let alone about PCI DSS compliance.<p>I have worked with shops that stored the entire credit card number in PLAIN TEXT!. Not just credit cards, even their users&#x27; passwords. This also explains why many of them got and still get hacked from time to time. Even credit card processors got hacked due to this. Lot of shitty ones in the Indian market actually.<p>The root cause of this, not to cause language flame wars here, but is most of the shops use script kiddos with just basic PHP knowledge. Bare minimum, they&#x27;re recent fresh college grads who just know how to consume data from a form using PHP using GET and POST, that&#x27;s it. Most of the code I&#x27;ve worked with just consumes this directly instead of stripping&#x2F;processing it and end up introducing SQL injection attacks. Atleast, if they used a framework, this would be provided by default for free, but many of the developers hardly know about even MVC.<p>(As an aside) - As a personal mission, I started touring around the country teaching college kids for free about basics of web development, security, etc. But, still, I have a long way to go.<p>Well folks, that&#x27;s it for today&#x27;s note on why this was a good move. Have a nice day!<p>Edit: Some of the recent hacks that were not made public widescale like they should&#x27;ve been:<p>1. Domino&#x27;s Pizza India (Yes, the international pizza chain)<p>2. BigBasket (Largest online grocery ordering App)<p>3. PayTm (One of the largest, if not the largest digital payments app in India)

The real story is far less sensationalist than the title on HN, &quot;Indian online merchants cannot store credit card information from 2022&quot;.<p>Reading through the actual notification titled &quot;Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services&quot;, it is clear that the directive is a well deserved push away from Card on File (CoF) where the actual card details are stored by merchants, towards CoFT which is a lot less vulnerable. In fact this is exactly what Apple Pay, Google Pay, and several others are already doing worldwide.

Kudos to Indian govt, this should be the default for any e-commerce websites. I have to resort to PayPal to avoid my credit card being stored in the e-commerce merchant sites but some of sites do not support PayPal. It seems that Amazon somehow would not even allow me to delete my old and expired credit card from my account.

Is the RBI deliberately trying to handicap credit cards in India? The decision to make recurring payments impossible, followed by having to enter card information every time I do an online transaction is making for a very frustrating experience.<p>The justification for these decisions is always &quot;consumer interest&quot; but how is making consumers jump through hoops to do transact online in consumer interest? I wish the industry was more co-ordinated in lobbying against these crazy policies<p>Edit: A couple of replies below that say they don&#x27;t mind authorizing subscriptions&#x2F;recurring charges every time. I respect that view but I think people underestimate how much friction it adds if a business needs to ask your for permission every time to renew. Consumers are forgetful. They may not be available to authorize a payment when it&#x27;s time to renew. Subscriptions reduce transaction costs, give businesses a predictable stream of income and allow consumers continued access to services without having to remember to renew it.<p>If you don&#x27;t believe me, just look at the data and anecdotes posted by tech journalists and software devs on twitter - it&#x27;s a shitshow.<p>If a businesses make cancellation hard, the right policy would have been to allow consumers to &quot;stop&quot; charge from the card issuer&#x27;s website or app - not ask consumers to approve a charge everytime it happens.

Something I learned in college - not all countries have the same laws as the US where it&#x27;s easy to dispute a charge and the burden of proof is with the merchant.<p>If India is one of those places where the burden of proof is on the customer, and it&#x27;s difficult to dispute charges, it makes sense to tokenize things.

I see the US Model as &quot;Optimistic&quot;. Let the transactions through and fight back fraud with a strong chargeback mechanism.<p>Whereas the Indian Model is &quot;Pessimistic&quot;. Put in as much checks as possible to reduce the rate of fraud before the transaction has even completed.<p>Thoughts?

Great, I&#x27;d also like if the merchants were forced to not message via WhatsApp; From couriers to securities every business in India expects that you have WhatsApp and are willing to communicate with them through it.

So, in the early days of online retail, I built shopping carts that stored credit card numbers in the business&#x27;s database and connected directly with a credit card gateway (not a provider like Stripe). By around 2006 it became clear that this was insanely dangerous to do. Every merchant could not be storing a database of their customers&#x27; credit card numbers. I don&#x27;t know if it&#x27;s actually illegal to do online card processing this way in the US now, but no card company would work with you if you did.<p>So my takeaway from this is that, the fact that card companies are still accepting &quot;card not present&quot; style transactions from online retailers in India means they have been willing up to this point to tolerate a large amount of fraud and hacking in order to tap the market. The logical next step for them is to limit the number of data sources storing the card numbers and customer data themselves. Whether this comes in the form of a government decree or the slow moving of the card companies away from accepting these kinds of transactions, the change is inevitable. Local hosting and locally managed databases are no place for credit card numbers to be stored.

The sooner we move everything to one-time tokens (apart from subscriptions) the better. It&#x27;s absolutely a ridiculous security model we have in place at the moment. I pay absolutely everything I can with Apple Pay now. I also would like to be able to use one-time disposable cards (without an additional fee) in Europe (ala privacy.com) but I have yet to find such a service.

I&#x27;m interested to know what level of &quot;cannot store&quot; the info is implemented? Or is it mediated by a 3rd party company &#x2F; algorithm that sanitizes the data but to a certain amount that some association can still be done?<p>For example, can the customer&#x27;s credit card be anonymized but still tracked to know that the same credit card is used on 2 different transactions, for example?<p>E.g. if I wanted to give the customer only 1 special offer per credit card number, is that possible for the retailer to tell? Or is it even more sanitized such that every single transaction gets a different hashing?<p>How do refunds get issued if the number can&#x27;t be stored and presumably you don&#x27;t want the retailer to have the backwards decoding to be possible?

I always enter my card details (unless direct bank transfer is available, which is becoming pretty popular lyckily).<p>But I never found the idea that a saved credit card number (23 digits) would make a shopping experience so much convenient than having to enter it. A typical checkout still has me entering my address, choosing between 5 different delivery options, agreeing to various terms and so on. The payment step is just a minor step along the way.<p>I wonder if this entering of payment info is feeling more inconvenient to people who have become used to not having to do it, for example because they have used Amazon (I still never ordered anything there because they don&#x27;t have a functioning operation where I live).

Disclosure: I work for a fintech in India, specialized in card payment.<p>It seems here people see this rule as &quot;merchants can&#x27;t store card numbers any more&quot;. This is actually a lot more than that, this is the new rule: you cannot store card numbers for recurring payment. Even if you are PCI-DSS compliant. Even if you are audited by the RBI. Even if you&#x27;re sponsored by a bank. The only way to store a Visa number is to use the Visa tokenization service.<p>Now if you know a bit of the card payment industry, you will know that you <i>need</i> the card number just to process the payment, the refund, etc. So you still have to store the card number. And you can. You just can&#x27;t use it for recurring payment any more.<p>My personal take: Giving full control to Visa and Mastercard over their card numbers for recurring payment seems to be a nice transfer of power to these two giants. But the time scale has been very short (a few months only). So practically, most recurring card payments will stop working or be illegal in two weeks. This is will more or less break existing subscriptions working with cards.<p>India (the RBI at least) has been in a campaign for independence in the payment infrastructure. American Express[0], Diners[1], Mastercard[2] have been banned in India. Diners&#x27; ban has been lifted now, but still. Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having <i>ZERO</i> MDR on debit transactions[4].<p>This change is not for the sake of security. You can have the best firewalls, cutting-edge HSM, security team and pass 12 audits a year. You will be allowed to save these card numbers but you won&#x27;t be able to authorized to use it for recurring payments. This is just a move against cards, and to promote UPI instead. By making recurring card payment a hindrance, more people will transition to UPI.<p>[0] <a href="https:&#x2F;&#x2F;www.americanexpress.com&#x2F;en-in&#x2F;company&#x2F;notice&#x2F;rbi-important-update&#x2F;index.html" rel="nofollow">https:&#x2F;&#x2F;www.americanexpress.com&#x2F;en-in&#x2F;company&#x2F;notice&#x2F;rbi-imp...</a> [1] <a href="https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;india-banking-american-express&#x2F;rbi-bans-amex-diners-club-from-issuing-new-cards-for-violating-data-rules-idINKBN2CA26T" rel="nofollow">https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;india-banking-american-expre...</a> [2] <a href="https:&#x2F;&#x2F;westfaironline.com&#x2F;138440&#x2F;mastercard-banned-from-new-card-issuances-in-india&#x2F;" rel="nofollow">https:&#x2F;&#x2F;westfaironline.com&#x2F;138440&#x2F;mastercard-banned-from-new...</a> [3] <a href="https:&#x2F;&#x2F;www.npci.org.in&#x2F;PDF&#x2F;npci&#x2F;statics&#x2F;RETAIL-PAYMENTS-STATISTICS-Nov-21.xlsx" rel="nofollow">https:&#x2F;&#x2F;www.npci.org.in&#x2F;PDF&#x2F;npci&#x2F;statics&#x2F;RETAIL-PAYMENTS-STA...</a> [4] <a href="https:&#x2F;&#x2F;economictimes.indiatimes.com&#x2F;opinion&#x2F;et-editorial&#x2F;stop-discrimination-against-rupay&#x2F;articleshow&#x2F;87724175.cms?from=mdr" rel="nofollow">https:&#x2F;&#x2F;economictimes.indiatimes.com&#x2F;opinion&#x2F;et-editorial&#x2F;st...</a>

How would recurring transactions or metered billing work? Does this only apply to merchants or providers that are not PCI-DSS compliant and cannot safely store cardholder data?

I found the approach of disposable virtual card numbers (Visa and Mastercard) that Revolut is giving to each app owner for free is amazing. This number (always different) can be autopopulated from a browser plugin during checkout from the PC and has a very smooth user experience. I don&#x27;t need to take a card out of my wallet or open the smartphone app to do this. I am happy and regulator is happy too, in this case.

Pardon me if I’m incorrect, but isn’t this like one of the best use cases of Stripe? Stripe usually takes care of CC&#x2F;ACH information and tokenizes it, only passing the tokens to the merchant instead of the merchant having to store the CC information. Maybe this would be a good way to start a payments company boom in India?

Sounds prudent, but can the government actually enforce this? How?

Convenience Vs security. All in all, looks like a good thing