What you must know about auto debits and card data storage

The new rules for auto card debits will go live from 01st October 2021 and the modified rules for card data storage will be effective from 01st January 2022. Both these rules were postponed by 6 months previously.

Sep 24, 2021 08:09 IST India Infoline News Service

The Indian payment ecosystem is likely to see major changes in terms of safety and security. The new rules for auto card debits will go live from 01st October 2021 and the modified rules for card data storage will be effective from 01st January 2022. Both these rules were postponed by 6 months previously. Here is what they mean for digital payments.

What is the gist of the new auto-debit rules that will go live on 01-Oct?

The new rules of RBI pertaining to auto debits will go live from next month. All recurring transactions involving auto debits to your debit cards, credit cards, UPI or other prepaid instruments like wallets will require additional factor authentication (AFA). This AFA will be done via OTP sent to your registered email or SMS to your registered mobile.

Will the new auto debit rules apply to fresh mandates from Oct-21 or to existing mandates also?

The new rules will apply to both. In the case of fresh mandates, the additional factor authentication or AFA has to be done at the time of registering the mandate itself. You cannot register the mandate without the AFA. It will be a one-time registration for AFA and it will only apply to transactions where the regular auto debit is Rs5,000 and above. For amounts below Rs5,000, the AFA is anyways not required.

In the case of existing mandates of auto debits on your credit cards, debit cards or UPI; they will become void from 01-Oct 2021, if the auto debit amount at any point of time is above Rs5,000, the mandate would be automatically rejected. Your debit card / credit card issuer must have already sent you a link or asked you to do the AFA on the website. Once you do that and authenticate with the OTP received by SMS or email, your account is authenticated. It will continue uninterrupted after that.

I have given auto debits to my bank for mutual fund SIPs and my home loan EMI. Will these also get rejected after 01-Oct?

The auto debit rules only apply to credit cards, debit cards, UPI and PPIs. They do not apply to debit mandates given to the bank. Normally, bank auto debits are done through a process called ECS or Electronic Clearing Service. This is outside the purview of auto debit rules and hence your home loan EMIs and SIP debits will continue as usual.

I have OTT subscription for Amazon Prime and dollar subscription for the Economist and Fortune magazines. Will these also be impacted by the new auto debit rules?

Yes, it will. The new auto debit rules will apply to all credit card, debit card, UPI and PPI transactions; both domestic and international. In your case, even your international transactions will require additional factor authentication. While there is no clarity on the cut-off in this case, it is assumed that in case of international transactions, all auto debit standing instructions will require AFA.

Suppose I register a standing instruction mandate on my credit card with AFA, can I modify this mandate subsequently?

You absolutely can. In fact, all Standing Instructions set up on your credit card and debit card, be it domestic or international can be modified or even cancelled. However, modification or deletion of such mandates will also have to be authenticated using additional factor authentication (AFA).

The new rules go a step further. It stipulates that any pre-debit standing instruction on the debit card / credit card must be notified to the customer between 1 day and 5 days in advance. This pre-debit notification must also contain the facility to opt out of the transaction through the link provided in the notification itself.

Can I set an upper limit for my auto debit transaction?

That is also possible and is relevant in case of payments like electricity bills which can, at times, be higher than what you expect. You can set upper limits and if the upper limit is breached then the bank will send you a pre-debit notification. You will have to authenticate and approve the transaction using AFA.

Will I have to authenticate each time my recurring debits are above Rs5,000?

That will not be required. While processing the first transaction in e-mandate based recurring transaction series, AFA validation will be mandatory. Subsequent recurring transactions can be done without AFA only for those cards successfully registered and for which the first transaction was successfully authenticated with AFA. In such cases, subsequent transactions may be performed without AFA.

What are the new data storage rules of RBI and how does it impact me?

If you have used your debit card / credit card on any website, it would give you the option to store card information. This makes it easy for you transact next time as only the CVV is required and all other data is stored. From 01-Jan, merchants cannot store card data.

That means; for every transaction online, you must enter all card details while transacting. However, one way out is the tokenization method offered by RBI. Here, the data can be stored as dummy tokens before sending it over the internet. It may a tad cumbersome, but it is a small price for greater card security. These rules are effective from 01-Junuary 2022.

Related Story

Open Free Demat Account (Rs699)