With effect from October 1, no entity other than the card issuers or card networks shall store CoF data, and any such data stored previously shall be purged: RBI.
The central bank has allowed merchant and payment aggregator to save the CoF data for a maximum period of four days from the transaction date or till the settlement date
The RBI also warned concerned stakeholders of appropriate penal action including business restrictions for non-compliance with the norms
The Reserve Bank of India (RBI) on Thursday (July 28) allowed acquiring banks to store Card-on-File (CoF) data till January 31, 2023 after a review of the issues around card tokenisation.
“For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023,” the RBI said in a notification.
Acquiring banks are financial institutions that have the authorisation to process a transaction. Essentially, big merchants such as ecommerce firms, need to tie-up with these acquiring banks to process credit and debit card transactions.
However, the central bank stuck to its previous order, directing all stakeholders, except card issuers and card networks, to purge all card-on-file (CoF) data by October 1.
“In terms of the above circulars, with effect from October 1, 2022, no entity in the card transaction/payment chain, other than the card issuers and / or card networks, shall store CoF data, and any such data stored previously shall be purged,” the notification said.
Last month, the central bank had extended the card tokenisation and card storage deadline till September 30.
Giving some respite to card issuers and card networks, the central bank also announced interim measures to ease the transition to an alternate system for guest checkout transactions.
Besides the card issuer and the card network, the merchant or its payment aggregator (PA) involved in settlement of such transactions can save the CoF data for a maximum period of four days from the transaction date or till the settlement date, whichever is earlier, the RBI said.
The central bank further added that this data shall be used only for settlement of the transactions and must be purged thereafter.
The orders were issued under Section 10(2) and Section 18 of the Payment and Settlement Systems Act, 2007.
The RBI also warned concerned stakeholders of appropriate penal action, including business restrictions, for non-compliance with the norms.
The central bank refused to further defer the implementation as it has thrice already postponed the implementation of guidelines for card transactions.
Card Tokenisation
Tokenisation refers to masking of card details with a unique code to hide the actual card information from merchants. The tokens are issued by card networks such as Visa, MasterCard, RuPay.
As part of the guidelines, payment aggregators, merchants and payment gateways are mandated by law to purge the customer card data stored with them.
While some fintech players such as Google, PhonePe and RazorPay have switched to token-based transactions, many still claim to not be ready for the transition. Many big merchants are wary of implementing the norms fearing a disruption in customer experience and adverse impact on companies whose clients have not yet moved to tokenisation.
In view of this, the RBI had extended the deadline to September 30 and had directed the industry stakeholders to use the extension period to beef up their systems to handle such transactions and to implement an alternate mechanism to handle all post-transaction activities.
So far, about 19.5 Cr card tokens have been issued in the country so far.
![Read more about the article [Funding alert] Edtech firm iNurture raises $15M to propel growth](https://blog.digitalsevaa.com/wp-content/uploads/2022/05/Imagezod0-1595322457454-300x150.jpg)
