The Reserve Bank of India (RBI) has extended the deadline for authorised non-bank payment aggregators and merchants on-boarded by them to store Card-on-File (CoF) data from December 31, 2021, to June 30, 2022, according to a notification issued by the central bank on Thursday.
In September this year, the RBI extended authorised card networks to offer their card-tokenisation facility — from mobile phones and tablets to laptops, desktops, wearables (wrist watches, bands), and internet of things (IoT) devices.
In March 2020, the central bank barred non-bank payment aggregators (like ecommerce companies and online aggregators) from storing customer-card credentials in their database or the server accessed by the merchant.
The September 2021 notification allowed non-bank payment aggregators to tokenise credit- or debit card details. In effect, a Flipkart, Amazon, Uber or any online company operating in India could create tokens to make transactions seamless for users.
“Ecommerce companies can no longer store card data,” a lawyer of an a multinational ecommerce company told YourStory, requesting anonymity. “And if somebody is not storing card data, the user experience of a transaction is not seamless.”
When ecommerce companies can’t store card data, a customer’s purchase experience gets affected, especially in several parts of the country with data-connectivity issues and transactions get dropped.
“For each transaction, a user would have had to re-type the 16-digit card data, input the expiry date, CVV, and then the OTP (one-time password) for it to be complete,” he explained.
CoF tokenisation allows online companies to create tokens so that users don’t have to input the card data for each transaction. These tokens can be stored with the companies, and becomes the reference point for subsequent transactions to go through seamlessly.
From a tech point of view, all online aggregators and ecommerce companies in India have to adopt the tokenisation framework.
The RBI had given a deadline of December 31, 2021, for entities in the card transaction or payment chain, other than the card issuers and/or card networks, to store the actual card data.
“For transaction tracking and/or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards,” stated the RBI notification dated September 7, 2021.
It also placed the responsibility of complete and ongoing compliance with all entities involved on the card networks.
This deadline for CoF tokenisation has now been extended by six months.
“The timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged,” the RBI stated in a notification on Thursday.
Further, “industry stakeholders may devise alternate mechanism(s) to handle any use-case (including recurring e-mandates, EMI option, etc) or post-transaction activity (including chargeback handling, dispute resolution, reward/loyalty programme, etc) that currently involves/requires the storage of CoF data by entities other than card issuers and card networks,” the notification added.
