The Reserve Bank of India (RBI) has, once again, extended the deadline for card tokenisation by three months to September 2021, bringing relief to major online digital platforms.
The move comes after a group of industry associations, besides other stakeholders, reportedly sought more time to comply with the latest data safety rules.
This is the second time the central bank has deferred the implementation of mandatory tokenisation of card transactions. The earlier deadline was January 1, 2022, which was extended to June 30, 2022. The RBI had issued guidelines in March 2020.
Tokenisation refers to the process that replaces the actual card details with a unique alternate code known as the ‘token’, enabling a user to make online purchases without sharing details that might be considered sensitive.
As per the new guidelines, online platforms (merchants) or authorised payment aggregators will have to delete any credit/debit card data stored on their platforms and replace them with tokens, which will be used for processing transactions in future.
While most of the banks are ready for the switchover, other stakeholders—mostly merchants—argue that their backend systems are not yet ready to adopt the new regime, and had sought further time in putting new norms into effect.
“The industry stakeholders have highlighted some issues related to the implementation of the framework for guest checkout transactions. Also, the number of transactions processed using tokens is yet to gain traction across all categories of merchants. These issues are dealt with in consultation with the stakeholders, and to avoid disruption and inconvenience to cardholders, the Reserve Bank has today announced the extension of the said timeline of June 30, 2022, by three more months to September 30, 2022,” RBI said in a statement.
Utilising the time at hand
The industry may utilise the extended period to facilitate all stakeholders to be ready to handle and process tokenised transactions, implement an alternate mechanism(s) to handle all post-transaction activities, and create public awareness about the process of token creation and using them for transactions.
The post-transaction activities include chargeback handling and settlement related to guest checkout transactions. At present, this requires the storage of CoF data by entities other than card issuers and card networks.
As per the Reserve Bank, about 19.5 crore tokens have been created to date. Opting for CoFT (creating tokens) is voluntary for the cardholders, and those who do not wish to create a token, can continue to transact as before by entering card details manually at the time of the transaction, the RBI said.
“The Reserve Bank encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” it added.
Vishwas Patel, Chairman, Payment Council of India (PCI), which claims to be in active talks with the RBI over the issue for the past few months, said, the extension would provide a breathing space for all parties involved to comply with the tokenisation norms.
He added, “While the overall industry was striving and committed to meet the timeline, certain issues had emerged in the final rollout. Solutions required to resolve the issues were actively worked on, but were to be primarily resolved by the networks, issuers, and acquirers within the ecosystem. The timeline to implement the fixes was very close to June 30, and hence, the industry perceives a risk to the overall readiness for a smooth transition to the tokenisation framework.”