The Reserve Bank of India (RBI) on Thursday extended the card-on-file (CoF) tokenisation deadline by six months to June 30, 2022, in view of various representations received from industry bodies. Card-on-file, or CoF, refers to card information stored by payment gateway and merchants to process future transactions. The earlier deadline was December 31, 2021.
"In light of various representations received in this regard, we advise...the timeline for storing of CoF data is extended by six months, ie., till June 30, 2022 and post this, such data shall be purged," RBI said in a notification addressed to all payment system providers and payment system participants.
In addition to tokenisation, it said, "Industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks."
Commenting on RBI's decision, Payments Council of India (PCI), the representative body of payment system participants in the country, said it is much-needed relief for the industry which has been working hard towards the on-ground implementation of COF and integration with various stakeholders.
"PCI will work with the industry and RBI to come up with solutions to handle any use cases such as refunds, emanates and post transaction activity including chargeback handling, dispute resolution, reward / loyalty programme, etc, that currently involves/requires storage of CoF data by entities other than card issuers and card networks," PCI Chairman and Director, Infibeam Avenues, Vishwas Patel said.
Under tokenisation services, a unique alternate code is generated to facilitate transactions through cards. The RBI in September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.
Citing several operational challenges, industry associations Merchant Payments Alliance of India (MPAI) and Alliance of Digital India Foundation (ADIF) had requested the RBI to extend the December 31 deadline for implementation of norms related to tokenisation of card transactions.
MPAI is a consortium of merchants who accept digital payments and counts Microsoft, Netflix, Spotify, Zoom, BookMyShow, Disney+Hotstar, Policybazaar and Times Internet among its members.
Alliance of Digital India Foundation (ADIF) is a think-tank for digital start-ups, whose members include Paytm, Matrimony.com, GOQii and MapmyIndia. Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details.
Some merchants force their customers for storing card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/ leaked.
Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions, the RBI said adding that stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
The RBI had in March 2020 had stipulated that authorised payment aggregators and the merchants onboarded by them should not store actual card data with a view to minimise vulnerable points in the system. On a request from the industry, it extended the deadline to end-December 2021 as a one-time measure.
The tokenisation of card data, however, shall be done with explicit customer consent requiring AFA, the RBI had said.