Restrictions on Storage of Actual Card Data

Posted On - 19 September, 2022 • By - Pooja Sirnapelly

RBI Card Tokenization Guidelines and Extension

The Reserve Bank of India has extended the deadline to store new card data on file by six months at the request of industry bodies and stakeholders. The Reserve Bank of India (RBI) issued a notification dated July 28th 2022[1] with some norms for regulating Payment Aggregators (PAs) and Payment Gateways (PGs). Payment Aggregators and Payment Gateways facilitate payments in the online space. It has been decided that:

(a) Payment regulators shall adopt all technology-related recommendations. 

(b) The domestic leg of import- and export-related payments facilitated by Payment Aggregators shall also be governed by these instructions.

Banks and non-bank PAs handle the funds. Banks do not require a separate authorisation from the Reserve Bank of India, whereas non-bank PAs require a separate authorisation from the Reserve Bank of India under the Payment and Settlement Systems Act, 2007. PAs shall disclose comprehensive information regarding merchant policies, privacy policies and customer grievances. As a financial security measure, they are not to save customer card credentials on their servers or databases. The deadline to comply with the updated regulations was extended for six months till December 31st 2022.

Card Tokenisation Services

The Reserve Bank of India permits card networks to offer tokenisation in card transactions to enhance the safety and security of those transactions. Card networks are authorised to offer card tokenisation services to any token requester. These services are only available to cardholders using mobile phones or tablets. Under the Payment and Settlement Systems Act, 2007, and keeping in view stakeholder feedback, it has been decided that tokenisation shall include customer devices like laptops, desktops, watches, internet devices, etc. In this way, card transactions will be secure, safe, and convenient to use.

Authorised non-bank payment aggregators and merchants are prohibited from storing card-on-file (CoF) data from June 30th 2021. Industry stakeholders requested the Reserve Bank of India to extend the deadline. After a discussion with stakeholders, the CoF storage compliance deadline was extended for a further three months. All entities, except card issuers and card networks, must submit data before October 1st 2022. In case of non-compliance, the Reserve Bank of India can take appropriate penal action, including business restrictions. This is issued under Section 18 of the Payment and Settlement Systems Act, 2007.