Under the powers issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007), to the continuing the efforts to improve the safety and security of card transactions, the Reserve Bank of India had permitted card networks for tokenization in card transactions for a specific use case.
It was to permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third-party app provider), subject to certain conditions. This permission extends to all use cases/channels [e.g., Near Field Communication (NFC)/Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones/tablets only. Its’ extension to other devices will be examined later based on data gained.
All instructions issued by RBI on the safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA)/PIN entry, shall be applicable for tokenized card transactions. All other instructions related to card transactions shall be applicable for tokenized card transactions as well. The ultimate responsibility for card tokenization services rendered rests with the authorized card networks. It is further stated that charges should be recovered from the customer for availing of this service
Before providing card tokenization services, authorized card payment networks shall put in place a mechanism for periodic system (including security) audits at frequent intervals, at least annually, of all entities involved in providing card tokenization services to customers. This system audit shall be undertaken by empanelled auditors of the Indian Computer Emergency Response Team (CERT-In) and all related instructions of the Reserve Bank in respect of system audits shall also be adhered to. A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations, if any, from the conditions listed in Annex 1 furnished along with the direction, along with the compliance thereto. Further, a report on the details to be furnished along with the direction shall be submitted to the Reserve Bank of India, Department of Payment and Settlement Systems.
In terms of these circulars, with effect from January 1st 2022, no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the CoF data, and any such data stored previously shall be purged. Subsequently, to allow more time for the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity, this timeline was extended to June 30th 2022 on “Restriction on storage of actual card data [i.e., Card-on-File (CoF)]”.
On a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants. Further, an alternate system concerning transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as "guest checkout transactions") has not been implemented by the industry stakeholders, so far.
Given the above, it has been decided to extend the timeline for storing CoF data by three months, i.e., till September 30th 2022, after which such data shall be purged