NEWS
RBI extends card tokenisation deadline by six months
Deadline extended as stakeholders not yet ready; RBI’s new rules for card storage data will now come into effect from 1 July.
Deadline extended as stakeholders not yet ready; RBI’s new rules for card storage data will now come into effect from 1 July.
The Reserve Bank of India (RBI) has extended the deadline to comply with new rules for card storage data by six months till 30 June 2022.
The decision came on the back of requests from online payment gateways, merchants and e-commerce companies for more time as they were not ready to implement tokenisation of cards. The process would have involved replacement of credit and debit card details with a unique alternate code called the token.
The RBI had set 1 January 2022 as the deadline for the new rules so that online payment transactions through credit and debit cards become more secure.
“In light of various representations received in this regard, we advise...the timeline for storing of card on file (CoF) data is extended by six months till June 30, 2022; post this, such data shall be purged," the RBI said in its circular.
The RBI also said that in addition to tokenisation, industry stakeholders may devise alternate mechanisms to “handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.)" that currently requires storage of card data by entities other than card issuers and card networks.
Earlier, some banks had requested the RBI for an extension of the tokenisation deadline as many small and mid-sized merchants were not ready to implement the technological changes. Digital payment firms and merchant bodies had also made a similar request as implementation of the new rule in the present state of readiness could cause major disruptions and loss of revenue, especially for merchants. The policy changes would involve three major players - banks, intermediary payment systems and merchants.
The RBI had first issued the guidelines in March 2020 prohibiting payment aggregators and merchants to store customer card credentials within their database or server from 30 June 2021. But in March of this year the RBI extended the deadline by six months to 31 December.
Why RBI is pushing for tokenisation
A tokenised card transaction reduces the chances of fraud as the card details are not shared with the merchant during transaction processing. The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.
A token is unique for each card, token requestor (the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token) and the device.
