The Reserve Bank of India (“RBI”), through its circular dated 28th July 2022 (“28th July Circular”), has reinforced its timeline of 1st October 2022 relating to the storage requirements pertaining to Actual Card Data/Card-on-File data (“CoF data”) mandating all entities in the card transaction/payment chain, other than the card issuers and/or card networks to stop storing CoF data and any such data stored previously shall be purged.
According to the 28th July Circular, from 1st October 2022, no entity in the card transaction/payment chain, other than the card issuers (banks issuing the cards) and/or card networks (entities enabling the creation of a link/communication channel between the card issuers and merchant platforms), shall store CoF data (which inter alia includes card number, expiry and CVV). Such data stored previously by entities other than card issuers and card networks is required to be purged before 1st October 2022.
It is worth noting that this 28th July Circular of the RBI is in furtherance of RBI’s Circular dated 8th January 2019, as per which the RBI had permitted authorised card networks to offer card tokenisation service in its efforts to improve safety and security of card transactions.
Tokenisation is a process through which a card’s 16-digit number is replaced with an alternate number, or ‘Token’ which is unique for any combination of card, token requestor and device. Initially, the exercise was limited to mobile phones and tablets and however, it was subsequently extended to laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., vide RBI circular dated 25th August 2021.
Additionally, as per RBI circular dated 7th September 2021, for the limited purpose of transaction tracking and/or reconciliation purposes, entities are permitted to store limited data – last four digits of actual card number and card issuer’s name – in compliance with applicable standards.
After discussions with stakeholders, the RBI has specified the following two requirements through its 28th July Circular:
- The effective date of implementation remains unchanged and all entities, except card issuers and card networks, shall purge the CoF data before 1st October 2022; and
- To allow for easy transition to alternative systems for “guest checkout transactions” (where cardholders decide to enter the card details manually at the time of undertaking the transaction) the following interim measures have been permitted –
- Other than the card issuer and the card network, the merchant or its Payment Aggregator involved in settlement of such transactions, can save the CoF data for a maximum period of T+4 days (“T” being the transaction date) or till the settlement date, whichever is earlier. The data saved shall only be used for settlement of such transactions and must be purged thereafter.
- For handling other post-transaction activities, an extension has been granted to acquiring banks. Acquiring banks can continue to store CoF data until 31st January 2023.
Consequence of non-compliance with RBI norms: According to the 28th July Circular, the RBI shall consider penal action, including imposition of business restrictions, in case of any non-compliance by concerned entities.
Tokenisation as an exercise has been undertaken by the RBI to improve safety and security of card transactions. A token is a key generated without a customers personal information that can be directly accessed and is inter alia different for specific devices/merchants, making it an extremely secure method to complete payments. While the tokenisation process in itself is a step in the right direction, the limited scope of this exercise does raise concerns in relation to post-transaction activities. For instance, an acquiring bank is likely to face issues while processing refunds to source (in cases of failed transactions or otherwise) if the CoF data is only available with the card issuer and card network. While the interim requirements do provide a final extension till 1st October 2022, industry preparedness (in terms of backend infrastructure required to support tokenised and guest checkout transactions etc.) in replacing pre-existing transaction infrastructure may not be fully realized within this extended timeline.
28th July 2022 circular – https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NOTI9562EBD27509944390A 9A35D61E50BA9C6.PDF
8th January 2019 circular – https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11449&Mode=0
25th August 2021 circular – https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12152&Mode=0
7th September 2021 circular – https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0