RBI further extends deadline for deletion of card-on-file data

By Shilpa Mankar Ahluwalia and Shobhit Shukla, Shardul Amarchand Mangaldas & Co

On 23 December 2021, the Reserve Bank of India (RBI) extended the deadline for removal of card-on-file (CoF) data by a further six months. Payment aggregators (PAs) and merchants may thus continue to store customer card credentials until 30 June 2022.

By way of the Guidelines on Regulation of PAs and Payment Gateways dated 17 March 2020 (PA-PG Guidelines), the RBI had announced a prohibition on the storage of card data by PAs, merchants and intermediaries other than card issuers and networks. The card payments industry has been concerned about the disruption that this will create for card transactions, for customers, merchants and intermediaries alike. Some stakeholders argue that less restrictive alternatives may achieve the same aim with less disruption to the card payments ecosystem.

The storage prohibition, originally to come into effect in June 2021, was deferred first to December 2021 and has now been deferred to June 2022 to give the market time to implement workable solutions while maintaining the seamlessness of card transactions. Since the notification of the PA-PG Guidelines, the RBI has supported tokenisation as a viable solution.

Tokenisation refers to the conversion of customers’ card details to a unique token, which can be stored and used by merchants and intermediaries to execute card transactions with greater security and similar efficiency. To make tokenisation the industry norm and to complement the framework for device-based tokenisation (introduced in January 2019), the RBI issued a framework for CoF tokenisation in September 2021.

While many market players have indicated their in-principle readiness for tokenisation, several industry bodies, including the National Association of Software and Service Companies and the Alliance of Digital India Foundation, requested a phased implementation of the data storage prohibition and the tokenisation mandate. They pointed out that the technological infrastructure required for tokenised card transactions had not yet been put in place by a number of participants in the transaction chain. Even for merchants that had the technical capability, the process remained incomplete as most cardholders had not consented or been migrated to the tokenised ecosystem. Thus, if card details were to be purged without being tokenised, cardholders would need to provide card details for each transaction, likely resulting in a significant fall in the number of card payments. Smaller merchants that have struggled to implement tokenised card transactions within the timeframe would be the most affected.

Industry representatives pointed out that the framework did not indicate how card payments such as e-mandates, EMIs, refunds, cashbacks and guest checkouts were to be processed. Such payments are typically processed by the merchant using the card details stored on its server. While the PA-PG Guidelines allowed storage of card credentials for a limited period for the purpose of transaction tracking and/or reconciliation, the guidelines on CoF tokenisation only allow the storage of the last four digits of the card number, which are allegedly inadequate for a merchant to process any subsequent transaction with a customer.

Crucially, besides deferring the timeline for the deletion of card data, the RBI has advised stakeholders to devise alternative mechanisms, in addition to tokenisation, for any use-case or post-transaction activity that currently involves storing card data. While the RBI maintains that merchants cannot store customer card data, alternative mechanisms may be developed to handle multiple use-cases, either linked to the payment transaction itself, such as recurring e-mandates and EMI transactions, or connected to post-transaction activities such as chargebacks, disputes, rewards and loyalty programmes. It is unclear what kinds of alternative mechanisms would be acceptable and whether they would need approval either by the RBI or by a licensed entity such as the card issuer or the card network.

The introduction of CoF tokenisation by the RBI was followed by the launch of several tokenisation-related offerings. The RBI’s latest clarification has been well received and the market may see the introduction of many more solutions that allow for the processing of card payments while minimising the exposure of card credentials.

Shilpa Mankar Ahluwalia is a partner and Shobhit Shukla is a research fellow at Shardul Amarchand Mangaldas & Co

Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Further, the views in this article are the personal views of the authors.

Shardul Amarchand Mangaldas & Co

Amarchand Towers, 216 Okhla Industrial Estate
Phase III, New Delhi – 110 020

Contact details:
Tel: +91 11 4159 0700
E: Connect@AMSShardul.com