RBI extends card token deadline by 6 months till June end

Mumbai, 23 December

The Reserve Bank of India (RBI) on Thursday extended the deadline for card-on-file (CoF) tokens by six months to June 30, 2022, in view of various representations received from industry bodies.

Card-on-file, or COF, refers to card information stored by payment gateways and merchants to process future transactions.

The earlier deadline was December 31, 2021.

“In the light of various representations received in this regard, we advise … the time limit for storage of COF data is extended by six months i.e. up to June 30, 2022 and thereafter, such data may be purged,” the RBI said in a notification addressed to all payment system providers and payment system participants.

Apart from tokenization, it said, industry stakeholders can prepare an “alternative mechanism to handle any use case (including recurring e-mandate, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, bounty/loyalty programs, etc.) that currently require the storage of COF data by entities other than the card issuer and the card network.” Under token services, a unique alternate code is generated to facilitate transactions through the card.

The RBI in September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of COF tokens as an alternative to card storage.

Citing several operational challenges, industry associations – Merchant Payments Alliance of India (MPAI) and Alliance of Digital India Foundation (ADIF) – had asked the RBI to extend the December 31 deadline for implementation of norms related to tokenization of card transactions.

MPAI is a consortium of merchants that accept digital payments and its members include Microsoft, Netflix, Spotify, Zoom, BookMyShow, Disney+ Hotstar, Policybazaar and Times Internet.

Alliance of Digital India Foundation (ADIF) is a think-tank for digital start-ups, whose members include Paytm, Matrimony.com, GOQII and Mapmyindia.

Citing the convenience and comfort factor for users while doing card transactions online, many of the entities involved in the card payment transaction chain store the actual card details.

Some merchants force their customers to store card details.

The availability of such details with a large number of merchants substantially increases the risk of card data theft. In recent times, there have been incidents where card data stored by some merchants has been compromised/leaked.

Any leakage of COF data could have serious consequences as many jurisdictions do not require an additional factor of authentication (AFA) for card transactions, RBI said, adding that stolen card data can also be used to commit frauds within India through social engineering techniques.

The RBI had in March 2020 stipulated that authorized payment aggregators and merchants onboarded by them should not store actual card data, in order to reduce the weak points in the system. At the request of the industry, it extended the deadline to December 2021 as a one-time measure.

However, tokenization of card data will be done with the explicit consent of the customer, which requires AFA, RBI had said. PTI