The Reserve Bank of India (RBI) on July 28 said that acquiring banks can continue to store Card-on-File (CoF) data until January 31, 2023 after reviewing issues surrounding tokenisation.
The bank that debits an amount from a customer is known as the issuer bank. At the other end is the acquirer bank, or the merchant's bank, which credits the amount on receipt.
Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, can save the CoF data for a maximum period of four days including the transaction date or till the settlement date, whichever is earlier, the RBI said in a statement. This data shall be used only for settlement of such transactions, and must be purged thereafter.
Additionally, there shall be no change in the effective date of implementation of the requirements – all entities, except card issuers and card networks, shall purge the CoF data before October 1.
The RBI, on June 24, had extended the deadline for card data storage and tokenisation implementation by three more months to September 30.
The banking regulator had said that on a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. However, the transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants, the RBI had said.
Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction has not been implemented by the industry stakeholders, so far, the regulator had said.
This means that payment aggregators, payment gateways, and merchants can store the card credentials of customers in their databases only until September 30, a deadline that has already been extended a number of times before this, most recently by six months to June 30.
In the absence of an alternative mechanism, customers using their credit or debit cards from July 1 will have to enter the details afresh for each transaction, including the 16-digit card number, expiry date, and card verification value (CVV).
Prior to the extension, Moneycontrol had reported on May 20 that merchants and the payments ecosystem were worried that the industry is not fully prepared for implementing tokenisation. The report further said that while the process of creating tokens has been put in place, there is no clarity on the execution of guest checkouts and how merchants can implement cashbacks and rewards in the absence of card data.The issue of extending rewards and cashbacks may be addressed now with payment aggregators allowed to hold data for four more days or until the date of settlement.