The Reserve Bank of India (RBI) on Thursday extended the timeline for implementation of the new credit and debit card data storage norms, or card-on-file (CoF) tokenisation, by six months to June 30, 2022. The RBI move follows intervention by digital payment firms, merchant bodies and banks, which had sought more time to integrate the systems and onboard all the stakeholders amid fears over disruption of business transactions.
After June 2022, credit and debit card data should be purged from the online systems of merchants, the central bank said. In addition to tokenisation, industry stakeholders may devise alternate mechanisms to handle any use case, including recurring e-mandates and EMI option or post-transaction activity, including chargeback handling, dispute resolution, reward or loyalty programme, that currently involves storage of CoF data by entities other than card issuers and card networks, the RBI said in a notification.
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.
Tokenisation refers to the replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
If implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants, industry bodies said. “Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments,” Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter to the RBI.
They voiced their concerns over industry readiness for the RBI directive on card-on-file tokenisation and urged the central bank to extend the December 31 deadline for implementation of the card data storage norms. Sources said some banks have also written to the RBI seeking an extension of the implementation of the new norms.
Online merchants can lose up to 20-40 per cent of their revenues post December 31 due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop, according to participants at a virtual session on Digital Payments and the India Media Consumer by the CII’s Media and Entertainment Committee on Wednesday.
Merchants cannot start the testing and certification of their payment processing systems until banks, card networks and PA/PGs are certified and live with stable APIs for consumer-ready solutions, industry officials said.