Merchants will now be allowed to store data until June next year. The earlier tokenisation deadline was January 1.
“In light of various representations received, the timeline for storing of CoF (Card on File) data is extended by six months, i.e., until June 30, 2022,” the central bank said in a statement. “After this, such data shall be purged.”
Tokenisation is a process by which card details are replaced by a unique code or token, allowing online purchases without sharing details that might be considered sensitive.
Second Extension
Had the regulator gone ahead with its implementation deadline, major online digital platforms such as Amazon, Flipkart and Zomato might have been affected as these marketplaces would have had to delete customer card data. The regulator has allowed card networks such as Visa, Mastercard or RuPay to issue tokens on behalf of the card-issuing banks or companies.
The second deadline extension for merchants on purging card data of customers comes amid concerns among entities that built their business models around recurring payment mandates, which involve storage of customer data.
The central bank has also advised the industry to create a mechanism to avoid storage of customer data for other application areas such as dispute resolution and reward/loyalty programmes.
In March 2020, the central bank said that payment aggregators and merchants onboarded by them would be prohibited from storing card details of customers to improve data privacy and protect against fraud in online transactions. The initial deadline was June this year.
But the industry sought time and the RBI set a new deadline of January 1, 2022. That deadline, too, has now been extended.
The Unified Payments Interface, commonly known as UPI, uses the tokenisation concept.
The Payments Council of India (PCI), an industry group, has suggested alternative solutions beyond encryption through tokenisation — such as secure reference on file — to minimise customer inconvenience. PCI argues that as licensed aggregators are storing card data on isolated servers for chargeback references, these may be used for allowing one-click checkouts subject to consumer consent.