Card DATA not to be stored by entities in transactions from 1 January 2022 - all previously stored date to be purged, RBI issues directive – extends tokenisation mandate

From January 1 2022, no entity in the card transaction or payment chain other than the card issuer and card network will be able to store the actual card data of the customers. Any such data stored previously shall be purged. The announcement was made by Reserve Bank of India (RBI) today while further enhancing the extant framework on card tokenisation services.

For transaction tracking and/or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards, an RBI directive said. The directive has been issued under the Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

See Zee Business Live TV Streaming Below:

“The device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services as well,” a press release issued by the RBI on Tuesday said.

“Card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs). The tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA),” the release further said.

The above enhancements are being brought into effect to “reinforce the safety and security of card data while continuing the convenience in card transactions,” the release further said.   

Citing the convenience and comfort factor for users while undertaking card transactions online, many entities involved in the card payment transaction chain store actual card details [also known as Card-on-File (CoF)].

“In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised / leaked. Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” the release further said.

The Reserve Bank in March 2020 had stipulated that authorised payment aggregators and the merchants onboarded by them should not store actual card data citing that it would minimise vulnerable points in the system.

However, on a request from the industry, the deadline was extended to end-December 2021 as a one-time measure.

“It may be noted that introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now,” the RBI release said.

“Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement. The efforts of Reserve Bank to deepen digital payments in India and make such payments safe and efficient shall continue,” the release further said.

The RBI extended the tokenisation mandate to every device that connects with the Internet, including mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc. and to the payment aggregators as well as merchants on-boarded by them.

The decision was taken after a review of the tokenisation framework. Following enhancements will be in effect:

1. Extend the device-based tokenisation1 framework to CoF Tokenisation (CoFT).
2. Permit card issuers to offer card tokenisation services as Token Service Providers2 (TSPs).
3. The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.
4. The ability to tokenise and de-tokenise card data shall be with the same TSP.
5. Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.

The RBI further has further directed the card networks to ensure all compliances.