Topics In Demand
Notification
New

No notification found.

Update: RBI extends timeline for purging card-on-file data by three months
Update: RBI extends timeline for purging card-on-file data by three months

June 24, 2022

177

0

 

The Reserve Bank of India (RBI) has granted an extension to purge card-on-file (CoF) data by three months i.e., September 30, 2022. Prior to this, RBI had granted an extension for the same ahead of December 31, 2022 deadline wherein it had also allowed industry stakeholders to devise alternative mechanisms to handle any use case or post transaction activity which involves CoF storage by entities other than card networks and card issuers. The move comes in after RBI’s detailed discussions with stakeholders on progress on card-on-file tokenisation (CoFT). It has noted that while transaction processing has commenced, it is yet to gain traction and that an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction has not been implemented by the industry stakeholders, so far.

The RBI has noted that this extended time period may be utilised by the industry for-

(a) facilitating all stakeholders to be ready for handling tokenised transactions;

(b) processing transactions based on tokens;

(c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks; and

(d) creating public awareness about the process of creating tokens and using them to undertake transactions.

NASSCOM’s representation to RBI

We have been working closely with the industry to monitor readiness. In this regard, we have made representations to the RBI highlighting industry readiness in January, April and June, 2022[1]. Most recently, we had noted the following:

  • Most card schemes are ready with token provisioning. For token processing and use-cases, progress has been made with respect to a few use cases.
  • For non-token based transactions i.e., guest checkouts and first transactions, and recurring mandate, industry has suggested that the RBI may consider allowing acquirer banks to store card number of a user, for limited period for transaction tracking purposes after the payment is made. We had suggested this as a temporary measure and only till a solution is ready on this. Since acquirers are RBI regulated entities, and in most cases, would be issuers as well, it will be feasible to allow them to store customer card credentials.
  • We had also noted that for merchants and payment aggregators to be able to comply June 30th deadline, it needs to be ensured that all three stages of tokenisation – token provisioning, token processing, and use-cases need to be available. Currently, the ecosystem appears to be operating in the absence of transparency around the readiness of issuer banks and their coverage by card networks.
  • We had also highlighted impact on services which use single application and payment services globally such as cab aggregators. In such cases, payment is made after delivery of service i.e., after the ride. Therefore, only stored cards can be used for payment processing since the payment takes place post-delivery of service. However, since merchants are not allowed to store card on file data, they would no longer be able to provision services to Indian cardholders when they travel abroad. The only exception to this is in few countries, where there are vendors who have capability to support token-based transaction processing. However, this is not a long-term solution as it is limited to only a few countries and the capability is limited to only a few payment service providers.

Backdrop

In March 2020, the RBI released “Guidelines on Regulation of Payment Aggregators and Payment Gateways” under S. 10(2) of the Payment Systems and Settlement Act, 2007. The Guidelines recognise Payment Aggregators and Payment Gateways as intermediaries playing a crucial role in facilitating payments in the digital space and ensure that consumers are protected in online space.

The Guidelines lay down a comprehensive list of provisions which the PAs will have to comply with. Of these, Clauses 2.1, 7.4 and 10.4 require PAs and merchants to not store card credentials within their databases or servers. With merchants and PAs not allowed to store card data, there were several industry concerns including – card data security, fraud risks, impact on customer service and product innovation.

To address the concerns, the industry had made suggestions to the RBI including considering CoFT as a viable alternative to card-on-file (CoF) in a graded manner. (Read more about it here) While the industry unanimously agrees that CoFT is a step in right direction, there have been implementational and operational challenges with the framework. (Read NASSCOM’s representation to RBI here)

For more information, kindly write to apurva@nasscom.in.

 

[1] You can read about our previous representations to RBI here, here, and here.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming

© Copyright nasscom. All Rights Reserved.