Update: RBI extends timeline for purging card-on-file data by three months

Terms of use

Terms of Use

The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.

All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.

Disclaimer

The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.

For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.

New

See all

No notification found.

Update: RBI extends timeline for purging card-on-file data by three months

Apurva Singh

@apurvaa

June 24, 2022

Public Policy

177

The Reserve Bank of India (RBI) has granted an extension to purge card-on-file (CoF) data by three months i.e., September 30, 2022. Prior to this, RBI had granted an extension for the same ahead of December 31, 2022 deadline wherein it had also allowed industry stakeholders to devise alternative mechanisms to handle any use case or post transaction activity which involves CoF storage by entities other than card networks and card issuers. The move comes in after RBI’s detailed discussions with stakeholders on progress on card-on-file tokenisation (CoFT). It has noted that while transaction processing has commenced, it is yet to gain traction and that an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction has not been implemented by the industry stakeholders, so far.

The RBI has noted that this extended time period may be utilised by the industry for-

(a) facilitating all stakeholders to be ready for handling tokenised transactions;

(b) processing transactions based on tokens;

(c) implementing an alternate mechanism(s) to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks; and

(d) creating public awareness about the process of creating tokens and using them to undertake transactions.

NASSCOM’s representation to RBI

We have been working closely with the industry to monitor readiness. In this regard, we have made representations to the RBI highlighting industry readiness in January, April and June, 2022[1]. Most recently, we had noted the following:

Most card schemes are ready with token provisioning. For token processing and use-cases, progress has been made with respect to a few use cases.
For non-token based transactions i.e., guest checkouts and first transactions, and recurring mandate, industry has suggested that the RBI may consider allowing acquirer banks to store card number of a user, for limited period for transaction tracking purposes after the payment is made. We had suggested this as a temporary measure and only till a solution is ready on this. Since acquirers are RBI regulated entities, and in most cases, would be issuers as well, it will be feasible to allow them to store customer card credentials.
We had also noted that for merchants and payment aggregators to be able to comply June 30^th deadline, it needs to be ensured that all three stages of tokenisation – token provisioning, token processing, and use-cases need to be available. Currently, the ecosystem appears to be operating in the absence of transparency around the readiness of issuer banks and their coverage by card networks.
We had also highlighted impact on services which use single application and payment services globally such as cab aggregators. In such cases, payment is made after delivery of service i.e., after the ride. Therefore, only stored cards can be used for payment processing since the payment takes place post-delivery of service. However, since merchants are not allowed to store card on file data, they would no longer be able to provision services to Indian cardholders when they travel abroad. The only exception to this is in few countries, where there are vendors who have capability to support token-based transaction processing. However, this is not a long-term solution as it is limited to only a few countries and the capability is limited to only a few payment service providers.

Backdrop

In March 2020, the RBI released “Guidelines on Regulation of Payment Aggregators and Payment Gateways” under S. 10(2) of the Payment Systems and Settlement Act, 2007. The Guidelines recognise Payment Aggregators and Payment Gateways as intermediaries playing a crucial role in facilitating payments in the digital space and ensure that consumers are protected in online space.

The Guidelines lay down a comprehensive list of provisions which the PAs will have to comply with. Of these, Clauses 2.1, 7.4 and 10.4 require PAs and merchants to not store card credentials within their databases or servers. With merchants and PAs not allowed to store card data, there were several industry concerns including – card data security, fraud risks, impact on customer service and product innovation.

To address the concerns, the industry had made suggestions to the RBI including considering CoFT as a viable alternative to card-on-file (CoF) in a graded manner. (Read more about it here) While the industry unanimously agrees that CoFT is a step in right direction, there have been implementational and operational challenges with the framework. (Read NASSCOM’s representation to RBI here)

For more information, kindly write to apurva@nasscom.in.

[1] You can read about our previous representations to RBI here, here, and here.

Card on File Tokenisation RBI

Disclaimer

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.

Apurva Singh

Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming