
Update: RBI extends timeline for purging Card-on-File data by merchants and payment aggregators

December 23, 2021


In line with NASSCOM’s recommendations (read here), the Reserve Bank of India (RBI) has granted merchants and payment aggregators a six-month extension, i.e., till June 30, 2022, to purge card-on-file (CoF) data. After this date, merchants and payment aggregators will be required, in accordance with the PA/PG guidelines, to purge stored card data and implement card-on-file tokenisation.

The circular also allows industry stakeholders to devise alternative mechanisms to handle any use case or post-transaction activity which involves CoF storage by entities other than card networks and card issuers.

The move by the RBI is aimed at ensuring a smooth transition towards Card-on-File tokenisation (CoFT) and at avoiding disruption similar to that seen with e-mandates on recurring transactions.

Had this move not materialised, all card data held by merchants across the country would have been purged on December 31, 2021, disrupting all card-based payments. This would have impacted services across sectors.

Backdrop

In March 2020, the RBI released the “Guidelines on Regulation of Payment Aggregators and Payment Gateways” under S. 10(2) of the Payment and Settlement Systems Act, 2007. The Guidelines recognise Payment Aggregators and Payment Gateways as intermediaries playing a crucial role in facilitating payments in the digital space and ensure that consumers are protected in the online space.

The Guidelines lay down a comprehensive list of provisions which the PAs will have to comply with. Of these, Clauses 2.1, 7.4 and 10.4 require PAs and merchants not to store card credentials within their databases or servers. With merchants and PAs not allowed to store card data, there were several industry concerns, including card data security, fraud risks, and the impact on customer service and product innovation. (Read more about it here)

To address the concerns, the industry made suggestions to the RBI, including considering CoFT as a viable alternative to card-on-file (CoF) in a graded manner. (Read more about it here) While the industry unanimously agrees that CoFT is a step in the right direction, there were implementation and operational challenges with the framework. (Read NASSCOM’s representation to RBI here)

What does the PA/PG guideline say about storing card details?

The Guidelines lay down a comprehensive list of provisions which the PAs will have to comply with. Of these, Clauses 2.1, 7.4 and 10.4 prohibit PAs and merchants from storing card credentials within their databases or servers. With merchants and PAs prohibited from storing card data, there were several industry concerns, including card data security, fraud risks, and the impact on customer service and product innovation.

To address the concerns, the industry made suggestions to the RBI, including considering card-on-file tokenisation (CoFT) as a viable alternative to card-on-file (CoF) in a graded manner.

What is Card-on-File tokenisation?

In line with the industry’s and NASSCOM’s recommendations, the RBI, through a circular dated September 07, 2021, allowed CoFT for merchants and PAs. This step was intended to reinforce the safety and security of card data while preserving the convenience of card transactions. (Read more about it here) The framework requires merchants and PAs to:

  1. Purging card data: No entity in the card transaction/payment chain, other than the card issuer and/or card network, will store actual card data. Merchants and PAs are required to purge card data from their respective systems by December 31, 2021.
  2. Storing the last four digits of a card: Merchants and PAs are allowed to store the last four digits of the actual card number and the card issuer’s name.
  3. Customer consent: To tokenise card data, it is mandatory to obtain the customer’s explicit consent, with Additional Factor of Authentication (AFA) validated by the card issuer.
  4. Responsibility of card networks: It is the responsibility of the card networks to ensure that all entities involved are compliant with the framework.

NASSCOM’s representation to RBI

In its representation, NASSCOM had highlighted that the ecosystem was operating without transparency around the coverage of issuer banks that the networks had at that point, and around the state of readiness of RBI-regulated entities to implement CoFT within the RBI’s then-proposed timeline, i.e. December 31, 2021. NASSCOM’s representation to the RBI had also highlighted the challenges related to the consent mechanism, the timeline, BIN storage and guest checkouts. (Read here)

Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming
