By Shashank Didmishe
The Reserve Bank of India (RBI) on Friday extended the deadline for merchants to delete the card storage data of their customers under the card-on-file tokenisation system by three months till September 30. This is the third time the central bank has extended the timeline for mandatory card tokenisation.
The RBI first extended the deadline by six months from June 30, 2021, till December 30, 2021, and then by another six months till June 30.
Noting that considerable progress has been made on card tokenisation and some merchants have already initiated the use of tokens, the central bank observed that the system is yet to gain traction with all categories of merchants. Additionally, merchants are yet to install an alternate system where customers can choose to enter the card details manually, the central bank said.
“It has been decided to extend the timeline for storing of CoF (card-on-file) data by three months, till September 30, after which such data shall be purged,” the RBI said in a notification.
In 2020, the RBI had directed merchants to delete users’ card data stored on their platforms for protection of financial information of the customers. Under the tokenisation system merchants will not be allowed to store the card details such as the 16-digit number, expiry dates and CVV, but will instead generate a token through which the transaction will take place.
Several industry players had voiced concerns on the skewed preparedness of the merchants for implementing tokenisation. While larger e-commerce platforms and companies have already begun the shift to generating tokens, smaller merchants did not have the readiness to migrate to the new system. Additionally, concerns were also raised that tokenised transactions may not be able to match the requisite speed and complexity for card payments.
So far, 195 million tokens have been generated, RBI said in a separate notification. In comparison, the tokenised transaction ecosystem should be able to handle around 2,000 transactions per second in order for smooth processing, according to experts. Despite being in the nascent stage, the RBI has urged cardholders to opt for tokenised transactions as it will provide an additional security layer. Cardholders unwilling to use tokens have the option of entering their card details manually.
“Stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data,” the central bank said.
The industry welcomed the RBI’s decision. Vishwas Patel, executive director, Infibeam Avenues and chairman, Payments Council of India, said that certain issues had emerged ahead of the final roll-out of the system. Solutions required to resolve the issues were being actively worked on but were to be primarily resolved by the networks, issuers and acquirers within the ecosystem, he added.
“The timeline to implement the fixes was very close to June 30, 2022 and hence the industry perceives a risk to the overall readiness for a smooth transition to the tokenisation framework. Hence this extension of three months by RBI will provide breathing space for all parties involved to comply with the tokenisation norms,” Patel said.
Meanwhile, some large merchants have already asked their customers to move to the tokenisation framework. On Friday, Amazon’s Indian arm wrote to its customers seeking their explicit consent to store their card details in a tokenised form. Earlier, the Indian operations of Uber and Zomato had reached out to their customers. Mastercard and Google Pay had tied up to offer tokenisation services and allow the app’s users to pay with their cards without having to share their credentials with a third party.