“In light of various representations received in this regard, we advise as under: a) the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged; and b) in addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks,” the central bank said in a circular.
The move comes after digital payment firms, like the Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF), voiced their concerns over industry readiness.
Citing several operational challenges that will hinder the transition to the token-based payments ecosystem, the industry bodies voiced their concerns over industry readiness for the RBI directive on card-on-file tokenization.
MPAI and ADIF said that ‘ecosystem readiness’ is a sequential process of going live with stable API (application programming interface) documentation for tokenised transactions.
The digital payments ecosystem is a long way from consumer-ready solutions and unless regulated entities are compliant, merchants will not be able to successfully process tokenised transactions, they said in the joint letter.
“In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue – we are looking at revenue losses of anywhere between 20-40 per cent at the minimum should that be the case,” said Sijo Kuruvilla George, Executive Director, ADIF.
The RBI in September prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of CoF tokenization as an alternative to card storage.
The industry bodies said that if implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants.
“This unpreparedness will impact recent digital payments adopters even deeply. The frequency and intensity of phishing attempts will go as entire card details are to be entered for each transaction, causing a significant increase in irreversible fraudulent transactions,” said Vishal Mehta, Chair of Governing Council, MPAI.
Based on the set of guidelines that have been mandated by the RBI, sensitive customer information is to be stored in the form of an encrypted ‘token’ to help secure transactions.
These tokens then allow payments to be processed without disclosing the customer's details and without payment intermediaries storing customer data, storage that could compromise security and privacy.