The Reserve Bank of India (RBI) on Thursday extended the card tokenisation --hiding of actual card details with a unique token -- deadline by 6 months till 30 June, 2022, which comes as a major relief for online shoppers.
Earlier, the central bank had given the deadline of December 31, 2021.
Card-on-file, or CoF, refers to card information stored by payment gateway and merchants to process future transactions.
In a statement, RBI said,"The timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged."
"In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or posttransaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks," it added.
Following the RBI announcement, Payments Council of India (PCI), the representative body of payment system participants, welcomed the decision of the central bank.
Welcoming the RBI notification PCI Chairman and Director, Infibeam Avenues, Vishwas Patel said “PCI will work with the industry and RBI to come up with solutions to handle any use cases such as refunds, emanates and post transaction activity including chargeback handling, dispute resolution, reward / loyalty programme, etc., that currently involves / requires storage of CoF data by entities other than card issuers and card networks”
The RBI in September prohibited merchants from storing customer card details on their servers with effect from January 1, 2022, and mandated the adoption of CoF tokenisation as an alternative to card storage.
Lately, merchants have sought at least six more months to implement tokenisation as its enforcement may cause major disruptions, erode trust in digital payments and loss of revenue.
Citing several operational challenges, industry associations – Merchant Payments Alliance of India (MPAI) and Alliance of Digital India Foundation (ADIF) – had requested the RBI to extend the December 31 deadline for implementation of norms related to tokenisation of card transactions.
MPAI is a consortium of merchants who accept digital payments and counts Microsoft, Netflix, Spotify, Zoom, BookMyShow, Disney+Hotstar, Policybazaar and Times Internet among its members. Alliance of Digital India Foundation (ADIF) is a think-tank for digital start-ups, whose members include Paytm, Matrimony.com, GOQii and MapmyIndia.
Furthermore, Industry body CII has earlier stated that online merchants can lose up to 20-40 per cent of their revenues due to the RBI order.
The value of the Indian digital payments industry in 2020-21, as per the RBI's annual report, was Rs 14,14,85,173 crore, it said adding that digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic.
India has an estimated 98.5 crore cards, which are used for about 1.5 crore daily transactions worth Rs 4,000 crore, CII said.
Tokenisation is the replacement of actual card details with an alternate code or token. Token shall be unique for each combination of cards, token requestor and device. Token requestor is the entity that accepts request from the customer for tokenisation of a card and passes it on to the card network to issue a corresponding token.
The central bank aims to extend the device-based tokenisation framework referred to Card-on-File Tokenisation (CoFT) besides permitting card issuers to offer card tokenisation services as Token Service Providers (TSPs).
Tokenisation can only be performed by the list of card networks authorised by the RBI to do so. It is allowed through mobile phones and/or tablets for all use cases/channels like contactless card transactions, payments using QR codes, apps, etc., as per an RBI FAQ on the same.
A tokenised card transaction is considered safer as the card details are not shared with the merchant during transaction processing. The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor.
The token requestor will forward the request to the card network, which, with the consent of the card issuer, will issue a token corresponding with the combination of the card, the token requestor, and the device.