RBI proposes to restrict payment aggregators from storing debit, credit card data from Aug 2025

The Reserve Bank of India will be tightening regulations for payment aggregators with the new draft regulations for non-banking entities. Under the new draft rules, payment aggregator firms will not be allowed to store card debit and credit cards on file (COF) data from August 1, 2025. The only entities allowed to store the COF data will be card issuers and card networks such as VISA, Mastercard and bank, says the RBI's draft circular. 

“For face-to-face/proximity payment transactions done using cards, from August 1, 2025, no entity in the card transaction/payment chain, other than the card issuers and / or card networks, shall store the CoF data," the RBI said in a circular.

Previously stored data must be deleted. Entities can retain limited data like the last four digits of a card number and the card issuer's name for transaction tracking or reconciliation. Implementation of these regulations will follow stakeholder feedback as they are currently in the 'draft' stage.

The draft rules also stated that non-banking entities that fail to apply for authorisation and maintain a net worth of Rs 15 crore will have to close their operations by July 31, 2025. 

It is to be noted that in September 2022, the central bank restricted offline payment aggregators such as those entities aggregating offline credit and debit card payments e.g swipes at physical merchant stores, shall not store the customer card credentials within their database or the server accessed by the merchant. They shall comply with data storage requirements as applicable to Payment System Operators (PSOs).

The RBI said: "Payment Aggregators (PAs) play an important role in the payments ecosystem and hence were brought under regulations in March 2020 and designated as Payment System Operators (PSOs). The current regulations are, however, applicable to PAs processing online or e-commerce transactions. These regulations do not cover offline PAs who handle proximity/face-to-face transactions and play a significant role in the spread of digital payments. Keeping in view the similar nature of activities undertaken by online and offline PAs, it is proposed to apply the current regulations to offline PAs as well."

What does this mean

Companies processing  point-of-sale (POS) payments must obtain an RBI permit by May 2025 to comply with regulatory standards. Failure to secure authorization will result in the cessation of services, as outlined in the draft regulations. 

Entities offering services must have a minimum net worth of Rs 15 crore for RBI authorisation. By March 2028, they must maintain a minimum net worth of Rs 25 crore as per the proposed regulations.

The RBI aims to enhance security to prevent fraud in POS transactions: PAs must join the Financial Intelligence Unit to report suspicious activities. Guidelines apply to both PA-P and PA-O. The RBI will ensure uniform rules for POS companies for fair competition, prioritising the safety of your money and reliable POS payments.