Reserve Bank of India (RBI) headquarters in Mumbai
Courtesy: Punit Paranjpe

RBI extends card tokenization deadline to June 30, 2022 after industry request

The Reserve Bank of India (RBI) has pushed out the deadline for card tokenization by six months, to June 30, 2022. The RBI’s new guideline, which mandates all merchants and payment gateways to erase sensitive customer data and utilize encrypted tokens to handle transactions, was originally set to take effect on January 1, 2022.

Reserve Bank of India (RBI) headquarters in Mumbai
Courtesy: Punit Paranjpe

Ecommerce businesses and others who keep such consumers’ credit or debit card information now have additional six months to comply with the new guideline. The RBI has introduced a slew of changes in recent years to regulate India’s fintech ecosystem. One of the most recent was meant to control payment aggregators (PAs) and e-commerce merchants by restricting them from storing card information.

RBI in a new circular said, “In light of various representations received in this regard, we advise that the timeline for storing of card-on-file [CoF] data be extended by six months, till June 30, 2022… and in addition to tokenization, industry stakeholders may devise alternate mechanisms to handle any use case or post-transaction activity that currently requires the storage of CoF data by entities other than card issuers and card networks.”

The announcement comes after concerns were raised by industry bodies such as the Alliance of Digital India Foundation (ADIF) and the Merchant Payments Alliance of India (MPAI) regarding the industry’s readiness for change.

The central bank has now authorized the digital payment providers to introduce new methods for processing recurring and EMI payments without storing cards data. It has instructed all non-bank payment system participants as well as merchants to delete card data from their systems by June 30, 2022.

Card tokenization simply means replacing actual card information with a unique alternate code called a ‘token.’ The new feature would be a combination of cards, identifiable devices, and token requestors, with card networks including Mastercard, Rupay, Visa, among others at the core of payment services.

So far, numerous service providers have moved toward tokenization, including Google Pay, which has announced that it will not collect card data and has asked customers to tokenize their cards in order to preserve a seamless flow of transactions. It also teamed up with Mastercard to comply with RBI’s guidelines.

PhonePe announced the introduction of its SafeCard, a tokenization solution for online debit and credit card payments, a few weeks ago. The SafeCard feature will enable recurring payments more conveniently and securely by allowing digital payment providers to store card information in form of tokens. PineLabs has also introduced Plural Tokenizer, a CoF tokenization system that will replace the cardholder’s or credit and debit card details. The National Payments Corporation of India (NPCI) unveiled the NPCI Tokenisation System (NTS) in October, which will tokenize and mask the actual RuPay card credentials (CoFT: card-on-file tokenization). RuPay cards can be tokenized using the NTS that will protect user data and privacy.

Customers of major online marketplaces which include Amazon, Meesho, and Zomato would have been impacted if the deadline was not extended, since these platforms would have had to purge customer card information. They must still proceed toward tokenization by having access to major card networks allowing them to issue tokens on behalf of card-issuing financial institutions or businesses.