RBI extends deadline for card tokenisation by another 3 months till Sept 30

Encourages cardholders to tokenise data themselves for preventing fraud

The Reserve Bank of India (RBI) is extending the deadline for card-on-file (CoF) tokenisation by another three months to September 30 as transaction processing based on such tokens is yet to gain traction across categories of merchants.

It was mandated that no entity in the card transaction or in the payment chain, other than the card issuers and / or card networks, can store the CoF data, and any such data stored previously be purged. The initial deadline was January 1, which was extended by six months.

CoF refers to card information stored by payment gateway and merchants to process future transactions.

“…it has been decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, after which such data shall be purged,” said a RBI notification.

After reviewing the situation, the regulator observed that considerable progress has been made in terms of token creation.

“Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far,” the notification said.

It urged customers to tokenise data, saying it was necessary to prevent fraud.

“There have been instances where such data [card number, expiry date] stored by merchants, etc., have been compromised. Given the fact that many jurisdictions do not mandate additional factor of authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data,” RBI said in a statement.

Commenting that 1.95 million tokens have been created so far and it is voluntary for the customers, that is, those who do not wish to create a token can continue to transact as before by entering card details manually at the time of undertaking the transaction, RBI urged customers to tokenise the card data.

“The Reserve Bank encourages cardholders to tokenise their cards for their own safety. Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” the regulator said.

Vishwas Patel, chairman of Payment Council of India (PCI) and executive director of Infibeam Avenues, said the Council was in discussions with its members and it has been observed that while the overall industry was striving and committed to meet the timeline, certain issues had emerged in the final rollout. Patel said this extension of three months will provide breathing space for all parties involved to comply with the tokenisation norms and help in a smoother transition.

“Solutions required to resolve the issues were being actively worked on but were to be primarily resolved by the networks, Issuers and Acquirers within the ecosystem. The timeline to implement the fixes was very close to 30-Jun-2022 and hence the industry perceives a risk to the overall readiness for a smooth transition to the tokenisation framework,” Patel said.

The RBI said the industry should use the extended time to facilitate stakeholders to be ready for handling tokenised transactions. The extended timeline should also be used to implement an alternate mechanism to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve /require storage of CoF data by entities other than card issuers and card networks. The regulator also asked the payment players to create public awareness about the process of creating tokens and using them to undertake transactions.