PremiumListen to this article |
The Reserve Bank of India (RBI) on Thursday extended the deadline to comply with new card storage rules by six months to June, following requests from industry bodies and other stakeholders.
“In light of various representations received in this regard, we advise...the timeline for storing of card on file data is extended by six months till 30 June 2022; post this, such data shall be purged," it said.
In March 2020, RBI issued norms for regulating payment aggregators and payment gateways, barring them from storing customer card credentials on their database or server from 30 June as a financial security measure. The regulator extended the deadline by six months to 31 December a year later. Referred to as tokenization, the process involves replacing actual card details with a unique alternative code called the token.
On Thursday, RBI said that in addition to tokenization, industry stakeholders may devise alternative mechanisms to handle any use-case that currently involves the storage of card data by entities other than card issuers and card networks.
Mint reported on Thursday that merchants are grappling with major technology integration challenges as they scramble to comply with the tokenization deadline.
Two industry associations, Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF), have expressed concern over the industry’s readiness for tokenization. In a joint statement on Wednesday, they said they requested RBI for an extension of the 31 December deadline to implement card data storage norms. The two bodies said they sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways, as well as the generation of consumer awareness about the impact of the policy change.
“This policy change affects three major players: banks, intermediary payment systems, and merchants. Merchants cannot start the testing and certification of their payment processing systems until banks, card networks, and payment gateways are certified and live with stable APIs for consumer-ready solutions," the statement said.
Some companies, however, have already launched tokenization services.
The National Payments Corp. of India (NPCI) has partnered with brands and aggregators such as Bigbasket, to introduce a tokenization facility.
Reacting to the extension, Ashish Aggarwal, vice-president (public policy) at Nasscom tweeted, “This extension is very valuable and will mitigate business and payments risks for customers. We really hope the banks and other ecosystem players look at this extension with responsibility and comply within the timeline now."
