RBI Update: Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]

Reserve Bank of India (RBI) circulars  dated March 17, 2020 and  dated March 31, 2021 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, and  dated September 07, 2021 on “Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services”.

In terms of these circulars, with effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the CoF data, and any such data stored previously shall be purged. Subsequently, to allow more time to the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity, this timeline was extended to June 30, 2022, vide circular dated December 23, 2021 on “Restriction on storage of actual card data [i.e. Card-on-File (CoF)]”.

 It is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants. Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far.

It has been decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, 2022, after which such data shall be purged.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these

Skip to content