The authorized Payment Aggregators (PAs) nor the merchants on-boarded by them can store customer card credentials within their database or server.
Based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation, within the framework set out in the circular dated March 17, 2020 and our circular dated January 08, 2019 on “Tokenisation – Card transactions”. All other provisions of the circular dated March 17, 2020, shall remain unchanged.