Banks want more time to meet card-on-file tokenisation norms

Tokenisation is the process of replacing the debit and credit card numbers with a set of characters or tokens

Ishaan Gera Manojit Saha New Delhi/ Mumbai

3 min read Last Updated : Dec 11 2021 | 12:49 AM IST

Some of the commercial banks are likely to miss the December 31 deadline set by the Reserve Bank of India (RBI) to comply with the card-on-file tokenisation norms that were announced in early September.

The banking regulator has instructed that only card-issuing banks and payment networks are allowed to store customer data from January 1, 2022, and all other entities in the payment chain will have to purge all previously stored data.

According to banking sources, most large banks and payment networks like Visa, Mastercard, and Rupay of the National Payment Corporation of India (NPCI) are ready to meet the deadline. Some mid- and smaller size banks, however, are not ready.

“Some of the card-issuing banks have requested the deadline to be extended,” said a source with direct knowledge of the issue.

On Friday, the banking regulator held a meeting with some of the stakeholders. “The RBI took updates from the players on their readiness,” the source said.

“The main work of tokenisation is done by the payment networks and the issuing banks. Once their systems are ready, they give it to the aggregators and merchants to implement,” a second source said.

Tokenisation is the process of replacing the debit and credit card numbers with a set of characters or tokens. This is mainly done for making the payments process more secure. Tokenisation is currently done by payment aggregators free of cost.

TAKING STOCK

Deadline to comply with the norms ends on December 31

Some mid- and smaller size banks have requested to extend the deadline

RBI meets stakeholders to take stock

RBI found that many entities involved in the card payment transaction chain store actual card details that lead to incidents of data leaking

While observing that many entities involved in the card payment transaction chain store actual card details, the RBI had said such customer details with a large number of merchants substantially increases the risk of card data being stolen.

There have been some recent incidents where card data stored by some merchants have been compromised or leaked.

“Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an Additional Factor of Authentication (AFA) for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” the RBI had said.

“We have asked the members for their readiness and give us an updated status so that we can go to the RBI with correct status of our members and there is a smoother transition to tokenisation by January 1, 2022,” said Vishwas Patel, chairman of the Payment Council of India, an apex body representing companies in payments and settlement system, told Business Standard.

The RBI, while allowing only card-issuing banks and merchant networks to store data, had clarified that for transaction tracking and reconciliation purposes, entities can store limited data — the last four digits of actual card number and the card issuer’s name.

“Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks,” the regulator had added.