Only card firms, banks to keep card details, others must purge data: RBI

Tokenisation is used in online transactions where the actual card details keyed in are replaced by random digits

Anup Roy, Mumbai
Last Updated: Sep 08 2021 | 11:36 AM IST
The Reserve Bank of India (RBI) on Tuesday refused to extend its deadline for card tokenisation beyond the agreed date of January 1, 2022, scrapping single-click purchases but still sparing customers the hassle of typing in card details for every transaction.

Tokenisation is used in online transactions where the actual card details keyed in are replaced by random digits. Since card details will be saved only with the source banks and card issuers (such as Rupay, Visa, and Mastercard) and not with the merchants, leakage of card details will be prevented, as the merchant's database will hold random numbers instead of card details.

However, the RBI also extended a service that will enable the user not to key in 16-digit card numbers and other details if she so chooses. Only the bank or the card issuer can enable or disable that service, and not the payment aggregators or the merchants. The card details saved with the payment aggregators and merchants will have to be scrapped.

Saving of card details is called card on file (CoF), and the banks and card networks can do the tokenisation as token service providers (TSP). This Card-on-File Tokenisation (CoFT) service is being introduced by the RBI, enabling customer convenience while maintaining top-level security.

CoFT, “while improving customer data security, will offer customers the same degree of convenience as now. Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement,” the RBI said in a separate statement. 

The tokenisation has to be done based on customer consent, to be validated through an additional factor authentication, the RBI said in its notification.  

“With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data,” the central bank said in a statement, adding, “any such data stored previously shall be purged”.  

With this, the RBI extended the tokenisation mandate to every device that connects with the Internet, including mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc.   

This will come as a blow to payment aggregators, who were lobbying to keep card details saved with them or on the merchant sites they serve. One-click purchases will become difficult after this, as the customer will still have to provide a one-time password.

However, for transaction tracking, or reconciliation purposes, entities can store the last four digits of the actual card number and card issuer’s name – “in compliance with the applicable standards.”  

The RBI also made card networks responsible for “complete and ongoing compliance with the above by all entities involved”.

The payment aggregators and gateways had argued that the industry follows best practice and that the RBI can always demand stricter norms and the highest standards. They had demanded that the RBI let PCI DSS Level 1-certified merchants store the card details. Level 1 is the highest standard available under PCI DSS, or Payment Card Industry Data Security Standard.
