Reserve Bank Of India (RBI)to hold fire on the decision of card on file (CoF) tokenization for six months to June 30, 2022. Earlier, the deadline was December 31, 2021.
The decision came when the Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) posited their concerns over industry readiness on the recent Reserve Bank of India (RBI) directive on card-on-file tokenization (CoF) and wrote to the Central bank requesting an extension of the 31 December deadline for implementation of card data storage norms. MPAI and ADIF have in their letter underlined numerous operational challenges that will obstruct the transition to the token-based payments ecosystem.
“In light of various representations received in this regard, we advise as under:
- The timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged; and
- In addition to tokenization, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/loyalty programme, etc.) that currently involves/requires the storage of CoF data by entities other than card issuers and card networks.
This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007)” Sudhanshu Prasad, general Manager (Officer in Charge) mentioned in the notice released on the official Twitter handle of RBI today.
Restriction on storage of actual card data [i.e. Card-on-File (CoF)]https://t.co/14RFkpDpZl
— ReserveBankOfIndia (@RBI) December 23, 2021
Sijo Kuruvilla George, Executive Director, Alliance of Digital India Foundation said, “In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue – we are looking at revenues losses of anywhere between 20-40% at the minimum should that be the case. It’s also important to note that it’s only after the readiness of bank, card networks and API’s are made available that merchants are even able to take effective measures on their part to comply.”
What is Tokenization?
Tokenization is the process of exchanging sensitive data for non-sensitive data called ‘tokens’ that can be used in a database or internal system without bringing it into scope. Unlike encrypted data, tokenized data is undecipherable and irreversible. This distinction is particularly important: Because there is no mathematical relationship between the token and its original number, tokens cannot be returned to their original form without the presence of additional, separately stored data. As a result, a breach of a tokenized environment will not compromise the original sensitive data.