Published On: 26 Dec 2021
RBI has allowed a further 6 months for the card tokenisation process to be implemented, setting a new deadline of June 30, 2022.
In March 2020, RBI announced its intention to replace actual card details with an alternate, unique code called the ‘token’. This was detailed under the ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’, which prohibited non-bank payment aggregators and merchants from storing customers’ credit card and debit card information on their servers and/or databases from 30th June, 2021. This is mainly to safeguard customers’ financial and personal information from misuse. The two leading industry associations, Alliance of Digital India Foundation and the Merchant Payments Alliance of India, jointly raised their apprehensions over the industry’s lagging preparedness to adhere to this new process, following which the deadline was pushed to 31st December 2021.
At the further insistence of the industry bodies, more time was sought for merchants to comply with the new guidelines. The challenge cited was the readiness of the entire payment ecosystem, which involves banks, card networks, payment aggregators, and payment gateways. An important additional factor is building consumer awareness of the policy change and its impact.
The latest statement released by RBI in this regard confirms that the existing process of storing card data is extended till 30th June 2022. After that date, all data shall be deleted, and the new process will be enforced. This has come as a respite for most merchants and payment aggregators, who can now work on gearing up their technical infrastructure to comply with the guidelines.
Consumers should note that in the new system (once implemented) all purchases will be initiated with a token, which will require your consent. Once consent has been provided, the merchant will be required to send the tokenisation request to the card issuer. The issuer then creates a token to serve as an alternative to your actual card. This is the token that the merchant is entitled to store for all future transactions, since a lot of user information will be masked in it. The authentication process using CVV and OTP remains unchanged.