Card tokenisation put off till June 30, 2022; RBI allows alternates

Heeding demands from stakeholders, the Reserve Bank of India (RBI) has extended the deadline for implementation of card tokenisation till June 30, 2022. The system, meant for protecting customers from frauds and data leaks, was originally meant to come into force from January 1, 2022.

Back in March last year, the central bank had prohibited payment aggregators and merchants from storing actual card data – the 16-digit permanent account number (PAN) of credit and debit cards, CVV number and expiration date – from June 30, 2021. This deadline was then extended till December 31, 2021 at the request of industry stakeholders. From the beginning of next year, merchants and card transaction platforms were supposed to delete all stored card data and replace the same with a 16-digit “token”, to be generated at a customer’s request.

However, several industry bodies had asked for time to implement card tokenisation on grounds of possible disruption and subsequent difficulties to customers as several small and medium players were still putting up infrastructure for facilitating card tokenisation. The switch to tokenisation was expected to create troubles for multiple players, including e-commerce firms, OTT platforms, as well as cause problems with EMI and buy-now-pay-later payments.

“In light of various representations received in this regard, we advise the timeline for storing of CoF data (Card-on-File data, referring to actual card details) is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged,” the RBI said in a statement on Thursday evening.

“In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks,” the banking regulator further added.

Card tokenisation refers to the process of replacing actual card details with an alternate code, called the “token”. This token would be a 16-digit code, unique for the combination of a credit or debit card, a token requestor, and a registered device.

Customers could also opt to reverse the process by converting their tokens back to actual card details, through a process called de-tokenisation. While, tokenisation is not mandatory, skipping this feature would have left customers without the security cover that comes with hiding card details.

Industry bodies, including the Indian Banks’ Association, Nasscom, Confederation of Indian Industry (CII), Merchant Payments Alliance of India (MPAI) and Alliance of Digital India Foundation (ADIF) had opposed the move to card tokenisation.

CII had estimated that 20-40% of online merchants would see loss of revenues on the back of disruption caused due to card tokenisation, forcing them, especially smaller ones, to shut shop.

According to the industry body, India has an estimated 98.5 crore cards, which are used for about 1.5 crore daily transactions collectively amounting to ₹4000 crore. RBI had pegged the value of Indian digital payments industry in 2020-21 at around ₹14.15 lakh crore.

Meanwhile, Nasscom and ADIF had sought phased implementation of card tokenisation over a period of two years, giving stakeholders time to install the required paraphernalia, ensuring a smooth transition.