Merchants, companies can’t store card data from Jan 1: RBI

What is the News?

Reserve Bank of India(RBI) has directed that no entity or merchant, other than card issuers and card networks, should store card details — or card-on-file (CoF) — from January 1, 2022. Simultaneously, it has also extended the tokenisation of CoF by card issuers.

Reasons for RBI’s Ban on Storing card data

The merchants, payments aggregators, and even payment gateway players who get to store the card data are not registered with the RBI. 

Hence, the objective of the RBI’s decision is to create a better security framework for digital transactions, which have accelerated post the pandemic.

What is the solution then?

RBI has permitted authorised card networks to offer card tokenization services to any token requestor. This will make the card transactions more safe, secure and convenient for the users. 

RBI’s Guidelines on Tokenization

The facility of tokenisation will be offered by the token service providers(TSPs) only for the cards issued by or affiliated with them.

Tokenization of card data shall be done with explicit customer consent, requiring additional factor authentication by the card issuer.

What is a Card on File(CoF) Transaction?

Card on File(CoF) Transaction is a transaction where a cardholder has authorised a merchant to store the cardholder’s Mastercard or Visa payment details.

Source: This post is based on the article “Merchants, companies can’t store card data from Jan 1: RBI” published in Indian Express on 8th September 2021.