The Reserve Bank of India (RBI) on Thursday extended the deadline for wiping off card data on merchant sites and applying tokenisation by another six months as merchants and payments companies expressed their inability to meet the December 31 deadline.
In a statement on its website, the central bank said “at the request of industry stakeholders”, the timeline is being extended until June 30, 2022.
After that, all card data “shall be purged”. In addition to tokenisation, industry stakeholders must devise an alternative mechanism to handle recurring e-mandates, equated monthly instalment (EMI) options, etc. or any post-transaction activity that currently involves the storage of card-on-file data by entities other than card issuers and card networks.
On March 17, 2020, the central bank had said from June 30, 2021, merchant websites and payment aggregators should not store customer card data.
At the request of merchants and payment aggregators as well as card companies and banks, this timeline was extended until December 31, 2021. In order to avoid inconveniencing customers, the central bank on September 7 this year introduced card-on-file tokenisation (CoFT) services.
Ashish Agarwal, vice-president and head of policy, Nasscom, said this extension was valuable and would mitigate business and payments risks for customers.
“We really hope the Banks and other ecosystem players look at this extension with responsibility and comply with the timeline now.”
Sijo Kuruvilla, executive director, Alliance of Digital India Foundation, said “thanks to the RBI for listening to stakeholders and acknowledging the readiness challenges. The extension gives a breather to all players in the payment ecosystem.”
Tokenisation refers to the technology of substituting sensitive card data with random numbers. The merchant sites get this random set of numbers while processing is done by the card-issuing bank or the card company such as Visa, MasterCard, or Rupay.
Card on file tokenisation (CoFT) is used to register card data with a merchant site in a manner that the basic details reside with the card company or the issuer bank, but not with the merchant, so that the customer does not have to key in his or her details every time for a transaction.
The deadline for card tokenisation had created problems in the payments industry because not all banks and payment companies were ready with the infrastructure. Many customers who were upset with the RBI decision to change the recurring payments to a consent-based system were not willing to tokenise their card details for the new system.
Besides, most merchants and even banks were not prepared to switch to the new system on time. The payments industry had lobbied for two years at least for a smooth transition, according to reports.
In a status check report earlier this week, Business Standard quoted Sanjeev Moghe, executive vice-president and head (cards and payments), Axis Bank, who said some merchants had completed the changes for customers to tokenise their cards, and many others were expected to be ready by the end of the year with the proposed changes.
Vishwas Patel, chairman, Payments Council of India (PCI), and director, Infibeam Avenues, however, said: “A few card-issuing banks are not ready, and some merchants are taking time, so it might be a challenge for the ecosystem to go live from January 1, 2022.”
The tokenisation services of Visa and Mastercard have been tested in other countries. Rupay was also ready with its technology, but it was untested, being the newest card network, mainly concentrated on India.
According to food delivery and e-commerce executives, even as payments firms are ready with the technology, customers are not.
“We are ready with our solution. However, we are unable to offer it to most card customers because the upstream support for all banks and card networks is far from 100 per cent,” said an executive at a food delivery unicorn.
Rameesh Kailasam, chief executive officer and president of IndiaTech.org, an industry association representing India’s technology start-ups, unicorns, and investors, said: “All banks, processing banks that process tokens, payment networks, payment processors, and millions of merchants have to build support to fetch tokens, purge card data, and rewire internal logic. This will take time. Ideally, a graduated process is the need of the hour and while the RBI had given enough time, clarity emerged largely around September.”
But companies had started their own tokenisation solutions. PayU, an online payment solution provider, has launched “PayU Token Hub”, which offers both network tokens and issuer tokens under a single hub.