March 24, 2023

Card tokenisation last date put off by 6 months – Times of India

MUMBAI: E-commerce companies and other establishments that accept payment online will now have six more months before they have to delete credit card data from their systems. The Reserve Bank of India on Thursday said that it was extending by six months its deadline for non-bank payment aggregators and merchants to purge card data they have already stored.
The central bank also allowed the payment industry to devise new methods to handle recurring payments and equated monthly instalment (EMI) payments without storing cards. On March 31, 2021, the RBI had asked all non-bank payment system participants and merchants to purge card data from their systems by December 31, 2021.
Online billers, including e-commerce companies, ticketing services and other providers, have been storing credit card data in their customers’ accounts so that customers do not have to key in card data every time they make payments. The RBI does not want entities it does not regulate to store card information, as some merchants store information on millions of cards and a breach could result in that information being exposed.
According to central banking sources, the number of malware attacks on business establishments is on the rise.
To ensure that card data is not put at risk and at the same time ensure that the customer is not inconvenienced, the RBI has come out with tokenisation guidelines. Here the customer authorises the bank or payment network (Visa, Mastercard, Rupay) to issue a token to the merchant, which corresponds to their account. The merchant then uses the token in place of the card for accepting payments and processing refunds. If the merchant’s servers are breached and token data is stolen, it cannot be used by the hacker.
“We would like to thank RBI for giving industry this much needed time to scale up its efforts and work towards achieving the true intent of this guideline. PCI will work with the industry and RBI to come up with solutions to handle any use cases such as refunds and post-transaction activity, including chargeback handling, dispute resolution, reward/loyalty programme that currently requires the storage of card data by entities other than card issuers and card networks,” said Vishwas Patel, director Infibeam Avenues and chairman of the Payments Council of India.
“As an industry, we are firmly committed to achieving the RBI vision of enhanced customer protection of customer card credentials and have all embarked on that journey,” said Srinivasu MN, Founder, Billdesk and Co-chair of the BBPS committee at PCI. He said the industry will use the next six months to implement appropriate uniform solutions for seamless migration for cardholders as well as ensuring adequate security for storage.
