Money & Banking

Extend compliance deadline for halting storage of card details: ADIF to RBI

Yatti Soni Bengaluru | Updated on September 01, 2021

Seek exact timelines based on the solution and readiness of all industry players.

Alliance of Digital India Foundation, representing over 250 digital start-ups, has urged the Reserve Bank of India to extend the compliance deadline on the norm prohibiting payment aggregators and payment gateways from storing card details.

Some of the group members include Paytm, SHEROES, MapMyIndia, DemandPay, Buy Me a Coffee, Innov8, Trulymadly, and GOQii, among others. ADIF has submitted that payment aggregators and payment gateways seem unlikely to be prepared for compliance with the norm by December 31, 2021 (current deadline). The industry body argued that enabling card-on-file tokenisation will require issuers and networks to do some work before card-on-file tokenisation is ready. After that, payment aggregators will again need some time to integrate and work with upstream and downstream partners.

They added that most industry players follow software code freeze processes during the festive season (September 2021 to December 2021) and thus do not implement any major changes, which would again increase the required compliance time. “The exact timelines may be provided on the basis of solution and readiness of all industry players,” said Sijo Kuruvilla, Executive Director, ADIF.

This RBI rule on stopping card storage was initially given an implementation deadline of July 2021 but was later extended to January 2022 following industry push.

Further, ADIF has also suggested partnering with banks to take care of RBI’s concerns around securing card details. The industry claims to have done a lot of work on this solution in the last few months. This solution broadly includes partner banks offering a secure vault system where individual card numbers would be encrypted and stored with a unique, device-agnostic reference number or token for each card. The saved cards would then be aliased and returned in the form of tokens by the bank to the merchants and payment aggregators.

“ADIF represents a group of over 250 technology companies which includes merchants and PAs (payment aggregators), and understands that the security of its customer’s details is paramount. The proposed solution has been suggested with utmost security in mind and we feel that this should take care of the concerns that RBI has with respect to securely handling the consumer’s card details,” Kuruvilla added.

Another industry association, Payments Council of India (PCI) had earlier claimed to be closely working with RBI on charting a roadmap of the possible solutions that would not require the industry to enter their card details every time they want to make an online purchase. PCI had said that these solutions will adhere to the security checks, controls and frameworks prescribed by RBI.

Another industry association, which represents companies such as Ola, hike, Makemytrip, and Nykaa, among others, has said in its submission to the central bank that companies that can afford industry certifications like Payment Card Industry Data Security Standard (PCI DSS) Level 1 should be allowed to save customers’ card details with necessary reporting and audit mechanisms built to inform RBI. Further, the industry association has also suggested that beyond-device tokenisation should be allowed.

Last week, RBI had extended the scope of tokenisation from mobile phones and tablets to include all consumer devices (such as laptops, desktops, wearables, and IoT devices), a move welcomed by the industry. The central bank’s motive in bringing these rules on card details storage was to guard customer data against tech companies’ frequent data breach cases.

Published on September 01, 2021
