The Reserve Bank of India (RBI) has extended the card on file tokenisation deadline by another three months to September 30 as transaction processing using the tokens is yet to gain traction.
“The industry stakeholders have highlighted some issues related to implementation of the framework in respect of guest checkout transactions. Also, number of transactions processed using tokens is yet to gain traction across all categories of merchants,” said the RBI on Friday.
“Given the above, it has been decided to extend the timeline for storing of CoF data by three months, that is till September 30, 2022, after which such data shall be purged,” said the RBI.
The previous deadline was June 30 and banks, payment players and merchants were gearing up to meet the norms, although many smaller players were still struggling to put in place the required infrastructure.
Initially, the RBI had set a deadline of December 31, 2021, to implement card on file tokenisation, after which entities other than card networks and card issuers could not store card data.
Card on File Tokenisation refers to a process where cardholders can create tokens, or a unique alternate code in lieu of card details; these tokens can then be stored by the merchants for processing transactions in future. This helps prevent fraud and leakage of card data while enhancing convenience. It is, however, a voluntary process.
The RBI noted that till date 19.5 crore tokens have been created. It also urged cardholders to tokenise their cards for their own safety.
“Cardholders’ payment experience will be enhanced through an added layer of security by way of tokenisation,” said the RBI.
Many industry players were hoping for a further extension and welcomed the move.
Vishwas Patel, Executive Director, Infibeam Avenues and Chairman, Payment Council of India (PCI), said the extension of three months will provide breathing space for all parties involved to comply with the tokenisation norms.
“It will surely help in a smoother transition. PCI has been in discussions with its members, and it has been observed that while the overall industry was striving and committed to meet the timeline, certain issues have emerged in the final roll out. Solutions required to resolve the issues were being actively worked on but were to be primarily resolved by the networks, issuers and acquirers within the ecosystem,” he said.
The timeline to implement the fixes was very close and the industry perceived a risk to the overall readiness for a smooth transition to the tokenisation framework, he further said.
The RBI said the extended time period can be utilised by the industry forfacilitating all stakeholders to be ready for handling tokenised transactions; processing transactions based on tokens; implementing an alternate mechanism to handle all post-transaction activities (including chargeback handling and settlement) related to guest checkout transactions, that currently involve / require storage of CoF data by entities other than card issuers and card networks; and creating public awareness about the process of creating tokens and using them to undertake transactions.