In January 2019, the Reserve Bank of India (RBI) released guidelines on tokenisation for debit, credit, and prepaid card transactions. In March 2021, it asked all financial players to move towards tokenisation by 31st December 2021. Now, ecommerce companies and others, who store such users’ card data, have another six months to comply with the rules.
Aimed at regulating India’s fintech ecosystem, the RBI had brought in a slew of changes in the past few years. The recent one among these was aimed to regulate payment aggregators (PA) and ecommerce merchants, restricting them from storing card data. In March, it had said, “With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data. Any such data stored previously will be purged.”
Now, the central bank also allowed the payment industry to devise new methods to handle recurring and EMI payments without storing cards. It has asked all non-bank payment system participants and merchants to purge card data from their systems by June 30, 2022.
Tokenisation involves replacing actual card details with a unique alternate code — ‘token’. The novel feature would be a combination of card, token requestor and identified device, with card networks such as Visa, Mastercard and others at the centre of payment services.
To date, several firms have moved towards tokenisation, including Google Play stating that it will not collect card data, asking users to move towards tokenisation of cards to maintain a smooth flow of transactions. It also partnered with Mastercard for the same.
A few weeks ago, PhonePe announced the launch of its SafeCard — a tokenisation solution for online debit and credit card transactions. PhonePe’s SafeCard will make recurring payments convenient and safe, by allowing payment providers to save cards using tokens. This solution supports all major card networks such as Mastercard, Rupay, and Visa. PineLabs, too, launched Plural Tokenizer, a CoF tokenisation solution that will replace the debit or credit card details of the cardholder.
Delhi NCR-based fintech PayU on the other hand launched “PayU Token Hub”, enabling businesses to comply with RBI’s guidelines on online card data storage whilst allowing issuing banks to also generate their tokens.
In October, the National Payments Corporation of India (NPCI) launched the NPCI Tokenisation System (NTS), which will tokenise and mask the real RuPay card details (CoFT: card-on-file tokenisation). With the NTS, RuPay cards can be tokenised to protect customer data and privacy.
Without the deadline, customers of major online digital platforms such as Amazon, Zomato, Meesho would be affected, since these marketplaces would have had to delete customer card data. They still need to move towards tokenisation, enabling access to card networks such as Visa, Mastercard and RuPay to issue tokens on behalf of the card-issuing banks or companies.
The Payments Council of India (PCI) welcomes the deadline stating that it would help “payments system participants and merchants to implement comprehensive card-on-file solutions”. The industry will utilise the next six months to implement appropriate uniform solutions for seamless migration for cardholders as well as ensuring adequate security for storage, it added.