Banks want more time to meet card-on-file tokenisation norms | Business Standard News

Clipped from:, lendingThere have been some recent incidents where card data stored by some merchants have been compromised or leaked

Some of the commercial banks are likely to miss the December 31 deadline set by the Reserve bank of India (RBI) to comply with the card-on-file tokenisation norms that were announced in early September.

The banking regulator has instructed that only card issuing banks and payment networks are allowed to store customer data from January 1, 2022, and all other entities in the payment chain will have to purge all previously stored data.

According to banking sources, most large banks and payment networks like Visa, Mastercard and Rupay of National Payment Corporation of India (NPCI) are ready to meet the deadline. Some of mid and smaller size banks, however, are not ready.

“Some of the card issuing banks have requested the deadline to be extended,” said a source with direct knowledge of the issue.

On Friday, the banking regulator held a meeting with some of the stakeholders. “RBI took updates from the players on their readiness,” the source said.

“The main work of tokenisation is done by the payment networks, and the issuing banks. Once their systems are ready then give it to the aggregators and merchants to implement,” a second source said.

Tokenisation is the process of replacing the debit and credit card numbers with a set of characters or tokens. This is mainly done for making the payments process more secure. Tokenisation is currently done by payment aggregators free of cost.

While observing that many entities involved in the card payment transaction chain store actual card details, RBI had said such customer details with a large number of merchants substantially increases the risk of card data being stolen.

There have been some recent incidents where card data stored by some merchants have been compromised or leaked.

“Any leakage of CoF data can have serious repercussions because many jurisdictions do not require an AFA [Additional Factor of Authentication] for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques,” RBI had said.

“We have asked the members for their readiness and give us an updated status so that we can go to RBI with correct status of our members so that there is a smoother transition to tokenization by 1st January 2022,” said Vishwas Patel, chairman Payment Council of India – an apex body representing companies in payments and settlement system, told Business Standard.

RBI, while allowing only card issuing banks and merchant networks to store data, had also clarified for transaction tracking and reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name.

“Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks,” the regulator had added.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s