The storage prohibition, originally to come into effect in June 2021, was deferred first to December 2021 and has now been deferred to June 2022 to give the market time to implement workable solutions while maintaining the seamlessness of card transactions. Since the notification of the PA PG Guidelines, the RBI has supported tokenisation as a viable solution.

Tokenisation refers to the conversion of customers’ card details to a unique token, which can be stored and used by merchants and intermediaries to execute card transactions with greater security and similar efficiency. To make tokenisation the industry norm and to complement the framework for device-based tokenisation (introduced in January 2019), the RBI issued a framework for CoF tokenisation in September 2021.

While many market players have indicated their in-principle readiness for tokenisation, several industry bodies, including the National Association of Software and Service Companies and the Alliance of Digital India Foundation, requested for a phased implementation of the data storage prohibition and the tokenisation mandate. They pointed out that the technological infrastructure required for tokenised card transactions had not yet been put in place by a number of participants in the transaction chain. Even for merchants that had the technical capability, the process remained incomplete as most cardholders had not consented or been migrated to the tokenised ecosystem. Thus, if card details were to be purged without being tokenised, cardholders would need to provide card details for each transaction, likely resulting in a significant fall in the number of card payments. Smaller merchants that have struggled to implement tokenised card transactions within the timeframe would be the most affected.

Industry representatives pointed out that the framework did not indicate how card payments such as e-mandates, EMIs, refunds, cashbacks and guest checkouts were to be processed. Such payments are typically processed by the merchant using the card details stored on its server. While the PA-PG Guidelines allowed storage of card credentials for a limited period for the purpose of transaction tracking and/or reconciliation, the guidelines on CoF tokenisation only allow the storage of the last four digits of the card number, which are allegedly inadequate for a merchant to process any subsequent transaction with a customer.

Crucially, besides deferring the timeline for the deletion of card data, the RBI has advised stakeholders to devise alternative mechanisms, in addition to tokenisation, for any use-case or post-transaction activity that currently involves storing card data. While the RBI maintains that merchants cannot store customer card data, alternative mechanisms may be developed to handle multiple use-cases, either linked to the payment transaction itself, such as recurring e-mandates and EMI transactions, or connected to post-transaction activities such as chargebacks, disputes, rewards and loyalty programmes. It is unclear what kinds of alternative mechanisms would be acceptable and whether they would need approval either by the RBI or by a licensed entity such as the card issuer or the card network.

The introduction of CoF tokenisation by the RBI was followed by the launch of several tokenisation-related offerings. The RBI’s latest clarification has been well received and the market may see the introduction of many more solutions that allow for the processing of card payments while minimising the exposure of card credentials.

This article was originally published in India Business Law Journal on 9 February 2022 Co-written by: Shilpa Mankar Ahluwalia, Partner; Shobhit Shukla, Associate. Click here for original article

Read Less-