Banks, online merchants race to comply with RBI card data storage norms

New rules for banks, merchants & stakeholders kick in from January 1

With less than a fortnight to go before the new card data storage norms of the Reserve Bank of India (RBI) kick in on January 1, banks, merchants, and other stakeholders are racing against time to comply with the central bank’s diktat to ensure a smooth transition to the new regime.

Players in the ecosystem would have liked more time for this, but given the strong stance the RBI has taken, they are working towards meeting the deadline, experts said.

According to the norms, merchants, payment aggregators, and acquiring banks can no longer store the card details of customers. Under the new guidelines, only card issuers and card networks will be able to store them. Merchants and other entities that have stored the card details of customers will have to purge the data.

Many merchants have started complying with the norms. Hence, a number of them are asking their customers if they want to store their card details in a secured manner or in a tokenised format. Tokenisation is the replacement of an actual or clear card number with an alternative code called the “token”.

Once created, the tokenised card details will be used in place of an actual card number for online purchases initiated or instructed by the cardholder. Customers do not have to pay for the service of tokenising their cards.

It is not mandatory for customers to tokenise their cards. If their card is not tokenised, from January onwards the cardholder has to enter the card number, card verification value (CVV), and expiry date to complete online transactions.

Therefore, even if one does not tokenise one’s card, the transactions will go through but will not be a seamless/one-click checkout process.

Responding to a Business Standard query, Sanjeev Moghe, executive vice-president and head (cards and payments), Axis Bank, said the bank was in the process of making changes to be compliant with the new guidelines.

“Some merchants have completed the changes and customers can tokenise their cards and save details even now at these merchants. More merchants are expected to be live by the end of the year with the proposed changes. We are communicating this to our customers through SMS and emails, and have also created detailed FAQs for customers,” he said.

HDFC Bank, the largest card issuer in the country, has reached out to its customers, saying effective January 1, their card details saved on merchant websites/apps will go. 

Vishwas Patel, chairman, Payments Council of India (PCI), and director, Infi­beam Avenue, said: “A few card-issuing banks are not ready, and some merchants are taking time, so it might be a challenge for the ecosystem to go live from January 1, 2022.”

 A top executive at a payment aggregator company said the united payments interface (UPI) and net banking will cannibalise card transactions in the first couple of months after the tokenisation rule sets in. Although issues with the top use-cases in card payments have been fixed by e-commerce merchants, banks, and card networks, glitches in small use-cases like EMI payments and offer-linked payments are still being ironed out. “The tokenisation systems of MasterCard and Visa have been implemented in other countries, while Rupay’s tokenisation tech is being untested. We will know whether there is a disruption or not on January 1,” he said.

An executive at a food delivery unicorn said: “We are ready with our solution. However, we are unable to offer it to most card customers because the upstream support for all banks and card networks is far from 100 per cent.”

Rameesh Kailasam, chief executive officer and president of IndiaTech.org, an industry association representing India’s technology start-ups, unicorns and investors, said: “All banks, processing banks that process tokens, payment networks, payment processors, and millions of merchants have to build support to fetch tokens, purge card data, and rewire internal logic. This will take time. Ideally a graduated process is the need of the hour and while the RBI had given enough time, clarity emerged largely around September.”

Worldline India has developed a tokenisation solution for businesses to comply with the RBI’s norms.

Jagdish Kumar, vice-president (products and solution, digital commerce), Worldline India, said: “As far as card networks and gateways are concerned, most are ready. Though everybody would have loved a little more time, all are working towards the deadline. When it comes to merchants, they will be in compliance before the deadline. As for big merchants, they are in the integration and testing phases. They should go live this week.”

Following the RBI’s mandate on storage of card details, many companies have launched their tokenisation solutions. PayU, an online payment solution provider, has launched “PayU Token Hub”, which offers both network tokens and issuer tokens under a single hub.