Explainer: RBI's norms on card data storage and tokenization

Breaking down tokenization, RBI's rule on card data storage, and ADIF's recommendations.

What’s the RBI’s rule on card data storage?

In April 2020, the RBI issued new guidelines on the regulation of payment aggregators and payment gateways. Under those norms, merchant sites were barred from storing customer card data and related financial data from July 2021.

Responding to this, top merchants including Amazon, Microsoft, Netflix, Flipkart and Zomato wrote to the RBI in February 2021 stating that these rules would hamper the customer payment experience on their platforms, and appealed to be allowed to store customers' credit card data.

The RBI, however, rejected the demand.

In September 2021, the central bank extended the deadline to January 1, 2022, and announced that it would allow card-on-file tokenisation for e-commerce companies.

As per the notification:

With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.

As per the new digital payments guidelines, the RBI permitted card networks/aggregators to offer card tokenisation services.

What exactly is tokenization?

Tokenization is the process of replacing card details with a unique code (a token) generated by an algorithm. It is typically used to prevent credit card fraud. The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.

The tokens are generated by a token service provider, which could be the card-issuing bank or payment networks like Visa, MasterCard etc. They provide these tokens to mobile payment or e-commerce platforms so that they can be used during transactions instead of the customer’s credit card details.

These tokens can thus be used for payments without actual bank details being exposed. The actual bank account number is held safe in a secure token vault.

Put simply, tokenization replaces sensitive cardholder details with a stand-in token. This helps secure the customer's bank account details in credit card and online transactions.
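To make the roles concrete, here is an added toy model (not code from the RBI or any token service provider) of the arrangement described above: a token service provider keeps the vault that maps tokens to card numbers, and the merchant keeps only the token. The card number, the "TKN" prefix and the token length are constructed assumptions for illustration.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject malformed card numbers before tokenizing."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy token service provider: the only party that can map a token back to a card number."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}   # the 'secure token vault'

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        # The token is random, not derived from the card number, so a leaked
        # token reveals nothing about it; the loop guards against collisions.
        while True:
            token = "TKN" + secrets.token_hex(8)    # assumed token format
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault owner (issuer/network) can do this, never the merchant."""
        return self._pan_by_token[token]


def store_card_on_file(vault: TokenVault, pan: str) -> dict:
    """What a merchant may keep under the norms: the token, never the card number."""
    return {"card_on_file": vault.tokenize(pan)}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if the card number (or any 8-digit run of it) appears in the merchant's record."""
    blob = " ".join(str(v) for v in record.values())
    return any(pan[i:i + 8] in blob for i in range(len(pan) - 7))


if __name__ == "__main__":
    vault = TokenVault()
    merchant_db = store_card_on_file(vault, "4111111111111111")   # constructed test number
    print(merchant_db, record_exposes_pan(merchant_db, "4111111111111111"))
```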

Why is RBI pushing tokenization?

Recently, there have been incidents where card data stored by some merchants has been compromised or leaked. Any leakage of Card-on-File (CoF) data can have serious repercussions because many jurisdictions do not require an Additional Factor of Authentication (AFA) for card transactions.

According to the RBI, stolen card data can also be used to perpetrate frauds within India through social engineering techniques.