In terms of the Reserve Bank of India (RBI) circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated 17 March 2020 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, the authorised non-bank payment aggregators and merchants on-boarded by them were prohibited from storing card data (CoF) from 30 June 2021. At the request of industry stakeholders, this timeline was extended to 31 December 2021, vide circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021. Further, regulations on CoF Tokenisation (CoFT) were issued vide circular CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated 7 September 2021, on “Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services”.
In light of various representations received in this regard, we advise as under:
the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged; and
in addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/loyalty programme, etc.) that currently involves/requires the storage of CoF data by entities other than card issuers and card networks.
This directive was issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).