
RBI extends tokenisation deadline to June 2022

23 Dec, 2021

The Reserve Bank of India (RBI) on Thursday announced an extension to the initial deadline for tokenisation of card data. In a circular issued earlier today, India’s central bank announced that the deadline for non-banking payment aggregators and merchants to delete all stored card data has been extended by six months -- till June 30, 2022.

The initial deadline for businesses storing card information on their servers to delete all card data was June 2021. It was subsequently extended to December 31.

Tokenisation is a process that replaces explicit card data with anonymised tokens, which will be unique to each combination of user and platform.


The move comes after numerous companies and industry bodies appealed to RBI to extend the card-on-file tokenisation deadline. A number of industry bodies, including the Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF), had previously voiced their concerns around the purging of card data -- and written to the RBI expressing the challenges that the central bank’s tokenisation mandate brought to the table.

Numerous companies had also cited myriad technical challenges that tokenisation had brought to the table. Prasanna Lohar, VP of technology at DCB Bank, recently told TechCircle in an interview, “The certification process with card networks would take its own time. The technology is foolproof, but the challenge is that all of a sudden everybody wants to do everything at the same time.”

Reacting to the announcement, Ashish Aggarwal, VP and policy head at Nasscom, said, “This extension is very valuable and will mitigate business and payments risks for customers. We really hope the banks and other ecosystem players look at this extension with responsibility and comply within the timeline now.”

The RBI circular from earlier today also suggests that merchants and payment aggregators may “devise alternate mechanisms” to handle card payments in the meantime. The statement said, “Industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc) or post-transaction activity (including chargeback handling, dispute resolution, reward/loyalty programme, etc) that currently involves/requires storage of CoF data by entities other than card issuers and card networks.”

This provision may give companies the opportunity to convey alternate recurring payment methods to users, prior to eventually complying with the tokenisation mandate.