Exclusive: RBI opposes dropping the card data storage clause from new rules


Mumbai: The Reserve Bank of India (RBI) is reportedly unwilling to grant Indian payment gateways' demand for exemptions from select new regulatory norms that, from January 2022, will prohibit merchants from storing card data and payment providers from offering consumers a one-click checkout, three sources aware of the matter told ET.

Under the new standards, from 2022 millions of cardholders, debit and credit alike, may have to enter their 16-digit card number every time they pay online, rather than merely authenticating the transaction with the card verification value (CVV) and a one-time password (OTP), as is common today.

The new rules for Payment Aggregators / Payment Gateways (PA / PG) require that an online merchant processing a transaction has access only to a "tokenized" key linked to the consumer's card, rather than the full card details.

While authorized card operators are allowed to store card data for the smooth processing of refunds and chargebacks, the new rules prohibit even these authorized operators from using that data for automatic checkouts.
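The split the two paragraphs above describe, with the merchant holding only a token and the authorized operator holding the card number in a vault, is easiest to see in code. The following is an added example written for this page; it is not code from the article, the RBI or any real PA/PG. Its design choices are assumptions: tokens are 16 digits, keep the card's last four digits, are drawn at random rather than derived from the card number, are deliberately rejected if they happen to pass the Luhn check (so a leaked token is never mistaken for a real card number), and are bound to the merchant they were issued to. The test card number used is the well-known Luhn-valid sample 4111 1111 1111 1111, not a real card.

```python
"""Tokenization vault: the merchant keeps a token, the aggregator keeps the PAN.

Added example, not from the article or any real PA/PG system. Assumptions,
all hypothetical: tokens are 16 digits, keep the PAN's last four digits,
are generated at random (not derived from the PAN) and are made to FAIL the
Luhn check so that a leaked token is never mistaken for a real card number.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit validation used for card numbers."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class MerchantCardRecord:
    """Everything a merchant is allowed to persist: no PAN, no CVV."""
    token: str
    last4: str
    expiry: str  # MM/YY


class TokenVault:
    """Runs inside the authorized aggregator; the merchant never sees _pan_by_token."""

    def __init__(self) -> None:
        # token -> (pan, merchant_id). A real deployment encrypts this at rest.
        self._pan_by_token: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str, merchant_id: str) -> MerchantCardRecord:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # 12 random digits plus the PAN's last four; reject the rare draw that
            # is Luhn-valid (could look like a card) or collides with an issued token.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if luhn_valid(token) or token in self._pan_by_token:
                continue
            break
        self._pan_by_token[token] = (pan, merchant_id)
        return MerchantCardRecord(token=token, last4=pan[-4:], expiry=expiry)

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Only the vault resolves tokens, and only for the merchant it issued them to."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("unknown token or token bound to another merchant")
        return entry[0]


def demo() -> dict:
    # Constructed input: a well-known Luhn-valid test number, not a real card.
    pan = "4111111111111111"
    vault = TokenVault()
    rec = vault.tokenize(pan, "12/26", merchant_id="shop-A")
    results = {
        "merchant_holds_pan": pan in (rec.token, rec.last4, rec.expiry),
        "token_len": len(rec.token),
        "token_last4_matches": rec.token[-4:] == pan[-4:],
        "token_passes_luhn": luhn_valid(rec.token),
        "same_merchant_resolves": vault.detokenize(rec.token, "shop-A") == pan,
    }
    try:
        vault.detokenize(rec.token, "shop-B")
        results["other_merchant_resolves"] = True
    except PermissionError:
        results["other_merchant_resolves"] = False
    # Tokenizing the same PAN for a second merchant yields a different token,
    # so two merchants cannot link a customer by comparing stored tokens.
    rec2 = vault.tokenize(pan, "12/26", merchant_id="shop-B")
    results["tokens_differ"] = rec2.token != rec.token
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one the industry dispute turns on: a merchant database holding only `MerchantCardRecord` rows is useless to an attacker without the vault, and the vault's `detokenize` is the single place where that decision is enforced. Whether the aggregator may call it on the merchant's behalf for a one-click checkout is exactly the policy question the RBI has, so far, answered in the negative.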

“The RBI’s new rules have been designed to put consumer safety first,” said an industry official who was aware of the matter. “The current system, while seamless, is vulnerable to security breaches and cyber risk as loyalty card data is stored on merchants’ servers that are not directly under the supervision of the central bank.”

The Payments Council of India (PCI), an industry group, has proposed alternatives to tokenization. It argues that since licensed aggregators already store card data on isolated servers for chargeback references, that data could be used to enable one-click checkouts, subject to consumer consent.


At a recent meeting between the regulator and gateway operators to take stock of progress in implementing the guidelines, industry groups called for the deadline to be extended again and for the storage condition to be lifted. The regulator is said to have rejected the request. PCI has also asked for a further extension of the compliance deadline in a letter to the RBI.

"In order for regulated entities to develop and implement solutions that meet the criteria, and to ensure that consumers are informed, we ask for sufficient time to ensure that the entire card ecosystem is ready to accept card transactions under the new solutions, with no adverse unintended consequences to be dealt with," says the letter, reviewed by ET.

The rules were originally to come into force in July 2021. The RBI extended the deadline by six months after the industry lobbied for it.

The RBI did not respond to inquiries.

The gateways say customers will experience friction with subscription-based services, which need stored card data in order to bill recurrently. Without stored card data, merchants would have to ask for card details every billing cycle, which would disrupt business, they say.

"Although this guideline of the RBI is correct, it leads to a blanket ban on service providers storing the financial information of their customers, even if these merchants have the necessary security standards or intend to have them, which affects the smooth flow of online payments," said Rameesh Kailasam, CEO and President of IndiaTech, an industry group of startups.

Earlier in the year, IndiaTech had made representations to both the RBI and the finance ministry to allow merchants with adequate security controls to store customer card data without encryption, so as to prevent disruption of the smooth checkout. Kailasam said IndiaTech is preparing another representation to repeat this point to the central bank before the deadline.

"Here it is important to understand that, from a practical point of view, device tokenization may not work in all use cases, e.g. subscription and device-independent payments," he said.

ET reported Thursday that at least 30 companies, including Tata Group, Amazon, Zomato and PhonePe, have applied for PA / PG approval under the new RBI framework, which was officially introduced in March 2020. The widespread interest among internet companies in an aggregator license can also be explained by their intention to move from being merchants to being payment processors, in order to reduce friction for customers when processing payments.

"The central bank is determined not to allow any further extension as of now, as the ecosystem has seen several high-profile breaches, mainly on the side of merchants and unauthorized payment aggregators," said the managing director of a payment gateway who attended the meeting with RBI representatives earlier this month. This year there have been high-profile cyberattacks such as those on JusPay, Mobikwik, Air India and Upstox.
