The RBI has decided to extend the implementation of card-on-file (CoF) tokenisation norms by six months to June 30, 2022.
Payment gateways, merchants and e-commerce companies will have to follow RBI directions and implement the tokenisation norms.
The RBI has directed that all merchants and e-commerce firms should delete sensitive data of the customer relating to their card details.
Currently, commerce companies and airlines and supermarket chains store card details of their customers. They will have to delete such data.
Ahead of the supposed changes, banks and payment merchants have been informing their customers through SMS and emails.
Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the “token”.
The token will be unique for a combination of card, token requestor and device. They will vary from transaction to transaction.
Online players will have to delete any credit and debit card information stored on their platforms and replace them with token.
Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number and also their CVV number.
Reasons for postponement
Merchants say that their backend systems are not yet ready to adopt the new regime and have sought further time.
Some banks have also asked RBI for extending the deadline as they do not possess the technology to implement the rules.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. This reduces chances of fraud.
Entering card number, expiry date and CVV will be cumbersome exercise and may impact transaction value.
Online merchants may lose up to 20-40% of their revenues due to tokenisation norms if hurriedly implemented.