09 Jan 2023

Restriction-on-Storage-of-Actual-Card-Data-Card-on-FileCoF

Restriction-on-Storage-of-Actual-Card-Data-Card-on-FileCoF

RBI/2022-23/77
CO.DPSS.POLC.No.S-567/02-14-003/2022-23

June 24, 2022

All Payment System Providers and Payment System Participants

Madam / Dear Sir,

Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]

Reference is invited to Reserve Bank of India (RBI) circulars DPSS.CO.PD.No.1810/02.14.008/ 2019-20 dated March 17, 2020 and CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, and CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 on “Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services”.

2. In terms of these circulars, with effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the CoF data, and any such data stored previously shall be purged. Subsequently, to allow more time to the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity, this timeline was extended to June 30, 2022, vide circular CO.DPSS.POLC.No.S-1211/02-14-003/2021-22 dated December 23, 2021 on “Restriction on storage of actual card data [i.e. Card-on-File (CoF)]”.

3. On a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants. Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far.

4. Given the above, it has been decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, 2022, after which such data shall be purged.

5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Yours faithfully,

(P. Vasudevan)
Chief General Manager