The central bank has clarified to the industry that none of the intermediaries, not even licensed payment gateways and acquiring banks, would be allowed to store card data and offer tokenised files to merchants under the upcoming payment aggregator and payment gateway regulatory regime kicking in from 2022, two sources aware of the matter told ET.
Under the new norms, every online merchant processing transactions for customers will only have access to a ‘tokenised’ key linked with the consumer’s cards instead of the entire card file. The meeting was attended by members from industry segments such as payments, banking and e-commerce, the sources added.
“The central bank has reiterated its stance that it only sees tokenisation as an alternative solution for merchants aiming to offer a one-click checkout facility to customers,” said a source present at the meeting.
“It has also been made clear that only card networks and issuing banks will be allowed to tokenise files corresponding to customer card details. Payment aggregators and merchants will have to devise systems to avail this tokenised link from their respective banks or networks,” the person added.
Tokenisation is an encryption technology that enables card operators to mask the actual details of a debit or credit card by substituting them with a secure, unique digital token linked to a customer device.
Only this proxy token can be stored by merchants and aggregators to process payments and offer one-click checkouts. Merchants without access to tokenised links will have to ask customers to fill in the entire details of their card, including the 16-digit number, every time they make a payment.
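As an added illustration (not from the article, nor from any RBI, card network or issuer specification), the Python sketch below models the separation described above: a hypothetical token vault held by the network or issuer, a merchant that stores only a device-bound token, and an audit check a merchant or aggregator could run over its own card-on-file records to confirm no raw card number is stored. The card number, device ids and token format are constructed sample values.

```python
import re
import secrets

# Digit runs of card-number length; a real audit would also apply Luhn and
# scan structured fields. This is a deliberately simple leak check.
PAN_RE = re.compile(r"\b\d{13,19}\b")

def mask_pan(pan):
    """Show only the last four digits, as on a receipt."""
    return "X" * (len(pan) - 4) + pan[-4:]

def stores_raw_pan(records):
    """Audit helper: True if any stored value looks like a full card number."""
    return any(PAN_RE.search(str(v)) for v in records.values())

class NetworkTokenVault:
    """Hypothetical token service run by the card network or issuer.
    It holds the only mapping from token back to the card number (PAN)."""
    def __init__(self):
        self._vault = {}  # token -> (pan, device_id)

    def tokenise(self, pan, device_id):
        # Random token in dash-separated hex groups: a lookup key that carries
        # no information about the PAN, bound to the customer's device.
        token = "tok-" + "-".join(secrets.token_hex(2) for _ in range(4))
        self._vault[token] = (pan, device_id)
        return token

    def detokenise(self, token, device_id):
        # Only the vault can resolve a token, and only for the bound device.
        pan, bound = self._vault.get(token, (None, None))
        return None if pan is None or bound != device_id else pan

class Merchant:
    """Merchant card-on-file store: keeps tokens, never PANs."""
    def __init__(self):
        self.card_on_file = {}  # customer id -> token

    def save_token(self, customer, token):
        self.card_on_file[customer] = token

    def charge(self, customer, device_id, vault):
        # One-click checkout: present the stored token, let the vault resolve
        # it for the bound device, and keep only a masked PAN for the receipt.
        pan = vault.detokenise(self.card_on_file.get(customer), device_id)
        return None if pan is None else mask_pan(pan)
```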
The central bank’s insistence on strict card storage norms follows several recent high-profile cyber attacks such as those on JusPay, Mobikwik, Big Basket, Air India and Upstox.
RBI is said to be firm on its stand on customer security: it doesn’t want entities that are not under its direct supervision storing customers’ card details on their servers.
While payment aggregators will be allowed to store card details for processing grievance redressals and chargebacks, the new rules will stipulate a fixed period within which this data will have to be deleted.
ET reported last week that industry forums, including the Payments Council of India (PCI), have suggested to the central bank alternative solutions beyond encryption through tokenisation, such as secure reference on files, to minimise customer inconvenience.
RBI didn’t respond to ET’s mailed queries.