The PCI welcomes RBI’s card-on-file tokenisation initiative

By Puja Sharma

Payments Council of India (PCI), the representative body of payment system participants in India welcomes the RBI notification on July 28, 2022, which provides further clarity on the implementation roadmap for the industry to adopt the tokenisation framework. The circular states that with effect from October 1, 2022, the industry must be ready to be fully compliant with the tokenisation guidelines.

The RBI has already extended the deadline for full compliance twice to allow the industry the time required to deploy the solution. Further, for certain use cases such as guest checkout (where the cardholder does not wish to store data), the industry has the option to deploy the solution in a phased manner, achieving full compliance by  January 31, 2023.

The card on file tokenisation framework is a significantly large effort by the regulator and the industry to support enhanced security while using cards for online payments. It essentially replaces the card number and other sensitive details with a token, that is used and stored by merchants (e-commerce sites), payment gateways/ aggregators (who process online payments), and acquiring banks (bank of the merchant accepting the card).

Only the issuing bank (the bank that gives cards to the customer) and the card networks (such as Visa, MasterCard, NPCI, and others) are allowed to store the customers’ card data for the generation of tokens. Along with the above, with the upcoming licensing of the payment aggregator business, PCI will continue to engage with RBI to allow licensed payment aggregators to store card data.

Welcoming the RBI notification, Mr. Vishwas Patel, PCI Chairman, and Director, Infibeam Avenues, said “Through PCI, we have been in constant discussions with RBI and the industry and we are very grateful to central bank for the immense support provided over the last few months. The Regulator has not only provided clarity across multiple technical aspects but has also supported much required time for the industry to build and test the new solutions. This is a testament to the regulator’s objective and goal of making card-based online payments safer for all customers across India.”

Payment aggregators and gateways play an integral role in processing online payments across multiple payment methods, such as cards, net banking, UPI, and other forms of payment. Over the past few years, with the boost of digital transactions in India, it has witnessed significant growth in the number of entities operating in this space. To maintain the safety and security of online payments and protect customers, the Reserve Bank of India introduced guidelines on the regulation of payment aggregators and gateways on  March 17, 2020. Entities operating under this space were required to apply to RBI for licenses to operate and had to comply with various eligibility and net worth criteria to maintain the security of the online payment ecosystem.

Patel further continued “The introduction of regulations in a growing space of online transactions was a welcome move by the central bank to maintain the integrity of India’s online payments ecosystem. We are thankful for RBI’s recent communication which factors in challenges entities had in submitting earlier applications and providing another window to submit applications until  September 30, this year.”