RBI Temporarily Allows Merchants and Payment Aggregators to Store Customer Card Credentials
This is only for settlement of transactions where cardholders decide to enter card details manually
The Reserve Bank of India (RBI) has temporarily allowed merchants or their Payment Aggregators (PAs) involved in the settlement of transactions where cardholders decide to manually enter card details to store Card-on-File (CoF) data for a maximum period of "Transaction Date + 4 days" or until the settlement date, whichever comes first.
This data will only be used for settlement of these transactions and will need to be purged thereafter, RBI said in a notification.
Currently, the card issuer and the card network benefit from the aforementioned exemption.
To manage other post-transaction activities, acquiring banks may continue to store CoF (customer card identifiers) data until January 31, 2023, RBI said.
The central bank stressed that there will be no change in the effective date of the implementation of the requirements relating to the "restriction of the storage of actual card data (CoF)": all entities, except for card issuers and card networks, must purge CoF data by October 1, 2022.
As of October 1, 2022, no entity in the card transaction/payment chain, other than card issuers and/or card networks, will store CoF data, and all such previously stored data will be purged, it added.
RBI has warned all payment system providers and payment system participants that appropriate criminal action, including the imposition of trade restrictions, will be considered in the event of non-compliance.
July 28, 2022