RBI not willing to Drop Card Storage Clause

  • RBI has come out with new rules on the use of cards. Under the new guidelines, several cardholders, both debit and credit, making payments online in 2022 may have to enter their 16-digit card number every time they make an online payment, as opposed to just authenticating the transaction through the CVV (Card Verification Value) and the one-time password (OTP), which is the practice at present.
  • These rules are framed with the security of consumers as paramount, since it is felt that the current system is prone to breaches and cyber risks because customer card details are stored on the servers of merchants, which are not directly under the supervisory purview of the central bank.
  • Further, the new Payment Aggregator/Payment Gateway (PA/PG) rules will make it mandatory for every online merchant processing customer transactions to have access only to a “tokenized” key linked with the consumer’s card, instead of the entire card file.
  • However, India's payment gateways have requested the regulator, RBI, for exemption from select new regulatory norms that aim to prohibit merchants from storing card details and payment operators from offering one-click checkout services to consumers from January 2022.

Alternative solutions by the Industry Group:

  1. PCI (Payments Council of India), an industry group, has suggested alternative solutions beyond encryption through tokenization, such as “secure reference on file”, which minimizes customer inconvenience. They argue that since licensed aggregators are storing card data on isolated servers for chargeback references, this data may be used to allow one-click checkouts, subject to consumer consent.
  2. The industry group has also asked, in a letter to the RBI, for an extension of the compliance deadline. This is to enable them to inform consumers about the change and to allow sufficient time to ensure the entire card ecosystem is prepared to handle card transactions under the new solutions without adverse unintended consequences.

Though this rule was to be effective from July 2021, RBI had extended the deadline by six months after the industry lobbied for it. The gateways further say that customers will experience friction in subscription-based services that require storage of card data to bill them on a recurring basis. They also contend that without customer data, merchants will have to ask for the card information in every billing cycle, which will result in business disruption.
