RBI Extends Card Tokenisation Deadline To June 30, 2022

The Reserve Bank of India (RBI) on Thursday extended the deadline for the 'tokenisation' of credit and debit card information stored with third-party merchants by six months to June 30, 2022. The notification issued by the RBI said that it took the decision, "in light of various representations received in this regard."

Initially, the set deadline was on January 1 next year.

While news outlets had reported that the RBI was considering an extension towards this deadline, some estimates outlined a severe disruption in e-commerce, and said that nearly 5 million (50 lakh) customers could be impacted. There was be a threat that such customers would move to unified payments interface (UPI) or would switch back to a more layman cash-on-deliveryFurther, the Confederation of Indian Industry said in statement dated December 22 that online merchants could lose up to 30% - 40% by the tokenisation move, which could disproportionately impact smaller online merchants. It went so far to say that "this would sound the death knell, causing them to shut shop."

The notification also added that alongside credit and debit card data tokenisation, various stakeholders in the industry also had the liberty to handle any other 'card-on-file' data (that's data stored with online merchants) by any entity or merchant other than a card network (like Visa, Mastercard or Rupay) or a card issuer (a bank). Such data includes recurring mandates and EMI options, or any post-transaction data like reward and loyalty points or cashback handling.

What is tokenisation?

As per the tokenisation mandate, card details cannot be stored on a third party merchant portal (like Flipkart, Amazon, Myntra, Swiggy, Zomato etc.), but only by the issuing authority and/or the card network. Once implemented, all existing card data on these merchant sites either need to be tokenised or deleted.

Prominent e-commerce websites and online stores that keep credit card information with them have already begun nudging their customers to tokenise their card details with them.

A 'token' of random digits is unique for a combination of the card details, the token requestor (which is the third-party app or device that processes payments) and the merchant, according to the RBI. Therefore, a single card may have multiple tokens associated with it across multiple merchants.

It also must be noted that tokenisation is not automatic and needs the express consent of the concerned user. Should a consumer not choose to tokenise their details with a merchant, they will have to manually enter their card details for every card transaction.

Also Read: RBI's Card Tokenisation Mandate: 5 Things You Need To Know