“On a review of the issues involved and after detailed discussions with all stakeholders, as also keeping in view that sufficient time has elapsed since the requirements were specified, there shall be no change in the effective date of implementation of the requirements – all entities, except card issuers and card networks, shall purge the CoF data before October 1, 2022,” the regulator said in a notification on its website.
It also said that penal action, including imposition of business restrictions, will be considered in case of any non-compliance.
The regulator also put in place specific interim measures to provide ease of guest checkout transactions – where cardholders decide to enter the card details manually at the time of undertaking the transaction.
“Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, can save the CoF data for a maximum period of T+4 days (“T” being the transaction date) or till the settlement date, whichever is earlier. This data shall be used only for settlement of such transactions, and must be purged thereafter,” it said.
For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023.
As per the Reserve Bank of India’s latest order, all merchants must delete customer debit and credit card data on or before October 1 and replace card payments with unique tokens for all online, point-of-sale and in-app transactions.
Tokenisation is a process by which card details are replaced by a unique code or token, allowing online purchases to go through without exposing sensitive card details.