The Reserve Bank of India (RBI) recently introduced requirements for the deletion of card data by entities in the transaction chain and a transition to tokenisation of card details with effect from 1 January 2022. An outcry from the payments industry has now led to this deadline being extended by six months; but will an extension to 30 June 2022 provide enough motivation for the industry to comply?

Chain of events and 2021 Circular

This chain of events started with the issuance of the 2019 Circular on 8 January 2019, when the RBI permitted card tokenisation by card networks (eg, Visa and Mastercard) for any token requestor. "Tokenisation" involves replacing the actual card details with a token: a surrogate number that is unique to a combination of elements involved in tokenisation (eg, the card, the device ID, the token requestor ID and the merchant), so that the token is of no use outside that combination. This facility was to be made available for the mobile phones and tablets of interested card holders. Subsequently, in August 2021, the facility was also extended to laptops, computers and wearable devices (eg, smart watches and bands).

The RBI's intention here was to protect card data; this can be traced back to the Guidelines on Regulation of Payment Aggregators (PAs) and Payment Gateways dated 17 March 2020. An increasing number of transaction frauds and data breaches were linked to data stored with merchants and PAs. These guidelines required PAs and merchants to cease storing end users' card data. This move also lessened the convenience of card transactions, as each user would have to re-enter their card details for every transaction. The RBI remained firm and issued a clarification on 17 September 2020,(1) in which it reiterated that merchants and PAs cannot store card data, irrespective of their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The distinction matters: PCI DSS permits storage of the card number if it is protected (eg, encrypted or truncated) and prohibits only sensitive authentication data such as the CVV after authorisation, whereas the RBI prohibits storage of the card number outright. On 31 March 2021, the RBI extended the timeline by six months (ie, until 31 December 2021) for non-bank PAs to achieve compliance with the card storage restrictions and implement workable solutions, such as tokenisation.

Subsequently, on 7 September 2021, the RBI issued the circular "Card on File – Tokenisation Services" (2021 Circular). Under the 2021 Circular:

  • no entity in the card transaction or payment chain (apart from card networks and issuers) can store actual card data henceforth. Any card data currently stored is to be deleted by 1 January 2022 (now updated to 30 June 2022; further information below); and
  • only the last four digits of the card number and the card issuer's name may be saved for the limited purpose of transaction tracking or reconciliation purposes.

Adapting to new data protection requirements

Tokenisation is a global best practice aimed at keeping card details out of the hands of any entity other than the card holder and the card network or issuer, and the 2019 Circular was welcomed by some industry stakeholders as a measure in the interest of security. However, its sequel, the 2021 Circular, has not been as graciously received. Although the 2021 Circular allows card issuers to undertake tokenisation (in addition to card networks), industry stakeholders have been troubled by its (comparatively) vague pronouncements.

The anxiety felt by some merchants and stakeholders was, in part, due to the short implementation period from September to December 2021 and a lack of clarity on some operational issues. The foremost concern was industry unreadiness for implementing tokenisation-related infrastructure. A single entity's readiness matters little when most stakeholders in the transaction chain (eg, issuers and acquiring banks) need to introduce technological infrastructure to meet the requirements of the proposed tokenisation. For instance:

  • merchants have to develop options to allow end users to deregister the tokens;
  • card issuers have to develop facilities that enable end users to view the list of merchants that they have registered a token with; and
  • token service providers have to install mechanisms to verify that a transaction request originates from the merchant and the token requestor with which the token is associated, so that a token stolen from one merchant cannot be replayed by another.(2)

In many instances, this may require a complete redesign of current technology and product offerings in the payment industry.
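The three obligations above (merchant-side deregistration, an issuer-side view of where a card is tokenised, and the token service provider's check that a token is only honoured for the merchant and requestor it was issued to), together with the limited data a merchant may retain, can be shown as a toy model. The following is an added illustration written for this article; it is not code from the RBI, any card network or any payment aggregator, and the class and method names, the 16-digit PAN-shaped token format, and the sample card number and entity names are assumptions made for the demonstration.

```python
# Added illustration, not from the RBI circulars or any card network.
# Entity names, method names and the sample PAN below are assumptions for the demo.
import secrets
from dataclasses import dataclass


def _luhn_check_digit(payload: str) -> str:
    """Luhn check digit for `payload`, so issued tokens look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and _luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class Token:
    value: str          # PAN-shaped surrogate that the merchant may store
    merchant_id: str    # merchant the token is bound to
    requestor_id: str   # token requestor that asked for it


class TokenServiceProvider:
    """Holds real PANs; in the circular's model only the network or issuer may."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str, str]] = {}   # token -> (pan, merchant, requestor)
        self._index: dict[tuple[str, str, str], str] = {}   # (pan, merchant, requestor) -> token

    def tokenise(self, pan: str, merchant_id: str, requestor_id: str) -> Token:
        """Issue (or reuse) the single token for this card + merchant + requestor."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        key = (pan, merchant_id, requestor_id)
        if key not in self._index:
            while True:   # random, non-reversible surrogate; loop guards against collisions
                body = "9" + "".join(secrets.choice("0123456789") for _ in range(14))
                token = body + _luhn_check_digit(body)
                if token not in self._vault and token != pan:
                    break
            self._vault[token] = key
            self._index[key] = token
        return Token(self._index[key], merchant_id, requestor_id)

    def detokenise(self, token: str, merchant_id: str, requestor_id: str) -> str:
        """Binding check: only the bound merchant and requestor may redeem the token."""
        entry = self._vault.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_merchant, bound_requestor = entry
        if (merchant_id, requestor_id) != (bound_merchant, bound_requestor):
            raise PermissionError("token is not bound to this merchant/requestor")
        return pan

    def deregister(self, token: str, merchant_id: str) -> bool:
        """Deletion at the card holder's request, triggered through the merchant."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False
        del self._vault[token]
        del self._index[entry]
        return True

    def merchants_for_card(self, pan: str) -> list[str]:
        """Issuer-side view: every merchant currently holding a token for this card."""
        return sorted({m for (p, m, _r) in self._index if p == pan})


def merchant_record(pan: str, issuer_name: str, token: Token) -> dict[str, str]:
    """The only card data a merchant keeps: the token, last four digits and issuer name."""
    return {"token": token.value, "last4": pan[-4:], "issuer": issuer_name}


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    sample_pan = "4111111111111111"            # constructed test number, not a real card
    tok = tsp.tokenise(sample_pan, "MERCHANT_A", "REQUESTOR_A")
    print(merchant_record(sample_pan, "Example Bank", tok))
    print(tsp.merchants_for_card(sample_pan))
    try:
        tsp.detokenise(tok.value, "MERCHANT_B", "REQUESTOR_A")   # replay by another merchant
    except PermissionError as e:
        print("rejected:", e)
```

The token is a random value held in the provider's vault rather than an encryption of the card number, so a merchant database dump yields nothing that can be reversed offline; the PAN is recoverable only through the provider, and only by the merchant and requestor pair named at issuance.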

In response to concerns raised by industry bodies and various other players, the RBI announced that the deadline for purging card-on-file data has been extended to 30 June 2022.

Comment

While the extension notification provides stakeholders some respite, no other changes or clarifications have been provided regarding the applicability of the 2021 Circular or its data storage requirements. The same obligations apply, albeit with six more months to figure them out.

The issues faced by the industry due to payment data localisation and the e-mandate system for recurring transactions are fresh in memory; it remains to be seen whether stakeholders can now ride out the impending wave of tokenisation, even with some more time to do so.

For further information on this topic please contact Kalindhi Bhatia at BTG Legal by telephone (+91 22 6177 2900) or email ([email protected]). The BTG Legal website can be accessed at www.btg-legal.com.

Endnotes

(1) See Annex.

(2) See Annex, conditions 3 and 6.