No Entity Can Store Card Data: RBI | 08 Sep 2021

Recently, the Reserve Bank of India (RBI) has given new directions in relation to storage of bank\card data by entities or other merchants.

It has directed that no entity or merchant, other than card issuers and card networks, should store card details. It will reduce the frauds that occur by sharing card details.

About:
- With effect from January 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data. Any such data stored previously will be removed.
- It has also extended tokenization of Card-on-File (CoF) by card issuers.
- It has permitted card issuers to offer card tokenization services as Token Service Providers (TSPs).
  - The facility of tokenisation will be offered by the TSPs only for the cards issued by or affiliated to them.
Tokenization:
- Tokenization refers to replacement of actual card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
- The token is used to perform card transactions in contactless mode at point-of-sale terminals, quick response and code payments.
Card-on-File :
- A CoF transaction is a transaction where a cardholder has authorised a merchant to store the cardholder’s Mastercard or Visa payment details.
- The cardholder then authorises that same merchant to bill the cardholder’s stored Mastercard or Visa account.
  - E-commerce companies and airlines and supermarket chains normally store card details in their system