MUMBAI: E-commerce companies and other establishments that accept online payments will now have six months to delete credit card data from their systems. The Reserve Bank of India on Thursday said it is extending its deadline by six months for non-bank payment aggregators and merchants to purge already stored card data.
The central bank allowed the payments industry to develop new methods for storing recurring payments and equated monthly installment (EMI) payments without cards. On March 31, 2021, RBI had asked all non-bank payment system participants and merchants to purge card data from their systems by December 31, 2021.
Online billers, including e-commerce companies, ticketing services and other providers, are storing credit card data in their customers’ accounts so that customers do not have to key in the card data every time they pay. RBI does not want entities that do not regulate to store card information as some merchants store millions of card information and breaches may result in card information being exposed.
According to central banking sources, the number of malware attacks on merchant establishments is on the rise.
To ensure that the card data is not put at risk as well as ensure that the customer is not inconvenienced, RBI has issued token guidelines. Here the customer authorizes the bank or payment network (Visa, MasterCard, RuPay) to issue a token to the merchant, which matches their account. The merchant then uses the token in place of the card to accept payments and process refunds. If the merchant’s server is breached and the token data is stolen, it cannot be used by hackers.
“We would like to thank RBI for giving the industry so much needed time to step up its efforts and work towards achieving the real intent of this guideline. PCI Will work with industry and RBI to handle any use cases such as chargeback handling, dispute resolution, refunds including reward/loyalty programs and post-transaction activity that currently involves storage of card data by entities other than cards require issuer and card network,” said Vishwas Patel, Director Infibeam Avenues and Chairman of Payments Council of India.
“As an industry, we are strongly committed to achieving RBI’s vision of enhanced customer security of customer card credentials and everyone has started that journey,” said Srinivasu MN, Founder, billdesk and co-chair bbps Committee at PCI said that the industry will utilize the next six months to implement similar solutions suitable for seamless migration for cardholders as well as to ensure adequate security for storage.
The central bank allowed the payments industry to develop new methods for storing recurring payments and equated monthly installment (EMI) payments without cards. On March 31, 2021, RBI had asked all non-bank payment system participants and merchants to purge card data from their systems by December 31, 2021.
Online billers, including e-commerce companies, ticketing services and other providers, are storing credit card data in their customers’ accounts so that customers do not have to key in the card data every time they pay. RBI does not want entities that do not regulate to store card information as some merchants store millions of card information and breaches may result in card information being exposed.
According to central banking sources, the number of malware attacks on merchant establishments is on the rise.
To ensure that the card data is not put at risk as well as ensure that the customer is not inconvenienced, RBI has issued token guidelines. Here the customer authorizes the bank or payment network (Visa, MasterCard, RuPay) to issue a token to the merchant, which matches their account. The merchant then uses the token in place of the card to accept payments and process refunds. If the merchant’s server is breached and the token data is stolen, it cannot be used by hackers.
“We would like to thank RBI for giving the industry so much needed time to step up its efforts and work towards achieving the real intent of this guideline. PCI Will work with industry and RBI to handle any use cases such as chargeback handling, dispute resolution, refunds including reward/loyalty programs and post-transaction activity that currently involves storage of card data by entities other than cards require issuer and card network,” said Vishwas Patel, Director Infibeam Avenues and Chairman of Payments Council of India.
“As an industry, we are strongly committed to achieving RBI’s vision of enhanced customer security of customer card credentials and everyone has started that journey,” said Srinivasu MN, Founder, billdesk and co-chair bbps Committee at PCI said that the industry will utilize the next six months to implement similar solutions suitable for seamless migration for cardholders as well as to ensure adequate security for storage.
,