The Reserve Bank of India vide circular dated December 23, 2021 has amended the Guidelines on Regulation of Payment Aggregators and Payment Gateways and guidelines for Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services. The authorized non-bank payment aggregators and merchants on-boarded by them are prohibited from storing card data (CoF) from June 30, 2021.
In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks.