Payment aggregators, gateways, merchants not allowed to store customer data from July 1

Starting July 1, payment aggregators and gateways and merchants onboarded by them will not be allowed to store credit and debit card data of customers on their platforms, as directed by the Reserve Bank of India. With a little over a month left, merchants are worried that an alternative system may not be ready in time.

Payment aggregators, payment gateways and merchants can store card credentials of customers in their databases only until June 30, a deadline that has already been extended twice, most recently by six months on December 23.

In the absence of an alternative mechanism, customers using their credit or debit cards from July 1 will have to enter the details afresh for each transaction, including the 16-digit card number, expiry date and card verification value (CVV).

Payment companies and card networks Visa, Mastercard and RuPay are working to implement the alternative – Card on File Tokenisation (CoFT) – which replaces card details with a 'token' that will be unique for every debit or credit card and merchant platform where it is used.

However, the Merchant Payments Alliance of India (MPAI), whose members include digital platforms such as Netflix, Disney+ Hotstar, Spotify, Zoom, Microsoft, and Policybazaar, says the ecosystem is not ready to implement CoFT for all use-cases.