RBI rejects merchants' demands to allow storage of customer credit card data

The Reserve Bank of India (RBI) has rejected merchants' demand to allow storage of customers' credit card data under the payment aggregators and payment gateway rules to be enforced from July 2021.

Merchants like Amazon, Flipkart, Microsoft, Netflix, and Zomato sought a meeting with the central bank claiming "inadequate representation," but were denied.

An official told the paper that the RBI has not allowed storage of credit card data as it believes this would "cause cybersecurity risks to customers" and merchants "do not have any locus standi as these norms pertain to payment aggregators and gateways."

Notably, these level-1 merchants collectively transact with 250 million customers. They wrote to the RBI on February 1, that not allowing storage of the data "disrupts a system that has been functioning seamlessly." The letter sought to represent merchants, banks, payment aggregators, and network operators such as Mastercard and Visa.

The RBI issued guidelines for payment gateways and aggregators on March 17, 2020. These also stop payment aggregators from storing customers' credit card credentials in their database or servers accessed by merchants.

Industry experts however feel this will "inconvenience customers, disrupt the digital payments ecosystem and lead to fragility issues." They also noted that this will likely affect subscription-based services that require storage of card data to bill customers and questioned the timing as India has not yet moved firmly into being a cash-less transaction economy.