- With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
- For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.
From RBI: On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –
-
- Extend the device-based tokenisation framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.
- Permit card issuers to offer card tokenisation services as Token Service Providers (TSPs).
- The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.
- The ability to tokenise and de-tokenise card data shall be with the same TSP.
