The Reserve Bank of India (RBI) on Thursday said with effect from October 1, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, can store CoF (card on file) data, and any such data stored previously must be purged.
The RBI made clear that as sufficient time had elapsed since the requirements were specified, there would be no change in the effective date of implementation of the requirements.
For ease of transition to an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”), the RBI, as an interim measure, has permitted entities other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, to save the CoF data for a maximum period of transaction date plus 4 days or till the settlement date, whichever is earlier.
“This data shall be used only for settlement of such transactions, and must be purged thereafter,” the RBI said in a circular.
For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023, it added.
“Appropriate penal action, including imposition of business restrictions, shall be considered by the RBI in case of any non-compliance,” the central bank added.