
RBI Extends Compliance Deadline for Non-Bank PAs on Card Data Storage to Dec 2021

Digital Payments / UPI
Live · in force. No withdrawal recorded as of 19 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
Quick answer: RBI has extended the deadline for non-bank Payment Aggregators to implement tokenisation and stop storing customer card credentials by six months, to December 31, 2021. This one-time relief aims to give industry time to deploy workable solutions like tokenisation.

What changed

The RBI circular dated March 17, 2020, mandated that neither Payment Aggregators nor their merchants can store customer card credentials. Based on industry requests, RBI has now extended the compliance timeline for non-bank PAs by six months, to December 31, 2021, as a one-time measure. All other provisions of the earlier circular remain unchanged.

What it means for you

Non-bank Payment Aggregators get additional time to implement tokenisation and other secure solutions, reducing immediate compliance pressure. Banks and other payment system participants must continue to ensure that no card credentials are stored beyond the new deadline. This extension provides a window for smoother transition but does not dilute the ultimate requirement to stop storing sensitive card data.

What you must do

Who it affects

Non-bank Payment Aggregators, Payment Gateways, E-commerce marketplaces involved in payment aggregation, Merchants onboarded by Payment Aggregators

Does this extension apply to bank Payment Aggregators as well?

No, the extension is specifically for non-bank Payment Aggregators. Bank PAs were already required to comply by September 30, 2020, as per earlier circulars.

What happens if a non-bank PA fails to comply by December 31, 2021?

The circular does not specify penalties, but non-compliance would mean violating RBI's directive under the Payment and Settlement Systems Act, 2007, which could lead to regulatory action including possible suspension or revocation of authorisation.

Are e-commerce marketplaces that use a separate PA affected by this rule?

Yes, but only if they are directly undertaking payment aggregation. If they use a separate PA, they are treated as merchants and must ensure their PA complies with the storage ban.

Official source: RBI/2020-21/117 on rbi.org.in
AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · published · 19 Jun 2026, 12:30 IST
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12050&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.