Bankpulse
HomeSearchLatestCo-pilotRankingsCrosswalkHistoryWithdrawnDashboardsMethodologyGlossaryCircularsAskChangelogReviewsAbout
HomeCirculars › RBI/2021-2022/142

RBI Extends Timeline for Storing Card-on-File Data to June 2022

Digital Payments / UPI
Live · in forceNo withdrawal recorded as of 19 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
⏱ ~2 min read
Quick answerRBI has extended the timeline for storing actual card data (CoF) by non-bank payment aggregators and merchants to June 30, 2022. After this date, all such stored data must be purged. Industry can use tokenisation or alternate mechanisms for use cases like recurring payments and chargebacks.

What changed

The earlier timeline for storing CoF data was extended by six months from December 31, 2021 to June 30, 2022. Post this date, such data shall be purged. Additionally, RBI now allows industry stakeholders to devise alternate mechanisms beyond tokenisation for handling use cases that require CoF data, such as recurring e-mandates, EMI options, and dispute resolution.

What it means for you

Banks and payment aggregators get a six-month breather to comply with the CoF storage ban, but must ensure all stored card data is purged by June 30, 2022. The flexibility to create alternate mechanisms means lenders can explore solutions beyond tokenisation for recurring payments and chargebacks, reducing operational disruption. Non-compliance post-deadline could attract regulatory action under the Payment and Settlement Systems Act.

What you must do

Who it affects

Non-bank payment aggregators, Merchants on-boarded by payment aggregators, Payment system providers and participants (excluding card issuers and card networks)

What is the new deadline for purging stored card data?

The deadline has been extended from December 31, 2021 to June 30, 2022. After this date, all actual card data stored by non-bank payment aggregators and merchants must be purged.

Can we use alternatives to tokenisation for recurring payments?

Yes, RBI permits industry stakeholders to devise alternate mechanisms for use cases like recurring e-mandates, EMI options, chargeback handling, and loyalty programs, in addition to tokenisation.

Does this circular apply to card issuers and card networks?

No, the restriction on storing CoF data applies to entities other than card issuers and card networks. Issuers and networks are exempt from this purging requirement.

Key dataSee the live numbers behind this topic: RBI Penalty Tracker, Credit & Deposit Growth — updated from official RBI data.
Key termsPlain-English definitions of terms in this circular — see the full Indian banking glossary. UPI · KYC / AML · Deposit insurance (DICGC) · NEFT / RTGS
Track this rule
🗂 Master Direction family: Payment & Settlement Systems⏳ How this rule evolved — History Map →Full RBI rulebook crosswalk →
Official source: RBI/2021-2022/142 on rbi.org.in ↗
AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · published · 19 Jun 2026, 10:46 IST
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12211&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.