Bankpulse
HomeSearchLatestCo-pilotRankingsCrosswalkHistoryWithdrawnDashboardsMethodologyGlossaryCircularsAskChangelogReviewsAbout
HomeCirculars › RBI/2022-2023/95

RBI Finalises Card-on-File Storage Ban: Oct 1 Deadline Stands

Digital Payments / UPI
Live · in forceNo withdrawal recorded as of 19 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.
⏱ ~2 min read
Quick answerRBI confirms no extension to the October 1, 2022 ban on storing actual card data (CoF) by non-issuers/networks. Merchants and PAs get a T+4 day window for guest checkout settlement data only; acquirers can store for post-transaction activities until January 31, 2023.

What changed

RBI has firmly rejected any change to the October 1, 2022 deadline for purging Card-on-File (CoF) data by all entities except card issuers and networks. As an interim relief, merchants and payment aggregators can retain CoF data for up to T+4 days (or until settlement, whichever is earlier) solely for settling guest checkout transactions. Acquiring banks are allowed to continue storing CoF data for post-transaction activities until January 31, 2023.

What it means for you

Banks and payment aggregators must urgently complete the purge of stored card data by October 1, 2022, or face penal action including business restrictions. The narrow T+4 day window for guest checkout data is a temporary concession, not a relaxation of the overall ban. Acquiring banks have a slightly longer runway until January 31, 2023, to adjust their post-transaction processes, but must plan for full compliance thereafter.

What you must do

Who it affects

All payment system providers and participants, Merchants and payment aggregators (PAs), Acquiring banks, Card issuers and card networks (exempted from purge)

What is the exact deadline for purging CoF data?

The deadline remains October 1, 2022. No extension has been granted. All entities except card issuers and networks must purge stored card data by this date.

Can we store CoF data for guest checkout transactions after October 1?

Yes, but only as an interim measure. Merchants and PAs can store CoF data for a maximum of T+4 days (T being transaction date) or until settlement, whichever is earlier, and only for settlement purposes. The data must be purged immediately after.

What happens if we fail to comply?

RBI has warned of appropriate penal action, including imposition of business restrictions, for any non-compliance. This is a serious regulatory requirement.

Key dataSee the live numbers behind this topic: RBI Penalty Tracker, Credit & Deposit Growth — updated from official RBI data.
Key termsPlain-English definitions of terms in this circular — see the full Indian banking glossary. UPI · KYC / AML · Deposit insurance (DICGC) · NEFT / RTGS
Track this rule
🗂 Master Direction family: Payment & Settlement Systems⏳ How this rule evolved — History Map →Full RBI rulebook crosswalk →
Official source: RBI/2022-2023/95 on rbi.org.in ↗
AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · published · 19 Jun 2026, 09:10 IST
Official RBI source: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12363&Mode=0 — Plain-English summary by BankPulse (bankpulse.ai), reviewed by Vikram Jain. Independent platform, not affiliated with the Reserve Bank of India; never reproduces RBI text verbatim.