What changed
The earlier deadline of June 30, 2022 for purging stored CoF data has been extended to September 30, 2022. This follows stakeholder discussions noting token creation progress but slow merchant adoption and lack of a guest checkout alternative.
What it means for you
Banks and payment aggregators get three more months to comply, but must accelerate tokenisation and guest checkout mechanisms. Non-compliant entities risk regulatory action after September 30. The extension signals RBI's willingness to accommodate industry readiness while maintaining data security goals.
What you must do
- Ensure all stored CoF data is purged by September 30, 2022, except for card issuers and networks.
- Accelerate tokenisation adoption across merchant categories to handle recurring and one-time transactions.
- Develop and implement a guest checkout solution for manual card entry transactions before the deadline.
- Audit current data storage practices and confirm compliance with the tokenisation framework.
Who it affects
Payment system providers, Payment aggregators and gateways, Merchants storing card data, Card issuers and networks (exempted from purging)
What is the new deadline for purging CoF data?
The deadline has been extended to September 30, 2022. After this date, no entity except card issuers and networks can store actual card data.
Why did RBI extend the deadline?
Token creation has progressed but merchant adoption is slow, and a guest checkout alternative for manual card entry has not been implemented yet.
Does this affect guest checkout transactions?
Yes, the industry must implement an alternate system for guest checkout before the new deadline, as it remains unresolved.