The Reserve Bank of India (RBI) on July 28 announced some relaxation to its card storage rules, which are set to get into effect on October 1, 2022. For guest checkout transactions the following are permitted as an interim measure: Merchants and PAs can store card data for 4 days: Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in the settlement of such transactions, can save the card data for a maximum period of 4 days from the date of the transaction or till the settlement date, whichever is earlier. "This data shall be used only for settlement of such transactions, and must be purged thereafter," RBI noted. Acquiring banks can store card data: For handling other post-transaction activities such as chargebacks and refunds, acquiring banks can continue to store card data until January 31, 2023. What are the new card storage rules: RBI’s new rules prevent merchants (like Amazon and Zomato) and payment aggregators (like PayU and Juspay) from storing the debit and credit card details of customers. The alternative for online card transactions is either guest checkout, where customers enter card details every time, or card tokenisation, where merchants store unique tokens of cards rather than actual card details and process transactions based on the tokens. Why does this matter? Both the alternatives, guest checkouts and tokenisation, are not ready for various reasons (covered in-depth here). This is why RBI extended the deadline from the end of June to the end…
