The Reserve Bank of India has postponed the online tokenization requirement for credit and debit cards by six months, until June 30, 2022, providing some relief to online payment systems and online shoppers in India.

The decision comes after companies such as the Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) expressed concerns about the industry's readiness. The industry bodies expressed their concerns about the industry's preparation for the RBI mandate on card-on-file tokenization, citing many management issues that will impede the shift to the token-based payments ecosystem.

The RBI's new requirement was set to take effect on January 1, 2022, and it was likely to affect online payments in several aspects. Merchants can no longer hold the debit and credit card details of Indian customers, according to the new RBI rule. Instead, they must cooperate with payment gateways to implement card tokenization.

Cyber criminals and hackers will have a harder time stealing or misusing credit and debit cards from websites and apps under the new restrictions. The new rules, on the other hand, add some friction to the payment system and make online payments less smooth.

The new rules will be rolled out on January 1, 2022, according to the RBI. Instead, the laws will take effect on July 1, 2022, giving online retailers, apps, and payment processors like Visa and Mastercard time to adapt.

Furthermore, when the new rules take effect, shopping sites and apps will be required to remove all previously saved credit and debit card information for Indian users. This causes problems for services that require ongoing payments, such as Google One's subscription service.

As RBI puts it, “in light of various representations received in this regard, we advise the timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022”.

RBI's decision has elicited diverse reactions. While some people have praised the added security that tokenizing card numbers will bring to online payments and transactions, others fear it will add extra complexity to an otherwise secure system. It's worth noting that, unlike in many other countries where debit and credit cards can be easily exploited for fraud, online transactions in India are more secure thanks to the OTP method. In most cases, all credit or debit transactions in India require the use of a one-time password (OTP), which adds an extra degree of security for consumers.

After June 30, “such data shall be purged”. Until then, RBI says, “industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including charge back handling, dispute resolution”.