E-tailers can’t store your card data, says RBI

Source: TOI

What is the News?

Reserve Bank of India is all set to implement its revised set of guidelines on the card data storage policy from January 2022.

RBI’s Guidelines on Card Data Storage Policy:
  1. As per the guidelines, Payment Aggregators(PAs), Payment Gateways and online merchants shall not store card credentials of customers in their database.
  2. This means that customers who own a debit or credit card will have to enter their 16-digit card details — name, card number, expiry date and CVV — every time they do a transaction.
  3. The reason behind these guidelines is a series of ransomware attacks in the country, where computer networks open to the internet have been hijacked by malware.
What is the alternative method available?
  1. Payment aggregators and online merchants can implement tokenization as one of the alternative methods.
  2. The term tokenization means converting a meaningful piece of data, such as an account number, into a random string of characters known as tokens. 
  3. This ensures that the card information remains masked and helps prevent data theft and fraud. Moreover, these tokens have no meaningful value if breached.


  • Payment Aggregators: They facilitate e-commerce sites and merchants in accepting payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. Example: Billdesk.
  • Payment Gateways: These are entities that provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in the handling of funds.
Print Friendly and PDF