The Reserve Bank of India (RBI) has been issuing guidelines from time to time on the regulation of Payment Aggregators (PAs) and Payment Gateways (PGs) in the interest of the consumer, as these entities hold large volumes of consumer data. The new guidelines issued by RBI forbid PAs and PGs from storing consumer card credentials on their database or server as a financial security measure. RBI has issued norms for regulating payment aggregators and payment gateways through various circulars, as amended from time to time and at the request of the industry stakeholders:
Vide circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 | The authorised non-bank payment aggregators and merchants on-boarded by them were prohibited from storing card data (CoF) from June 30, 2021.
Vide circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 | Further extended to December 31, 2021.
Vide circular CO.DPSS.POLC.No.S-1211/02-14-003/2021-22 dated December 23, 2021 on “Restriction on storage of actual card data [i.e. Card-on-File (CoF)]” | At the request of the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity, this timeline was extended to June 30, 2022.
RBI/2022-23/77 CO.DPSS.POLC.No.S-567/02-14-003/2022-23 Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)] dated June 24, 2022 | The timeline for storing the actual card data i.e. Card-on-File (CoF) has been extended by three months till September 30, 2022, post which new card storage rules shall apply.
Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries playing an important function in facilitating payments in the online space.
A payment gateway acts as a transaction intermediary between merchants and customers while a payment aggregator facilitates fund transfers between two parties and a bank. A Payment Aggregator can provide a Payment Gateway, but a Payment Gateway can’t offer or provide a Payment Aggregator.
With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the CoF data i.e. actual debit card/credit card data. Any previous data stored therein shall be purged. Accordingly, neither the authorized Payment Aggregators (PAs) nor the merchants on-boarded by them can store customer card credentials within their database or server.
All your saved credit and debit card details have to be deleted by 30th September, 2022, and you will need to manually enter all your card details for every online payment. However, your explicit approval will allow the merchant to work with your bank and card networks to provide you with the same seamless payment experience as earlier.
It is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants. Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders so far. In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks.
Example: While using the Amazon application, one used to save his/her card details on the application; when purchasing anything from the app, he/she only needed to input the CVV number followed by the OTP, and the transaction would take place successfully. But from September onwards, one needs to enter all the details manually, such as card number, name and card expiry, followed by CVV and OTP. This measure is taken to prevent unauthorized use of the card.
Tokenization refers to the replacement of actual card details with a unique alternate code called the “token”, which shall be unique for a combination of card, token requestor and device.
To improve the safety and security of card transactions, RBI has permitted card networks to offer tokenisation in card transactions for a specific use case.
All Payment System Providers and Payment System Participants authorized card payment networks are permitted to offer card tokenization services subject to the conditions listed in circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 08, 2019 on “Tokenisation – Card transactions” to any token requestor (i.e., third party app provider). This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.).
Initially, vide circular CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021 on “Tokenisation – Card Transactions : Extending the Scope of Permitted Devices”, authorised card networks were permitted to offer card tokenization services to any token requestor, limited to mobile phones and tablets of interested card holders only. This facility was subsequently extended to include consumer devices such as laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., vide our circular CO.DPSS.POLC.No.S-469/02-14-003/2021-22 dated August 25, 2021 on “Tokenisation – Card Transactions : Extending the Scope of Permitted Devices”.
This initiative was undertaken by RBI with an expectation to make card transactions more safe, secure and convenient for the users. The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks. All other instructions related to card transactions shall be applicable for tokenised card transactions as well. All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions also.
In the interest of clarity, the following points may be noted