Why India’s RBI Tokenization Mandate Is a Wake-Up Call for Global Data Security

The Reserve Bank of India (RBI), India’s central bank, has sparked substantial discussion within India with its upcoming mandate to tokenize Indian cardholder data. Companies that store this kind of data are scrambling to comply, while companies that don’t may be wondering whether this is worth caring about.

The answer is “yes.” It may point to the future of how data is handled around the world, as companies and governments become increasingly cautious not only about how data is stored, but also whether it should be stored at all. Let’s see what the tokenization mandate is, and why it matters.

What Is the RBI Tokenization Mandate?

While worldwide standards surrounding cardholder data, like the upcoming PCI DSS 4.0, focus on ensuring that companies store card data securely, the RBI is taking things a step further by prohibiting everyone else in the payment chain from storing the actual card data of cards issued by Indian banks. The only entities that may store that data are the card issuers and the card networks themselves.

Merchants, payment aggregators, and payment gateways must instead use a process called card-on-file tokenization (CoFT). Rather than the card number itself, they store a token that the issuer or card network maps back to the actual card data, and they either connect directly to the card issuer or use an approved tokenization solution. Tokens are unique per card and per merchant, so a cardholder has to enter their card details and give consent once at each site to initiate tokenization; a token issued for one merchant cannot be used by another.
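To make the division of roles concrete, here is an added example in Python of the card-on-file flow described above. It is illustrative code, not RBI’s, a card network’s or any payment provider’s implementation. The class names, the fields the merchant keeps (token, last four digits, expiry) and the in-memory vault are assumptions for illustration; the card number is a public test PAN, not a real card.

```python
# Added illustration of card-on-file tokenization (CoFT). Example code, not
# RBI's, a card network's or any payment provider's implementation. Class and
# field names are hypothetical; the split of roles is the point: only the vault
# (standing in for the card issuer / card network) ever holds the PAN, and each
# merchant holds a random, merchant-scoped token that is useless anywhere else.
import secrets
from dataclasses import dataclass


def _normalize(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


@dataclass(frozen=True)
class CardOnFile:
    """What the merchant keeps (assumption: token, last four digits for
    display, and expiry so it can prompt the customer for a replacement)."""
    token: str
    last4: str
    expiry: str  # "MM/YY"


class TokenVault:
    """Stands in for the issuer/network-side tokenization service."""

    def __init__(self) -> None:
        self._card_by_token: dict[str, tuple[str, str, str]] = {}  # token -> (merchant, pan, exp)
        self._token_by_card: dict[tuple[str, str], str] = {}      # (merchant, pan) -> token

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> str:
        """Issue a merchant-scoped token. It is random, so it carries nothing
        about the PAN; the same card at the same merchant gets the same token,
        and a different token at a different merchant."""
        pan = _normalize(pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("not a PAN")
        key = (merchant_id, pan)
        if key not in self._token_by_card:
            token = "tok_" + secrets.token_hex(16)
            self._token_by_card[key] = token
            self._card_by_token[token] = (merchant_id, pan, expiry)
        return self._token_by_card[key]

    def authorize(self, merchant_id: str, token: str, amount_paise: int) -> str:
        """Detokenize inside the vault only, and only for the merchant the token
        was issued to. Returns a masked confirmation, never the PAN."""
        record = self._card_by_token.get(token)
        if record is None or record[0] != merchant_id:
            raise PermissionError("token unknown or not bound to this merchant")
        _, pan, _ = record
        # A real vault would forward an authorization to the issuer here.
        return f"approved {amount_paise} paise on card ****{pan[-4:]}"


class Merchant:
    """Merchant or payment aggregator: stores CardOnFile records, never the PAN."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self._vault = vault
        self.cards_on_file: dict[str, CardOnFile] = {}  # customer_id -> card

    def save_card(self, customer_id: str, pan: str, expiry: str) -> CardOnFile:
        """Called once per site when the cardholder enters details and consents.
        The PAN goes to the vault and is not retained here."""
        digits = _normalize(pan)
        token = self._vault.tokenize(self.merchant_id, digits, expiry)
        card = CardOnFile(token=token, last4=digits[-4:], expiry=expiry)
        self.cards_on_file[customer_id] = card
        return card

    def charge(self, customer_id: str, amount_paise: int) -> str:
        """Subscription or installment charge using only the stored token."""
        card = self.cards_on_file[customer_id]
        return self._vault.authorize(self.merchant_id, card.token, amount_paise)

    def contains_pan(self, pan: str) -> bool:
        """Audit helper: would a dump of this merchant's card store expose the PAN?"""
        digits = _normalize(pan)
        return any(digits in (c.token + c.last4 + c.expiry) for c in self.cards_on_file.values())


def demo() -> dict:
    """Run the flow for one card at two merchants; returns the facts worth checking."""
    vault = TokenVault()
    shop_a = Merchant("shop-a", vault)
    shop_b = Merchant("shop-b", vault)
    pan = "4111 1111 1111 1111"  # public test PAN (constructed input), not a real card
    card_a = shop_a.save_card("cust-1", pan, "12/25")
    card_b = shop_b.save_card("cust-9", pan, "12/25")
    try:  # cross-merchant replay: shop-b presents shop-a's token
        vault.authorize("shop-b", card_a.token, 100)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {
        "tokens_differ": card_a.token != card_b.token,
        "same_token_on_repeat": shop_a.save_card("cust-1", pan, "12/25").token == card_a.token,
        "merchant_holds_pan": shop_a.contains_pan(pan),
        "charge": shop_a.charge("cust-1", 49900),
        "replay_blocked": replay_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the token is generated with `secrets.token_hex`, not derived from the PAN by hashing or encryption: a leaked merchant database then yields nothing that can be reversed, and a token stolen from one merchant is rejected by the vault when another merchant presents it.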

This isn’t the first time international companies have been forced to take stock of Indian cardholder data. In 2018, the RBI imposed a data localization mandate requiring that payment data from Indian banks be stored only in India; it may be processed outside India provided the data is brought back to the country within 24 hours.

Many merchants and payment aggregators have expressed concern about the impact of tokenization, and as a result the deadline for the mandate to take effect has been pushed back several times; at the time of writing, it stands at September 30, 2022. There are ongoing concerns about whether the required infrastructure will be complete in time, and even where it exists, proofs of concept are reportedly very slow. Additionally, if firms don’t support tokenization, or customers opt not to use it, customers will have to enter full card data every time they make a new purchase. That would break auto-pay services such as subscriptions and installment plans, and make refunds a challenge.

Why Does This Matter?

Before the mandate comes into force, companies that handle Indian cardholder data will need to find out where all of that data lives, and purge it. Given that the CoFT system requires extensive setup and administrative coordination, some companies will simply refuse to participate. This includes Apple, which stopped directly accepting Indian credit card numbers earlier this year.

Beyond the immediate impact on cardholder data, the RBI tokenization mandate represents a major shift in the way that companies and governments view data: as something potentially toxic. If the mandate is successful, it’s possible that other governments will follow India’s example and force companies to stop storing cardholder data. It’s also possible that India and other countries will expand the scope beyond card information to other kinds of sensitive personally identifiable information (PII). We’re already seeing this with legislation like Illinois’ Biometric Information Privacy Act (BIPA), which prohibits collecting or storing biometric data without written consent.

The potential for future data privacy legislation should not trigger an immediate data purge, since sensitive data is essential to the way many companies operate, but it should serve as a wake-up call about the toxicity of failing to properly store and catalog sensitive data of any kind. To stay ahead of possible mandates, companies need to know exactly what information they hold, and which countries it comes from.

The Crucial Step of Knowing Your Data

Companies can’t assess their data security or prepare to respond to global events like the RBI tokenization mandate if they don’t have a full inventory of sensitive data. Yet, as many as 70% of professionals believe their organization does not know where all of its data is stored. In India now, and potentially worldwide in the near future, a comprehensive data security strategy is more than just a “best practice.” It’s a requirement for doing business. 
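The first step the article calls for is finding cardholder data you did not know you had. The following is an added example in Python of that discovery step; it is illustrative code, not Ground Labs’ Enterprise Recon or any other product. It scans text for 13–19 digit runs, keeps only Luhn-valid ones, and reports them masked (first six and last four digits) so the scan report does not itself become a new store of card data. The log and CSV samples are constructed, and the card numbers are public test PANs. Issuing country is not determined here: that requires a BIN-to-issuer lookup, which this example assumes is done separately.

```python
# Added example of cardholder-data discovery. Illustrative code, not Ground
# Labs' Enterprise Recon or any other product. Finds 13-19 digit runs, keeps
# the Luhn-valid ones, and reports them masked (first six / last four) so the
# report is not itself a new copy of card data. Issuing country is NOT decided
# here; that needs a BIN table, assumed to be a separate step.
import re
from dataclasses import dataclass

# Runs of 13-19 digits, allowing one space or dash between digits, with no
# digit immediately before or after (so a longer digit run is not split up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check; also rejects runs of one repeated digit, which
    pass Luhn but are placeholders, not cards."""
    if not digits.isdigit() or len(set(digits)) == 1:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """PCI-style truncation: first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    masked_pan: str
    length: int


def scan_text(text: str, source: str) -> list[Finding]:
    """Scan one text blob (a log, a CSV export, a ticket body) for PANs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits), len(digits)))
    return findings


# Constructed sample input: an application log and a CSV export, as a scanner
# would meet them. The card numbers are well-known public test PANs. The order
# id, phone number and invoice reference are deliberate near-misses.
SAMPLE_LOG = """\
2022-09-30 12:34:56 INFO order=1234567890123456 customer=+91 98765 43210 status=paid
2022-09-30 12:35:01 DEBUG gateway request card=4111-1111-1111-1111 exp=12/25
2022-09-30 12:35:02 INFO payment ok ref=INV-20220930-000417
"""
SAMPLE_CSV = """\
customer_id,name,card
c-9,Asha,5555 5555 5555 4444
c-10,Ravi,token:tok_3f9a1c
"""


def scan_samples() -> list[Finding]:
    """Scan both constructed samples; only the two real test PANs should be reported."""
    return scan_text(SAMPLE_LOG, "app.log") + scan_text(SAMPLE_CSV, "export.csv")


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}:{f.line_no}: {f.masked_pan} ({f.length} digits)")
```

Two things the sample is built to show: a 16-digit order number and a 14-digit invoice reference both match the digit-run pattern but fail the Luhn check, which is what keeps a naive regex from flooding a report with false positives; and the tokenized record in the CSV produces no finding at all, which is the state the RBI mandate wants every merchant’s data store to be in.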

When it comes to discovering data, companies can’t afford to choose anything less than the most comprehensive tools available. Enterprise Recon by Ground Labs offers unparalleled speed and accuracy for identifying, remediating and reporting personally identifiable information across an organization’s infrastructure. Whether identifying cardholder data by country to ensure RBI mandate compliance, or simply preparing your organization for whatever lies ahead, it’s the most thorough way to keep your organization’s data safe.

Want to get started with RBI tokenization compliance? It has never been easier – arrange a workshop with us today.

Want to keep up with all our blog posts? Subscribe to our newsletter!