RBI issued Tokenisation
Source: By Sunny Verma: The Indian Express
The Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to 30 June 2022.
This follows a series of representations from several industry players and digital payment platforms who anticipated disruption in online transactions from 1 January 2022 when the new rules were to originally kick in. As per new guidelines, online players will have to delete any credit and debit card data stored on their platforms and replace them with token to secure card details of consumers.
While most of the leading banks including SBI, HDFC and ICICI bank are ready for the switchover, other stakeholders – mostly merchants – argue that the systems at their backend are not yet ready to adopt the new regime and had sought further time in putting new norms into effect.
While extending the guideline, the RBI said that in addition to tokenisation the “industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks.”
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from 1 January 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online. This could be cumbersome exercise and may impact transaction value, especially when done through stored cards. In case of multiple cards, each will have to be tokenised.
India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore, according to data shared by participants at a CII seminar on the subject this week. The value of the Indian digital payments industry in 2020-21, as per RBI’s annual report, was Rs 14, 14, 85,173 crore.
“Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic… While RBI’s intent is to protect consumer interest, the challenge on ground pertains to implementation,” as per the CII. Online merchants can lose up to 20-40% of their revenues post 31 December due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop, according to participants at the virtual session on Digital Payments and the India Media Consumer organised by the CII’s Media and Entertainment Committee.
An estimated 5 million customers, who have stored their card details for online transactions on various platforms, could be impacted if the online players and merchants are not able to implement the changes at their backend. E-commerce platforms, online service providers and small merchants could be especially hit. Equated monthly instalments and subscription-based transactions that are paid through stored cards will also have to adhere to new rules. Now, with the latest extension, the RBI expects the systems to be ready for seamless launch in six months.
While 90 per cent of banks are ready for tokens on the Visa platform, Mastercard is yet to catch up. The RBI had banned Mastercard from issuing any new cards on 14 July 2021 this year for not complying with data localisation requirements. Even as CoF conversion to a tokenised number is being done, the system is not geared up for processing the tokens as merchants are not ready at their end.
Digital payment firms and merchant bodies had sought urgent intervention of the RBI to extend the deadline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF). They wrote to the central bank that if implemented in the present state of readiness, the new mandate could cause major disruptions and loss of revenue, especially for merchants. “Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments,” Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter. Some banks had also written to the RBI seeking extension of implementation of the new norms, according to sources in the industry.
Industry sources argue that all stakeholders – banks, card schemes, aggregators, gateways, processors, merchants, consumers and the regulator – in effect have to come together for successful implementation of the norms, which requires time and preparation. Specifically, the RBI policy change affects three major players: banks, intermediary payment systems and merchants. Stakeholders sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways.
