Will India Pay For RBI’s Hurry?

News: The RBI, in Mar 2020, issued guidelines prohibiting merchants (including all e-commerce websites, streaming platforms) and payment aggregators (such as Razorpay and Instamojo) from storing customer card information. These will come into effect from 1st Jan 2021.

In September 2021, an alternative to the current system was permitted. The alternative system is called Card-on-file Tokenisation (CoFT).

But, even though RBI’s move is well-intentioned, a hurried transition can end up disrupting payment systems in India, adversely affecting both customers and merchants.

What is Card-on-file Tokenisation (CoFT)?

CoFT is the process of de-identifying sensitive cardholder data by replacing the actual card details with an alternative code called the “token”, which is unique for every combination of card and merchant.

The 16-digit credit or debit card number will be converted into unique codes. This set of code is called a token. This makes the storage of card details securer than before.

In the tokenisation system, only the card network and issuing bank will have access to card data.

While seemingly ‘simple’, this modification requires an ecosystem-wide change in tech systems and workflows, with sequential compliance from the many entities in the digital payments transaction chain.

What are the potential implications of RBI’s move?

– Can impact Indian startups and small businesses, which may not be well-equipped to transition to the new system in a short period of time.

– Lack of operational readiness: Banks and card networks are not implementation ready. And, it is only post-operational readiness, that merchants will receive the relevant application programme interfaces (APIs) to build, test and integrate a consumer-ready tokenisation solution.

– Reversal of digital adoption gains: If merchants and payment aggregators purge card data and transition to the new system before the ecosystem is ready, consumers will be forced to manually input card details for every transaction. This will make digital payments tedious and can lead to a situation where less tech-savvy customers go back to using cash.

– Increased consumer risk: The need to repeatedly input card details for every transaction could potentially make consumers more vulnerable to phishing attacks, thus increasing consumer risk rather than reducing it as was intended by the regulations.

– Impact on small businesses: It can also disproportionately hurt India’s small businesses and startups that make use of the digital payments ecosystem to retain and grow their customer base.

– Impact on merchants: Purging of all existing card data without an effective replacement system can also make merchants unable to support customers with subscriptions, refunds, cancellations and other customer service requirements. And at the same time reduce their ability to mitigate frauds during the transition period.

What is the way forward?

RBI should undertake a thorough assessment of the ecosystem’s readiness before enforcing guidelines.

Phased implementation: Card networks and banks should be mandated to set up their infrastructure first, followed by merchants.

Allow the current system of card storage and the new tokenisation alternative to co-exist

Lessons can be learnt from the implementation of the revised Payment Services Directive (PSD2) in Europe. In the case of the PSD2 norms, the European Commission set up several working groups & worked closely with industry to adopt standards acceptable to a majority of stakeholders.

Source: This post is based on the article “Will India Pay For RBI’s Hurry?” published in TOI on 23^rd Dec 2021.