The Reserve Bank of India has directed merchants, merchants’ banks, payments aggregators and payment gateways to not store customers’ debit and credit card data on their servers from 1 July, in the interest of cybersecurity. The central bank expects the payments ecosystem of banks, card networks, and PA/PGs to ready token-based card processing as an alternative. However, media reports suggest that e-commerce businesses will not be able to migrate to the new system in time — which is certain to erode consumer trust in digital markets.
Tokenisation is a process by which a consumer’s sensitive information, such as debit/credit card number and expiry date, is converted into an alphanumeric cipher text. This requires a complete overhaul of back-end payment processing systems. Today, a consumer’s raw card details are used to process a transaction. It’s another matter entirely that tokenisation is usually industry-led in major economies and devoid of the regulatory directive to not store card data. Some like Australia mandate technical standards, under which the ability to store card data is predicated on the security measures adopted by e-commerce entities.
Each time a card payment is made, card data and transaction information are securely exchanged over interlinked technological infrastructure within seconds. Due to this interconnectivity, changes have to be planned and implemented in a sequential manner. That is, card networks and cardholders’ banks will have to first develop, test, and integrate the solutions to tokenise cards, for which, media reports suggest, they are not yet fully ready. They will then need to pass these solutions down to merchants’ banks, PA/PGs and merchants for integration and testing, which also takes upwards of three months.
A last-minute implementation rush will adversely impact the value proposition that digital payments offer to merchants and consumers alike. The recent changes to the rules governing recurring payments are a case in point. The payments ecosystem had to transition to a new framework to manage these cycles by 30 September 2021. But the backend infrastructure was similarly not ready. The result was that consumers’ subscription payments kept failing. Nine months later, recurring payments remain a challenge with only about 29 banks implementing the necessary software at the back-end, according to a report in The Ken. Consumers and merchants continue to be impacted, with businesses like Apple recently announcing that they would no longer accept card payments in India.
Bracing for impact
Tokenisation is a two-step process — token generation against the customer’s card, and processing of a transaction against it. Readiness with tokenisation means that this process can be completed not only for one-time purchases but also for recurring payments and EMIs (equated monthly installments). Data storage restrictions will also impact transactions where a consumer chooses not to tokenise her card data and prefers instead to enter the details for each transaction (i.e. guest checkouts). There are no clear solutions to this.
Reports also suggest that existing tokenisation solutions have limited throughput (number of transactions per second) and high latency (time taken to complete one transaction). They are yet to be load-tested at scale to ensure high transaction volumes, and testing for recurring payments has not even begun. With only a few weeks remaining until the 30 June deadline, this is not encouraging. Seamless purchases on e-commerce websites, where consumers only have to enter their CVV details and a one-time password, may often fail. Similarly, EMIs and subscriptions of various kinds, including for this digital news website, are likely to not go through.
Need for agile approach
The RBI’s effort to encourage the payments ecosystem to adopt tokenisation is a welcome move. However, since tokenisation requires fundamental changes to the way cards are processed, a transition to it requires continuous monitoring. The RBI already promotes this level of oversight in its framework for regulatory sandboxes, under which an entity tests new products or services in a controlled environment, and allows mitigation of public interest concerns.
There is an urgent need for the RBI to assess industry readiness to process card payments from 1 July onwards. It would do well to adopt an agile and flexible regulatory framework that can allow for dynamic responses to the extant adoption challenges. For instance, it could extend the deadline for card data deletion until a readiness assessment is completed. The central bank itself calls for agility with respect to the conduct of monetary policy, its core function. Reflecting these principles in its regulatory toolkit for digital payments is the need of the hour.
Disclaimer: Koan Advisory Group serves as the Secretariat for the Merchants Payments Alliance of India (MPAI), a group of like-minded merchants that accept digital payments.
The authors work at Koan Advisory Group, a technology policy consulting firm in New Delhi. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector.
(Edited by Prashant)