The Reserve Bank of India’s (RBI) new rules for card payments will lead to a major shift in the payments industry, and provide a major boost to the Unified Payments Interface (UPI) and Bharat Bill Payments System (BBPS). With banks and payment gateways/aggregators implementing new infrastructure to support online and recurring card payments over the coming months, the RBI has indirectly pushed consumers and merchants to use UPI or BBPS for use-cases currently supported by cards, industry experts told MediaNama.
UPI has already overtaken the market share of debit cards for the consumption economy, with around Rs 83,076.25 crore in merchant payments of the Rs 5.04 lakh crore UPI transactions. This is higher than the Rs 56,838 crore worth of debit card transactions either online or at Point-of-Sale devices in the same month, as per RBI data.
The new rules will add friction to the payment experience for customers, require mountains of re-engineering for many payment aggregators and gateways and their merchants, and it could even threaten the business models of many startups, say experts. While the payments industry and merchant firms have approached the RBI to reverse its decision, the central bank has not budged. It has, however, extended the deadline to comply with the new card storage rules, under the Guidelines on Regulation of Payment Aggregators and Payment Gateways, to December 31, 2021 from July this year. At the same time, it extended the timeline for compliance with its new framework for creating e-mandates and processing recurring transactions to September 31, 2021 from March.
Differential treatment for cards vs UPI
From next year onward, every time you book tickets or order food online you will need to re-enter your card details for every transaction. As per the new rules, neither merchants nor payment aggregators can store customer card credentials in their databases. On the other hand, you can link your UPI wallet or store your UPI handle/Virtual Payment Address on the travel or food delivery website or application. This would mean that at the time of checkout, using your UPI to pay for services would be a smoother process than entering card details.
There are security concerns here. A senior executive at a payments gateway firm told MediaNama, on the condition of anonymity, that the majority of payments frauds take place on UPI or because of fraudulent merchants, and only a minuscule amount of fraud takes place due to leaked card data.
“Payment aggregators/gateways store the card data in an encrypted format and there are data standards for storing card data securely. But under this policy, the RBI has implemented a blanket ban so that neither merchants nor the payments aggregator or gateway can store card data. Despite similar technologies and similar compliance checks, like the PCI-DSS guidelines, why is there a different regime for different players?”, an executive at a payments gateway company told MediaNama.
To solve the issue of ‘payment friction’ at the time of checkout, the RBI has directed banks and payment aggregators/gateways to implement tokenisation solutions for cards. Industry experts said that it is right for the regulator to be concerned about card security, but it is illogical that the same rules do not extend to UPI payments. A card network company executive told MediaNama, on the condition of anonymity, that while they understand the RBI’s push for tokenisation and restriction of storage of card data by merchants, “if the biggest frauds are happening with UPI, why are you not recommending tokenisation for UPI?”
Others told MediaNama that the RBI is treating “plastic” as more risky than “digital” forms of payment. “I do not understand why there is so much sensitivity when it comes to cards,” said a senior payments industry executive on the condition of anonymity.
“If your card details are leaked and your UPI handle is leaked, you are more likely to be defrauded through UPI. Fundamentally, the problem is that we do not have a payment security law and as a result we are proxying rules on third-party merchants through payment aggregators and gateway providers”, a payments industry executive told MediaNama.
The comparative convenience will benefit UPI. Seshadri Kulkarni, chief executive officer, DigitSecure, told MediaNama that the RBI wants only financial institutions that have direct relationships with a customer to hold that card data. “In the short-term there will be a big impact and there will be a great inconvenience to all the parties involved. Consumers have relied on standing instructions through cards or signing up for subscriptions. It will drive UPI transactions since it is convenient and more people are getting used to it,” he said.
RBI on recurring payments
- Banks need to send pre-transaction and post-transaction notifications to customers before the auto-debit takes place.
- This new framework requires a fair amount of re-engineering on the part of banks, including getting consent of existing customers to set up new e-mandates.
- The roll-out of this new system was delayed because of the implementation challenge.
How will subscriptions be impacted?
If Netflix or MediaNama (as examples) currently have recurring payments set up for each of their users via cards, users will need to be sent a notification 24 hours before the expiry of their subscription. Thereafter, they would need to make the payment by physically entering card details.
With the apparent “regulatory preference” for UPI and BBPS over cards, “Merchants who use cards for recurring payments will push their users to use UPI for payments or they will on-board themselves as billers on Bharat Bill Pay,” a payments industry executive told MediaNama on the condition of anonymity. What doesn’t help is that “barring one or two players, no one has integrated UPI Autopay yet,” the executive said.
The transition to new payment channels will take time: “Existing solutions like the National Automated Clearing House (NACH) were designed for monthly loan repayments, insurance and mutual fund contributions”, according to the executive at a payment gateway. “Many use-cases, particularly subscriptions or loyalty programmes, may not be able to move to UPI Autopay, NACH or BBPS, immediately. You would need to upgrade these channels to take care of many use-cases that today depend on storing card data,” they said.
Disrupting business models
In early February, several merchants like Flipkart, Netflix and Amazon among others sent a letter to the RBI, through the legal firm J. Sagar Associates, seeking an exemption from the new rules for PCI-DSS Level 1 compliant merchants. MediaNama has seen a copy of the letter.
“Specifically, we believe that the ability to store Card-on-File Data should be predicated on the security measures implemented by an entity rather than where in the payments value chain such an entity sits. In our view, moving data from one party to another with equivalent standards of security will not mitigate security risk but will rather concentrate the card data in the hands of a few players”—Merchants’ letter to RBI
Since Level 1 Merchants undergo the same “on-site technical requirements and compliance validation from PCI-DSS” that card acquirers, issuers, card networks and payment aggregators undergo, they are on par with the same security standards that banks or payment aggregators/gateways follow. The letter asked the RBI to introduce a risk-based framework for merchants and payment aggregators/gateways to store card data.
The letter sent to the RBI also said that as a result of these rules, the business models of many merchants will be disrupted. It also added that if there is consolidation within the payment industry, from a financial standpoint or if only bank payment aggregators/gateways are allowed to store card data, Level 1 merchants will be forced to work with only a handful of gateway providers, which is not good for competition, infrastructure efficiency or concentration risks.
“Merchants will be unable to provide customized checkout and single click payment, resulting in unnecessary friction for consumers. Without card data, merchants cannot engage in such crucial fraud prevention measures, which will have a huge impact on consumer confidence and adoption of digital payments”—Merchants’ letter to RBI
A senior executive with a third-party merchant told MediaNama that the RBI’s intent is to safeguard the data of the user, but the step taken is a little too harsh. “The government and RBI have been instrumental in promoting digital transactions, but this sudden U-turn has had a second order impact. It solves some part of data storage, but by increasing friction there is a huge drop off for people,” this person said on the condition of anonymity.
“The solution to Juspay can’t be to block access of merchants to payment aggregators, even when they follow PCI-DSS. If HDFC Bank and CRED want to integrate, while conducting audits and checks, why is the RBI blocking this ability? The solution can’t be to ban all entities, reasonable differentiation should be allowed”, this person said.
Tokenisation needs market infrastructure
Industry executives told MediaNama that another factor that will drive the switch to UPI and BBPS is the absence of multiple banks issuing APIs for tokenization and the absence of a common token switch. According to a card network executive quoted above, the RBI should create a common tokenisation framework and the NPCI should build the infrastructure. “Right now, each payment aggregator/gateway will need to work with individual banks and create their own tokenisation mechanism. There is a scalability challenge since tokenization solutions today exist only between one payment aggregator/gateway and a bank,” this person said.
In its letter to the RBI, the group of merchants said that while card tokenisation is the way forward and the industry will work towards implementing this solution, card tokenisation cannot be an “alternative to storing Card-on-File data today.”
“Creating any new payments product involves infrastructure development by various stakeholders (i.e. card networks, acquiring banks, issuers, payment aggregators, merchants) in the payment ecosystem which may take a few years and therefore RBI and industry will have to discuss and develop a roadmap for effective adoption and implementation”—Merchants’ letter to RBI
An engineer who worked on integrating card payments at a major payment gateway told MediaNama on the condition of anonymity that the RBI needs to push the industry to adopt a tokenisation model based on Application Programme Interfaces (APIs). This person cited Oklahoma-based cloud data security company TokenEX as one of the leading tokenization providers in the United States, stating that India needs similar companies to set up shop here.
“Bank and gateway relations with merchants will be the new intellectual property going forward, as banks that create tokenisation APIs will be the market leaders. The gateway makes an API call to the bank and the bank responds with a status code if the transaction is approved/rejected or if the card should be blocked for any reasons. It will be a hectic time for most gateways to transition to this”, he said.
“You need a common system for tokenisation, which has 12-18 months of development and testing. Right now each credit card has separate tokens for each payment aggregator, it is limited and therefore there are obstacles in my ability to process your transactions,” said the executive with a third-party merchant.
“If we look at it from a long term perspective, the new rules will not impact the payment side of our business, but it will impact the turnaround time, ability to give rewards, subscriptions and handle grievances. It is a revenue hit for banks, card network fee will go down, while alternative products for credit and debit will go up”, the executive said.
Note: MediaNama sent queries to the NPCI, CRED, Flipkart, Amazon, Microsoft and Netflix last week. While Amazon and Netflix declined to comment, responses from others were not received at the time of publication.