Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate

By Rohit Kumar and Aishwarya Viswanathan

As we near the June 30^th no-card-storage deadline set by the RBI, there is a lot of anxiety among merchants about the readiness of the payments ecosystem to be able to make a smooth transition. Speculation is rife that the system is far from ready, despite reassurances from RBI’s Deputy Governor that we are ‘by and large prepared’.

RBI’s no-card-storage regime, postponed twice in the past at the request of players within the payments ecosystem, has been set out with a view to reduce fraud and enhance the security of card payments. Under the proposed new regime, only issuing banks and card networks will be allowed to store customer card credentials, while merchants, payment aggregators/gateways and acquiring banks will be required to purge all card data from their servers. To enable the transition, an alternative solution of ‘Card on File tokenisation (CoFT)’ is being enabled. This will allow card details to be replaced with an alphanumeric code (called ‘token’) unique to every combination of card and merchant, and the generated tokens will be used to action payments.

The speculation around ecosystem readiness stems from the challenges involved in the step-by-step integrations that different players have to carry out to enable tokenisation. First, the card networks need to release two APIs – one facing the issuers (the banks that issue cards to the customers) and the other facing the acquirers (the banks that process payments on behalf of the merchants). The acquirers need to then release APIs for payments aggregators and gateways who in turn release APIs for merchants to integrate. Simply put, the transition towards tokenisation is a heavy lift – with all stakeholders in the payments ecosystem having to introduce technical and other operational changes in their systems and processes for tokenised transactions to go through.

So, is the payments ecosystem ready to migrate to the new regime? And will the transition be smooth or will there be disruptions like those seen in October 2021 from the implementation of the e-mandate, or probably even worse?

Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.

Asking the right questions

After the extension of last year’s December 31^st deadline, it does look like the payments ecosystem has made progress in transitioning towards the tokenisation regime. Several numbers are being released in mainstream media and closed-door industry consultations, but mostly voluntarily by different players – including by some card networks and payment aggregators/gateways who claim that they have rolled out solutions and are ready to migrate. However, the information being released is selective and does not necessarily reveal the full picture. Most numbers being shared are also just focussing on a few headline parameters related to token generation (technically called ‘provisioning’), while not touching on critical specifics of actual payment processing.

And while the RBI has requested for information from ecosystem players, the information, if received, has not been made public. In the absence of any authoritative release of information by the regulator – how should one establish the veracity of the numbers and/or judge if the ecosystem is truly ready?

Given the lack of clarity around what exactly the RBI considers to be ecosystem readiness, we at The Quantum Hub (TQH) have been trying to piece together the puzzle by speaking to different stakeholders involved in tokenised transactions. While we don’t have all the answers, we have a set of specific questions that can help us comprehend ‘ecosystem readiness’. These cover the lifecycle of a tokenised transaction from token provisioning to token processing, and also examine other special use-cases to understand what one would need to know to truly measure ecosystem readiness.

Token provisioning: Laying the foundation by registering cards as tokens

Major card networks and banks have publicly stated that they have made significant progress with respect to token provisioning and most cards in circulation are now compatible with the new system. While some merchants like Swiggy and MakeMyTrip are already allowing their customers to tokenise cards, others such as Flipkart, Amazon and Myntra said in early June that they are in the final stages of integrations and expect to start tokenising cards in the coming weeks.

In May 2022, Paytm also announced that it had already tokenised 28 million cards. While all of this is good progress, it is also important to note that in most of these cases, token provisioning is not simultaneous with processing i.e., merchants pre-emptively send notifications to customers to tokenise, and tokens are created and stored before a customer actually carries out a transaction.

However, seamless end-to-end transacting, where a user can generate a token in real-time and have a payment processed on the said token simultaneously is likely a better indicator of readiness – and so, it is also important for information to be disclosed on how long it takes for tokens to be simultaneously provided, and what volume of such transactions can the system currently process?

In other words, how long does a customer have to be in session to generate a token and have a payment successfully completed on it? And how does this compare with time currently taken i.e. when processing is done purely based on card credentials, without the need for token creation.

This information is also key to gauging readiness. 

Token processing: Using tokens to process payments in large volumes, at scale

Another key metric that is critical for establishing readiness is the ability of the payments ecosystem to process tokens in large volumes, at scale.

On days with high levels of online traffic – during an e-commerce sale, for instance – the tokenisation regime is likely to be harshly tested. According to the Merchant Payments Alliance of India (MPAI), e-commerce platforms currently execute around 900-1,000 transactions per minute. However, it appears that merchants have so far only been able to process a very small percentage of this desired volume in test environments – which likely implies that the payments ecosystem is nowhere near the desired benchmark.

So far, no authoritative information has been made available. Therefore, to be able to assess readiness, it will be important to know the typical transaction per second (TPS) rates expected of card networks and banks from 1^st July i.e., after the implementation of tokenisation, and a comparison of this benchmark with current test results.

Going beyond vanilla transactions: Building for all use-cases

One of the many reasons behind the boom of the digital payments industry is the convenience it offers both merchants and customers through hassle-free schemes such as refunds, discounts, monthly instalments, recurring payments and others.

In this context, the Merchant Payments Alliance of India (MPAI) cautions that significant disruption in online payments activity is likely as the ecosystem is either without solutions, or has solutions but in very early phases of testing for tokenised transactions for specific use-cases.

Given the lack of readiness for all use-cases, it would be useful to understand whether the RBI has undertaken/ overseen pilots or stress-testing projects to examine the  success of tokenisation for specific use-cases in controlled environments, before the solution is extended to the entire payments ecosystem?

Cross-Border payments: Falling through the cracks?

RBI’s notification says that no entity in the card transaction chain, other than the card issuers and card networks, shall store the actual card data. While RBI has no jurisdiction over merchants, payment aggregators/ gateways or acquiring banks registered outside of India, there are some specific use-cases that may still be impacted. For instance, what happens to onshore India registered merchants such as Uber offering services in other countries via a common mobile app?

By virtue of being registered as a merchant in India, Uber cannot save card data. Now if a customer travels to another jurisdiction that does not support network tokenisation, they may not be able to avail Uber’s service. Uber has, in fact, already announced a temporary limitation on international payments using India-issued cards in some countries.

It remains to be seen when such use-cases will get addressed, but while bigger merchants like Uber may make an attempt to address the gaps at the earliest, smaller merchants may find RBI’s requirements to be too cumbersome and may altogether suspend payments from Indian cards, especially if they have a limited user base in India.

Guest checkouts and non-tokenised transactions: Is a solution in sight?

Finally, there are customers who may choose not to tokenise (colloquially referred to as ‘guest checkouts’). This may happen in instances where the customer is not comfortable saving the card or does not foresee using a merchant service frequently (while booking a one-off airline ticket, for instance). According to industry estimates, guest checkouts constitute a significant chunk of online card transactions in India. Moreover, there could also be merchants who choose not to enable tokenisation systems on their platforms; this could happen because of technical bandwidth constraints, for instance. In either of these cases, card-based transactions will have to be processed by manually entering card details for every single transaction.

Since acquiring banks will not be allowed to store customer card data starting July 1^st, they may have no means to track transactions. This means that everything from settlement of transactions, reconciliation of payments, refunds, chargebacks – the entire lifecycle of the payment, basically – may get adversely affected.

Therefore, to understand readiness with respect to guest checkouts/ non-tokenised transactions, it will be valuable to know what percentage of overall online debit and credit card transactions are likely to be attempted without tokenisation? Moreover, how are these transactions to be handled? Are there any viable alternatives being considered?

So, what now?

For the ecosystem as a whole to be confident that the forthcoming transition will be smooth, the RBI must share information on stress-tests that have been conducted to assess whether tokenised transactions are possible at scale and across use-cases? And if so, what are the success and failure rates of the same? And what is the status of solutions for non-tokenised transactions?

With less than 17 days left for implementation, it becomes relevant to note that while the burden of compliance falls on merchants and payment aggregators, their ability to do so is dictated in large parts by issuing banks and card networks. In other words, it is a skewed power equation, and no matter what course of action a merchant decides to adopt – the degree of risk and uncertainty that follows is high. And the one that stands to lose the most in this uncertainty is the customer. In such a scenario, it is imperative that the RBI steps in and releases necessary information to assuage concerns and check inadvertent actions from ecosystem players. Doing so will be critical to retaining confidence in the Indian payments ecosystem.

Rohit is the founding partner and Aishwarya is an analyst at The Quantum Hub (TQH), a public policy consulting firm based in Delhi

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read: 

• Deep Dive: Why Online Debit And Credit Card Transactions Will Start Failing From July 1

• RBI Allows Diners Club To Start Reissuing Credit Cards In India, Mastercard And Amex Continue To Be Barred

• Summary: RBI Releases Guidelines On Establishment Of Digital Banking Units

• Why Is RBI Against Introduction Of Private Cryptocurrencies In India?