The Reserve Bank of India’s (RBI) card storage rules, which prevent online merchants (like Amazon and Swiggy) and payment aggregators and gateways (like Razorpay and BillDesk) from storing credit and debit card details of their customers, kick in today despite a lack of clarity on whether or not the payments ecosystem is ready for the change.
The rules were announced in March 2020 and the initial deadline was December 31, 2021. This was then shifted to June 30, 2022, and finally to September 30, 2022, after a lot of pressure from the industry. But despite these extensions, it appears that the payments ecosystem is underprepared for the new system, which comprises two alternatives to storing card details:
- Tokenisation: merchants and payment aggregators store tokenised versions of the card details and process payments based on these tokens, or;
- Guest checkout: customers enter their card details every time they make an online purchase.
Why does this matter? Both these alternatives—guest checkouts and tokenisation—face various challenges (covered in-depth here), and without them being ready, credit and debit card transactions will fail at a higher rate than normal.
What is the status of card tokenisation?
Card tokenisation involves two steps: 1) provisioning of tokens, where the card network (Visa, Mastercard) issues a unique number that stands in for the card and is bound to a specific combination of card, merchant and device, and 2) processing transactions using these tokens instead of the card number. The merchant or payment aggregator keeps only the token (along with the last four digits of the card and the issuer name for reconciliation), never the full card number.
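As an added illustration of the two steps above (example code written for this page, not code from MediaNama, the RBI or any card network), the following Python sketches a toy token service provider. It assumes an in-memory vault, a random hex token rather than the format-preserving numeric tokens real networks issue, and constructed merchant IDs, device IDs and a Luhn-valid test card number. The point it makes is the security property behind the rule: the merchant receives and stores only a token, the last four digits and the expiry; the token is random rather than derived from the card number; and it is bound to the merchant and device it was provisioned for, so a token lifted from one merchant's database is declined when replayed at another.

```python
# Added illustration of card-on-file tokenisation; not code from MediaNama,
# the RBI, or any card network. The in-memory vault, the hex token format,
# and all merchant/device identifiers and card numbers below are assumptions.
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """What the token service provider (TSP) keeps behind a token."""
    pan: str          # full card number: lives only inside the TSP vault
    expiry: str
    merchant_id: str  # the token requestor the token is bound to
    device_id: str    # ...and the device/channel it was provisioned on


def luhn_ok(pan: str) -> bool:
    """Basic sanity check on a card number (ISO/IEC 7812 Luhn checksum)."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenServiceProvider:
    """Toy stand-in for the card network's token vault (assumption: a dict)."""

    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str, expiry: str, merchant_id: str, device_id: str) -> dict:
        """Step 1: provisioning. Returns the only data the merchant may keep."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # The token must be unguessable and must not be derivable from the PAN
        # (a hash of the PAN can be brute-forced over the small BIN/account space),
        # so it comes from a CSPRNG. Real tokens are 16-19 digit, format-preserving.
        token = secrets.token_hex(8)
        self._vault[token] = TokenRecord(pan, expiry, merchant_id, device_id)
        # Merchant stores only this: token, last four digits, expiry. Never the PAN.
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def process(self, token: str, merchant_id: str, device_id: str, amount_paise: int) -> dict:
        """Step 2: processing. Detokenise only if the domain binding matches."""
        rec = self._vault.get(token)
        if rec is None:
            return {"approved": False, "reason": "unknown token"}
        same_merchant = hmac.compare_digest(rec.merchant_id, merchant_id)
        same_device = hmac.compare_digest(rec.device_id, device_id)
        if not (same_merchant and same_device):
            # A token lifted from one merchant's database is useless elsewhere.
            return {"approved": False, "reason": "token not bound to this merchant/device"}
        # A real TSP would now forward rec.pan to the issuer for authorisation;
        # the PAN still never goes back to the merchant.
        return {"approved": True, "last4": rec.pan[-4:], "amount_paise": amount_paise}


def demo() -> dict:
    """Provision for one merchant, pay, then replay the leaked token at another merchant."""
    tsp = TokenServiceProvider()
    test_pan = "4111111111111111"  # constructed test number (passes Luhn), not a real card
    cof = tsp.provision(test_pan, "12/27", merchant_id="merchant-A", device_id="browser-1")
    legit = tsp.process(cof["token"], "merchant-A", "browser-1", amount_paise=49900)
    replay = tsp.process(cof["token"], "merchant-B", "browser-1", amount_paise=49900)
    return {"card_on_file": cof, "legit": legit, "replay": replay}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the legitimate charge approved and the replay at "merchant-B" declined, with the card number absent from everything the merchant ever receives. The token is drawn from a CSPRNG rather than computed as a hash of the card number because the space of valid card numbers behind a known BIN is small enough to brute-force offline, which would turn a leaked token vault back into a leaked card database.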
Decent progress for one-time transactions: “There’s decent progress made on provisioning and processing for one-time transactions,” Mohit Kalawatia, Senior Associate at Koan Advisory Group, told MediaNama. As for provisioning, the success rate is around 90-95 percent, the Merchant Payments Alliance of India (MPAI), which represents companies like Microsoft, Netflix, Spotify, etc., said in a submission made to the RBI. And as for the processing of transactions using tokens, the success rate was around 60-65 percent as of early September, the alliance stated. “As opposed to where we were a couple of weeks ago, the ecosystem is now stabilising. Though still not at the same level as transactions using your card number, we do expect it to progress at a decent steady pace, and hopefully, we will be around the success rate as we have on normal card transactions in 15 to 20 days,” Kalawatia said.
Not ready for recurring transactions: Recurring transactions, such as subscriptions, which now also follow the e-mandate regulations, pose a harder challenge, Kalawatia said. Under those regulations, recurring card payments can no longer be debited automatically on a set date as they used to. The customer first has to register an e-mandate for the recurring payment with the card issuer. Before every subsequent debit, the bank must send a pre-debit notification at least 24 hours in advance, giving the customer the option to opt out of that particular charge. For any recurring transaction above ₹15,000, the customer must additionally authenticate the payment (additional factor of authentication), a multi-step process that many users find cumbersome; below ₹15,000 the notification alone suffices, but the customer is still asked each time whether they wish to cancel the upcoming debit.
“It’s a bit more complex because we have three processes broadly: first is mandate creation, wherein you create a new mandate for a subscription using the token and without using any card data, second is the migration of existing mandates which are based on your card number to the token-based ecosystem, and third is ensuring that a mandate or a recurring payment happens using the tokens,” he explained. “Merchants have limited visibility on token processing solutions for recurring (auto-debit) payments,” MPAI stated.
“On mandate creation, it’s not promising. Some card networks are better prepared to an extent than others, some are not prepared at all. And on migration, merchants are just starting to migrate or have just received the go-ahead from the upstream partners,” Kalawatia said.
As for processing mandates based on tokens, Kalawatia divided merchants into two groups: those with some capacity to test things in-house, and those who rely entirely on aggregators and gateways, a group most Indian merchants fall into. He explained that:
- “Merchants who rely on the aggregators and gateways have no visibility as to how things stand right now. What they’ve been hearing from their upstream partners is some sort of a verbal assurance without any sort of demonstration as to whether things will be ready. Some merchants heard that testing at the upstream partner will start in the last week of September, which is three-four days before the deadline.”
- “As for merchants who have some in-house capacity to do tests, the results aren’t promising at all. For all mandate renewals, which is the processing of recurring transactions using tokens, the success rate is around 30 percent, which is far below the success rate when you process based on your PAN number, which is between 85-90 percent.”
No clarity on readiness for EMI-based transactions: Another use case for tokens will be EMI-based transactions, where the customer can split their payment over multiple months. “On EMIs, again, there is no clarity on where the upstream partners like payment aggregators and gateways are. So it’s on the same boat as recurring mandates,” Kalawatia remarked.
What is the status of guest checkouts?
While the industry remains underprepared for token-based transactions, with guest checkouts it’s a different story because of relaxations announced by the RBI in July. For guest checkout transactions, the following are permitted as an interim measure:
- Merchants and PAs can store card data for 4 days: Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in the settlement of such transactions, can save the card data for a maximum period of 4 days from the date of the transaction or till the settlement date, whichever is earlier.
- Acquiring banks can store card data: For handling other post-transaction activities such as chargebacks and refunds, acquiring banks can continue to store card data until January 31, 2023.
“Therefore, the challenge here is, to an extent, not immediate because of the relaxations,” Kalawatia opined. “To be honest, I don’t think the January deadline is enough to come up with an alternative solution. But I guess we’ll cross that bridge when we come to that. Right now, the focus is on token-based transactions.”
Before these relaxations were announced, the acquiring bank (the merchant’s bank, which receives the payment on the merchant’s behalf) was also not allowed to store card data. But in the way settlement, refund and chargeback systems are built today, the card number is the key that ties a transaction back to the cardholder: if the acquiring bank does not have it, the payment is bound to fail, and the bank would not know whose account to credit in the case of a failed transaction or a refund.
What should the RBI have done differently?
- Should have provided a staggered deadline: “You can’t have one deadline for all ecosystem participants, you need to have a staggered approach. It should essentially flow from where the participants sit in the value chain. First, the banks should be ready, then card networks, then your payment aggregators and gateway, then finally your merchants. What we’re seeing is everyone is simultaneously developing solutions, testing things out and then doing a lot of trial and error and then scrambling to meet the deadline, which I think isn’t the ideal scenario for implementing any regulations that impact the digital payments industry at large,” Kalawatia said. “We are not comfortable with the deadline, but the problem is it’s difficult for us merchants to say how much time we will need, we can’t make commitments on behalf of our upstream partners,” he added.
- Should have asked different ecosystem participants to demonstrate readiness: “RBI should have taken a really in-depth stock as to where we are given that we do hear different things from different ecosystem participants. It’s time RBI starts asking ecosystem participants to demonstrate readiness,” Kalawatia said. The RBI should mandate “card networks and payment service providers to share a status report to demonstrate their readiness to fulfil tokenized transactions across all use cases,” MPAI also said in its submission.
- Ecosystem readiness should be viewed from a consumer perspective: Ecosystem readiness around tokenisation should be “viewed from the consumers’ perspective. In other words, a consumer should be able to seamlessly make payments online using tokenized (masked) card details,” MPAI, along with NASSCOM, said in their joint submission to the RBI.
RBI has no idea of industry preparedness
Worryingly, RBI has no idea how ready the payment ecosystem is for its new card storage rules. In response to a Right to Information (RTI) request filed by The Quantum Hub (TQH), the central bank on June 17 said that it has no information available on how many tokens have been provisioned by card networks like Visa and Mastercard, how long token-based transactions take to complete on average, what the expected transactions-per-second rates are when using tokens, how many payment aggregators/payment gateways have provided final Application Programming Interfaces (APIs) for integration to merchants, whether testing was conducted using tokens, whether testing has been done for special use-cases like refunds, chargebacks, EMIs and recurring mandates, whether testing has been done for the guest checkout use case, etc.
Why doesn’t RBI want merchants and payment gateways to store card data?
“Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in future. While this practice does render convenience, the availability of card details with multiple entities increases the risk of card data being stolen/misused. There have been instances where such data stored by merchants, etc., have been compromised. Given the fact that many jurisdictions do not mandate Additional Factor of Authentication (AFA) for authenticating card transactions, stolen data in the hands of fraudsters may result in unauthorised transactions and resultant monetary loss to cardholders. Within India as well, social engineering techniques can be employed to perpetrate frauds using such data,” RBI explained.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- RBI Eases Card Storage Rules For Acquiring Banks, Merchants, And Payment Aggregators
- RBI Has Zero Info On Payment Ecosystem Readiness For New Card Storage Rules, RTI Reveals
- RBI Extends Deadline For Card Storage Rules To September 30
- Deep Dive: Why Online Debit And Credit Card Transactions Will Start Failing From July 1