The Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to June 30, 2022.
This follows a series of representations from several industry players and digital payment platforms who anticipated disruption in online transactions from January 1 when the new rules were to originally kick in. As per new guidelines, online players will have to delete any credit and debit card data stored on their platforms and replace them with token to secure card details of consumers.
While most of the leading banks including SBI, HDFC Bank and ICICI Bank are ready for the switchover, other stakeholders — mostly merchants — argue that the systems at their backend are not yet ready to adopt the new regime and had sought further time in putting new norms into effect.
While extending the guideline, the RBI said that in addition to tokenisation the “industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks.”
What is tokenisation and why has RBI issued new guidelines?
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online. This could be cumbersome exercise and may impact transaction value, especially when done through stored cards. In case of multiple cards, each will have to be tokenised.
What is the size of the industry and the impact of new guidelines?
India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore, according to data shared by participants at a CII seminar on the subject this week. The value of the Indian digital payments industry in 2020-21, as per RBI’s annual report, was Rs 14,14,85,173 crore.
“Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic… While RBI’s intent is to protect consumer interest, the challenge on ground pertains to implementation,” as per the CII. Online merchants can lose up to 20-40% of their revenues post 31 December due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop, according to participants at the virtual session on Digital Payments and the India Media Consumer organised by the CII’s Media and Entertainment Committee.
What’s the consumer impact?
An estimated 5 million customers, who have stored their card details for online transactions on various platforms, could be impacted if the online players and merchants are not able to implement the changes at their backend. E-commerce platforms, online service providers and small merchants could be especially hit. Equated monthly instalments and subscription-based transactions that are paid through stored cards will also have to adhere to new rules. Now, with the latest extension, the RBI expects the systems to be ready for seamless launch in six months.
While 90 per cent of banks are ready for tokens on the Visa platform, Mastercard is yet to catch up. The RBI had banned Mastercard from issuing any new cards on July 14 this year for not complying with data localisation requirements. Even as CoF conversion to a tokenised number is being done, the system is not geared up for processing the tokens as merchants are not ready at their end.
Why did the stakeholders want an extension?
Digital payment firms and merchant bodies had sought urgent intervention of the RBI to extend the deadline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF). They wrote to the central bank that if implemented in the present state of readiness, the new mandate could cause major disruptions and loss of revenue, especially for merchants. “Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments,” Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter. Some banks had also written to the RBI seeking extension of implementation of the new norms, according to sources in the industry.
Newsletter | Click to get the day’s best explainers in your inbox
Industry sources argue that all stakeholders – banks, card schemes, aggregators, gateways, processors, merchants, consumers and the regulator – in effect have to come together for successful implementation of the norms, which requires time and preparation. Specifically, the RBI policy change affects three major players: banks, intermediary payment systems and merchants. Stakeholders sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways.
What is the preparedness of the banks?
While industry bodies claimed in a letter to the Reserve Bank that RBI regulated entities were not prepared in the absence of a hard mandate to comply, banks say “they are seized with the matter” and merchants might require some more time for integration. HDFC Bank, ICICI and SBI Cards already have the card tokenisation system in place for online transactions, while few players have device-based tokenisation (SBI Cards with Samsung) for contactless NFC (near field communication) payments. Other banks have already initiated the process and many are ready with the new system.
SBI Chairman Dinesh Khara had recently said, “It involves integration of the systems between banks and merchants. As far as banks are concerned, they have started working on it. For our purposes, the operative part came in the month of September. As far as merchants are concerned, they might require some more time.”
A report by Emkay Global Financial Services said, “Instead of creating own token generating engine, using the payment networks’ (Visa or Mastercard) engine will be far more cost-efficient and technologically advanced and will have merchant acceptability.” Mastercard and Google on Tuesday announced the rollout of tokenisation that will enable Google Pay users to transact using their Mastercard credit and debit cards. Many banks like SBI, HDFC and HSBC are using Mastercard for transactions.
Three steps have to be completed for smooth implementation of tokenisation. Token provisioning: the consumer’s card number should be convertible into a token, which means the card networks have to be ready with the relevant infrastructure.
Token processing: Consumers should be able to complete their transaction successfully through the tokens.
Scale-up for multiple use cases: Consumer should be able to use the token for things like refunds, EMIs, recurring payments, offers, promotions, guest checkouts etc.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.