From July 1, payment aggregators and gateways and merchants onboarded by them will not be able to store credit and debit card information of customers on their platforms, as directed by the Reserve Bank of India. There’s only a little over a month left, and merchants are worried that an alternative system may not be ready on time.
Payment aggregators, payment gateways, and merchants can only store card credentials of customers in their databases until June 30, a deadline that has already been extended twice, most recently by six months on December 23.
Since there is no alternative mechanism, customers using credit or debit cards will have to enter the same information for each transaction, including the 16-digit card number, expiration date, and card verification value (CVV).
Visa, Mastercard, and RuPay are working on implementing an alternative – Card on File Tokenization (CoFT) – that replaces the card details with a ‘token’, which is unique for every debit or credit card and merchant platform where it is used.
However, the Merchant Payments Alliance of India (MPAI), whose members include Netflix, Disney+ Hotstar, Spotify, Zoom, Microsoft, and Policybazaar, says the ecosystem isn’t ready to implement CoFT for all use-cases.
Tests are ongoing.
In a letter sent to the RBI, the alliance expressed its concern that erasing card data from all platforms without a fully-prepared alternative might lead to disruptions for consumers and revenue losses for merchants.
In India, Apple has already told customers that it will not accept credit and debit card payments and asked them to pay for subscriptions using net banking, the United Payments Interface or their Apple ID balances.
“At this point in time, it will be very hard to usher in a seamless transition to the new regime,” said MPAI secretary Vivan Sharan. “While networks are ready with the required infrastructure to create tokens, work is still ongoing to process payments successfully using tokens.”
The development or testing stage also involves processing large volumes of transactions on tokens and ensuring transactions are processed quickly. Merchants lack clarity on the execution of guest checkouts and how they can implement cashbacks and rewards without access to card data.
“Currently, e-commerce platforms execute around 900-1,000 transactions per minute,” said Mohit Kalwatia, a member of the MPAI Secretariat. “During testing with tokens, merchants have been able to process only two to eight transactions per minute.”
The success rate of those two to eight transactions was less than 1 percent, Kalwatia added.
“So, in a real-world scenario, at the current readiness, you will see only 0.05 percent of the 900-1,000 transactions going through,” he said.
According to a payments company executive who did not wish to be identified, the card networks are in talks with the RBI for clarification on these fronts.
“For some of the issues, there are solutions but they all include temporary storage of card data,” the executive said. “The card networks are yet to get a response from the RBI on these proposed solutions. What the ecosystem is worried about is that if the card networks come up with an RBI-approved solution very close to the deadline, then it will be very difficult to implement them in time.”
Deadline extension?
Opinions are divided on whether the RBI will consider requests to extend the deadline to purge data again.
“Looking at the readiness, the RBI may extend the deadline again,” said former finance secretary Subhash Chandra Garg. “But that is just handling the issue symptomatically. In my judgement, the RBI should rollback these guidelines and simultaneously allow tokenisation to be implemented with more checks and clarity. But eliminating card details will not be in public interest.”
However, the executive said the RBI is unlikely to budge again.
“No discussions of an extension may be entertained by the RBI this time. The regulator will say that we are still in exactly the same position as six months ago,” the executive said.
There will be a second major disruption in payments after the central bank’s recurring payment norms resulted in failed subscriptions and revenue losses for small businesses.
But recurring payments made up only 3 percent of all payments in India. These norms, on the other hand, will have a wider impact, affecting all card payments.
According to Rameesh Kailasam, CEO of IndiaTech.org, which represents tech startups, the larger issue is that customers too are not completely aware of how CoFT will work.
“There is nothing which has been done for customers’ capacity building and handholding. Our request is that the RBI should do a status check to see if the market is ready. Banks and card networks need to be ready for the experience to be frictionless and smooth for the customer,” he said.
Once card networks and banks are ready with tokenisation, they will have to share the application programming interface (API) with merchants for them to align their own systems.
MPAI’s Sharan said, “When we ask for an extension, we don’t mean to say we don’t want to purge data. We are happy to do that and have lighter servers. For us, it is just a question of implementing this when everything is in place without any setbacks for customers or merchants.”