Digital Revolution in India
The economic and financial transformation of recent years, driven by Government of India initiatives such as Demonetization, Digital India, UPI and Jan Suvidha, has seen most of the country, from the common man to small businesses to large corporations and the government, conduct business and financial transactions digitally with ease, doing away with the use of cash for payments.
Online shopping and digital payments have risen exponentially in the past few years due to a rise in smartphone penetration, India’s biometric identity card, cheap internet data and access to electricity across the length and breadth of India, from the metros to the remotest villages. We use digital payments not only for online shopping but for all kinds of financial transactions, covering the complete spectrum from daily needs like groceries, utility bill payments, medicines, food delivery, clothing and essentials to travel, entertainment, investment, and taxes.
Digital payment solutions and apps like UPI, Paytm and Amazon Pay have grown rapidly recently since they offer both – ease of use and convenience.
The outstanding growth in UPI transactions
Ever since banks uploaded their Unified Payments Interface or UPI apps on Google Pay in 2016, it has offered immediate money transfer through a mobile device at any hour of the day, all through the year. Since the application involved limited use of cash, online payments saw an astounding growth overnight. According to a report by CSLA, the value of digital payments in India will grow to $1 trillion by the financial year 2026. The initiative by the government to link bank accounts, Aadhaar cards and mobile connections will encourage people to trust online payment solutions further.
Impact of the Pandemic
The onset of the pandemic and the resulting lockdowns saw a rise in digital transactions in India. The scare of the virus confined people to their homes with bare minimum interaction with the outside world. Paper money transactions were replaced by Unified Payments Interface (UPI) and online banking to meet daily needs during the pandemic.
Need for Data Security, Data Privacy, Fraud Prevention
This rise in digital transactions has created an urgent need to address the exposure of transactions, providers and users to cyber threats from hackers and offenders, and a critical need for data security, data privacy and protection, and prevention of financial fraud.
Proposed Regulations and Guidelines
As a step towards enhanced safety of digital payments, in April 2020, the Reserve Bank of India published the Payment Aggregator and Payment guidelines (PAPG), which bar merchant sites from saving customer card credentials (also known as card-on-file) within their database or the servers accessed by the merchant. It has further introduced the process of tokenization.
What is Tokenization?
In lieu of sensitive consumer data and the 16-digit card account number, a unique set of characters known as tokens will now be used. Whilst allowing secure payment processing, these unique identifiers will protect sensitive payment-related information. Once implemented, disclosure of debit or credit card number, the CVV number, or the expiry date will not be required for digital payments. Issuance of different tokens for the same card payment on various platforms will thereby lessen the risks of financial theft or fraud.
Even if there is a breach, the merchant will have no access to consumer data that can be stolen or misused. In this manner, tokenization safeguards businesses from the negative financial impact of data theft.
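The per-platform tokens described above, as an added example that is not part of the original article: a token service keeps the card number in its own vault and hands each merchant a different random token. The class, the merchant names and the rule that a token is honoured only for the merchant it was issued to are assumptions for illustration; the card number is a constructed test value.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Checksum used by payment card numbers; rejects mistyped input."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Runs at the token service (hypothetical), never at the merchant."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, merchant_id)
        self._by_binding = {}  # (pan, merchant_id) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if len(pan) != 16 or not luhn_ok(pan):
            raise ValueError("not a valid 16-digit card number")
        key = (pan, merchant_id)
        if key not in self._by_binding:
            # Random, so the token reveals nothing about the card number.
            token = "tok_" + secrets.token_hex(16)
            self._by_binding[key] = token
            self._by_token[token] = key
        return self._by_binding[key]

    def detokenize(self, token: str, merchant_id: str) -> str:
        entry = self._by_token.get(token)
        # A token copied from one merchant is refused when another presents it.
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return entry[0]

def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    shop = vault.tokenize(pan, "shop-a")    # hypothetical merchant ids
    video = vault.tokenize(pan, "video-b")
    merchant_db = {"customer-1": shop}      # all that shop-a keeps on file
    return pan, vault, shop, video, merchant_db
```

The merchant's database holds only the token, so a copy of that database contains no card number, CVV or expiry date.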
Issues and Impact of implementation of Tokenization for the Industry and the User
As per RBI’s annual report, the value of India’s digital payment industry in the year 2020-21 was approximately 14,15,00,000 crores. With an estimated 100 crore debit and credit cards in use for daily transactions, implementing the new guidelines requires a focus on both the rollout and the security aspect. If e-commerce platforms, online service providers, and merchants are not able to execute the changes at their backend, the new mandate could cause loss of revenue and erode trust in digital payments.
While this directive from the RBI is right in intent, its “one size fits all” criteria may not apply to all use cases. It could obstruct the flow of online payments, especially in subscription businesses and payments that are device agnostic. Customers will experience hiccups in subscription-based services that require recurring payments, in refunds and service requests, and while switching payment aggregators. If merchants and payment aggregators are restricted from storing customer credentials, this could impede business operations and leave a ‘not so sweet’ customer experience. Taking into consideration the low level of digital literacy in the country, the new guidelines will require consistent user inputs for renewal, which will affect India’s long-term goal of financial inclusion.
There have been lacunae regarding the applicability of the PAPG guidelines since the notification was issued by the RBI, and several stakeholders had reached out to the RBI to seek clarifications. Since cards are the preferred option to make online payments, industry stakeholders feel that a switch will have a second-order effect on the customers, merchants, and the entire digital payment ecosystem in the country. The customers will have to manually re-enter card details for every transaction, making the user experience faulty. Merchants may see a drop in their conversion rates because of transaction failure due to input errors and the cumbersome entry methodology.
The digital payment ecosystem could also be vulnerable to systematic failures and specification mistakes, since a large volume of API authentications will need approval from issuing banks for processing every transaction. Despite the risk, RBI is determined to limit the number of participants in the payments ecosystem that are privy to card-on-file data and wants to completely wipe away the storing of customer information by merchants.
While ‘tokenization’ is a plausible solution to tighten data security, the technology around it is relatively new in India with limitations at the ecosystem level. It needs considerable investment and infrastructural development by stakeholders (including card network operators, banks, PAs, and merchants) over a period so that tokenization becomes a viable alternative to card-on-file data. The following aspects must be considered for tokenization:
- Digital payments foster economic growth while providing convenience and security to the consumer. Regulations need to be checked to see that they are not arbitrary, that there is a clear relationship between the aim and the policy devised, and that they are risk-proportionate with minimal interference to stakeholders.
- While chalking out regulations, all the stakeholders must be given priority, and the regulations must be formulated in a manner that comforts consumers in the digital space and lets them enjoy the user experience. Digital transactions must focus on the 4S’s – straight, secure, simple, and swift.
- The purpose of the PAPG guidelines is unclear. If the purpose of using tokens is security and safety, then PCI Data Security Standard (PCI DSS) compliance, which is a globally accepted standard, is enough to prevent data breaches. It then doesn’t matter who implements it. The matter, at best, should then rest in the hands of India’s data laws.
- Internet frauds are conducted by cybercriminals and not by payment aggregators and merchants. The internet scams happen due to third-party hacks, and therefore it is hardly rational that preventing PAs and merchants from storing customer credentials will lessen cybercrimes. Adopting a complex system where perpetual authentication is required will drive consumers away from the digital ecosystem, especially those in the low-income groups who are hesitant to adopt any change that they do not comprehend easily.
- The “Payments and Settlement Systems Act, 2007” set up by the RBI provides for the regulation and supervision of the payments systems in our country. System providers that operate either clearing or payment or settlement services fall under the category of payment systems, and this category does not include merchants. Hence, the apex institution does not have the jurisdiction to regulate merchants.
Tokenization is the way forward to secure transactions with minimal disruption to the check-out experience, but it requires major infrastructure changes by banks and merchants to accommodate the encryption process. While it is important to instill customer confidence, it should not be done at the cost of their convenience. RBI should approve the principles and standards for tokenization and entities that conform to the same must be allowed to store card details rather than restricting them to only issuing banks and networks.
What is of more importance today: the need to ensure the safety of people and sellers, or tweaking a system that is robust?