As a step towards enhanced safety of digital payments in March 2020, the Reserve Bank of India laid down new rules for the tokenization of card data. The Payment Aggregator and Payment guidelines published by the RBI, Payment Aggregators (PAs) and Payment Gateways (PGs) prohibited merchant sites from storing customer card credentials (also known as card-on-file) within their database or on their servers.
With tokenization, card details would be replaced by a unique code or token, allowing online transactions to go through smoothly without any exposure to the sensitive card credentials of the customer.
The deadline to comply with these guidelines was first set on December 31, 2021, by when it was expected that banks, card companies (Visa, Mastercard) and other stakeholders – PAs, PGs and merchants would establish the mandatory infrastructure to remodel their systems for the tokenization process and purge all card-on-file (CoF) data. Since then the deadline has been extended twice, first to June 31, 2022 and then further to September this year. Each time the extension was done due to the delays in setting up the new infrastructure by the payments ecosystem and the possibility of disruption and inconvenience to cardholders.
Once again as the deadline draws closer, confusion and hesitancy linger. While most of the big merchants and e-commerce players like Amazon have their systems in place, it is the small merchants who are struggling to set up the necessary infrastructure and revamp their systems.
The Merchant Payments Alliance of India (MPAI) has voiced its concern with the RBI regarding pending issues with the token for recurring payments. The failure to smoothly implement token flow could result in system lag, disruption and a reduction in merchant revenue and therefore they feel that these issues need to be duly addressed. Even though merchants have been assured verbally by partners, these assurances hold little value unless tested on the platform. Small merchants are struggling and need more time to be ready for handling tokenized transactions. Their lack of resources and dependency on PAs and PGs inhibits them from starting any meaningful testing of token solutions for their customers.
The MPAI is of the view that for end consumers to successfully conduct payment transactions using tokenized card details, the ecosystem must be ready. However, merchants who rely on payment aggregators and payment gateways are yet to make significant progress.
Autopay is another concern with tokenization. There is limited clarity on recurring payments as compared to other regular payment flows. To keep track of mandate IDs and in the process of recurring payments, accessibility of bank identification numbers (BINs) from card networks is essential. However, the progress in this area is limited.
Looking at the above scenario, the merchants would be more comfortable with a further deferral of the deadline. The industry experts are unsure of the preparedness of the ecosystem. The beta version testing takes more or less 90 days and the smaller merchants have yet to implement testing of token solutions for their customers. Moreover, the switch of their existing customers to the new systems has not yet happened.
Despite multiple extensions, the problem of synchronization among the stakeholders continues and the ecosystem is still not prepared for all cases. A further extension would only be effective if complemented with a detailed assessment by the central bank and a remedial follow-up to plug the loopholes.
There is a need for clarity backed by data and numbers in terms of preparedness. This will be possible when RBI releases a status report to throw clarity on infrastructure readiness and instill confidence in the merchants so the switchover to tokenization is smooth.