With thousands of stakeholders yet to onboard the tokenisation platform and “RBI regulated entities not prepared” for the new initiative, digital payment firms and merchant bodies have petitioned the Reserve Bank of India to extend the deadline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF). The RBI mandate on tokenisation kicks in from January 1.
If implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants, they said in a letter to the RBI. “Disruptions of this nature erode trust in digital payments and reverse consumer habits back towards cash-based payments,” Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter. They have voiced their concerns over industry readiness on the RBI directive on card-on-file tokenisation and urged the central bank for an extension of the December 31 deadline for implementation of card data storage norms. Sources said some banks have also written to the RBI seeking extension of implementation of the new norms.
An estimated 5 million customers, who have stored their card details for online transactions on various platforms, could be impacted if the online players and merchants are not able to implement the changes at their backend. E-commerce platforms, online service providers and small merchants could be especially hit. Equated monthly instalments and subscription-based transactions that are paid through stored cards will also have to adhere to the new norms.
Online merchants can lose up to 20-40 per cent of their revenues post December 31 due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop, according to participants at a virtual session on Digital Payments and the India Media Consumer by the CII’s Media and Entertainment Committee on Wednesday.
“India has an estimated 98.5 crore cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore. The value of the Indian digital payments industry in 2020-21, as per RBI’s annual report, was Rs 14,14,85,173 crore. Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic…While RBI’s intent is to protect consumer interest, the challenge on ground pertains to implementation,” the CII said in a statement. In September, the RBI prohibited merchants from storing customer card details on their servers with effect from January 1, and mandated adoption of CoF tokenisation as an alternative to card storage.
What is tokenisation
Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device. A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online.
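The binding described above can be shown in a few lines of Python. This is an added illustration, not code from the RBI, the card networks or any party quoted in this article; the `TokenVault` class, the requestor and device names and the card number are constructed for the example. It shows that one card yields a different token for each token requestor, and that a token copied from one merchant cannot be redeemed by another.

```python
import secrets


class TokenVault:
    """Hypothetical, simplified token service: the only place that holds card numbers."""

    def __init__(self):
        self._by_binding = {}  # (pan, requestor, device) -> token
        self._by_token = {}    # token -> (pan, requestor, device)

    def tokenise(self, pan, requestor_id, device_id):
        binding = (pan, requestor_id, device_id)
        if binding not in self._by_binding:
            # Random value, so the token reveals nothing about the card number.
            token = secrets.token_hex(8)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def detokenise(self, token, requestor_id, device_id):
        binding = self._by_token.get(token)
        if binding is None:
            raise KeyError("unknown token")
        pan, bound_requestor, bound_device = binding
        # A token is only honoured for the requestor and device it was issued to.
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            raise PermissionError("token presented outside its binding")
        return pan


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token_a = vault.tokenise(pan, "merchant-a", "phone-1")
    token_b = vault.tokenise(pan, "merchant-b", "phone-1")
    try:
        # merchant-a's stored token replayed by a different requestor
        vault.detokenise(token_a, "merchant-b", "phone-1")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {
        "distinct_per_requestor": token_a != token_b,
        "stable_for_same_binding": token_a == vault.tokenise(pan, "merchant-a", "phone-1"),
        "replay_blocked": replay_blocked,
        "resolves_for_owner": vault.detokenise(token_a, "merchant-a", "phone-1") == pan,
    }
```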
Digital firms blamed the banks for laxity in implementing the RBI directive. “In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue. We are looking at revenue losses of anywhere between 20-40 per cent at the minimum should that be the case.
It’s also important to note that it’s only after the readiness of bank, card networks and APIs are made available that merchants are even able to take effective measures on their part to comply,” said Sijo Kuruvilla George, executive director, Alliance of Digital India Foundation, a think tank for India’s digital start-ups.
Stating that the “RBI regulated entities are not prepared”, the letter said the RBI policy change affects three major players: banks, intermediary payment systems and merchants. “Merchants cannot start the testing and certification of their payment processing systems until banks, card networks, and PA/PGs are certified and live with stable APIs for consumer-ready solutions,” the joint letter said. The two bodies have sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways, as well as the generation of consumer awareness about the impact of the policy change. They claimed in the letter that “RBI regulated entities are not prepared in the absence of a hard mandate to comply”.
According to Vishal Mehta, Chair of the Governing Council of the MPAI (a consortium of merchants that leverages digital payments), this unpreparedness will impact recent digital payments adopters even more deeply. The frequency and intensity of phishing attempts will go up as entire card details are to be entered for each transaction, causing a significant rise in irreversible fraudulent transactions, Mehta said.