The Reserve Bank of India (
RBI) in March 2020 had put out
Payment Aggregator and Payment guidelines that bars the merchants from storing card data of customers and disallows
payment aggregators from storing customer card credentials within their database or the servers assessed by the merchant. PAs and merchants will have to most likely adhere to these guidelines by June 30, 2021
According to payment industry experts and executives that ETBFSI spoke to, this could potentially impact digital payments, particularly the card transactions. Further there are three key concerns viz. systemic risk due to technology build up, one size fits all approach, and customer inconvenience.
One-Size-Fits-All Approach
Globally, payment companies and merchants storing card data have to be compliant with Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a set of requirements for all companies who process, store or transmit credit card information having to maintain a secure environment.
In that context the RBI in the PAPG Guidelines holds payment aggregators responsible to check PCI-DSS compliance of the infrastructure of merchants onboarded but doesn’t allow the merchants to save customer card and related data.
Experts believe this is a one-size-fits-all approach and will impact customer inconvenience.
“It makes the card payment experience worse for customers and it’s a step not in the right direction. In India we should encourage as many instruments as possible as the digitisation journey has just started. Somebody preferring a credit card shall be offered the same level of experience as somebody using UPI. In this case cards would’ve a terrible experience than any other instrument,” said a CEO of a large Payment Aggregator, on condition of anonymity.
He added, “Even today, first time digital payment consumers still use debit cards, because UPI requires a bit of understanding, onboarding, etc. Making that experience patchy and bad might not be in the right direction to encourage digital payments, because we can’t expect the consumer to every time add the sixteen digits of the card number and other details especially for recurring transactions.”
While PCI-DSS is a recognised standard world over across different jurisdiction, experts suggest if the RBI’s intention is to prevent data breach and leakage of card data, the regulator can add more things like data localisation and other measures with audits but doing away with it and one-size-fits-all wouldn’t make sense.
Mandar Kagade, Founder & Principal at Black Dot Public Policy Advisors said, “The restriction is broad-based and makes no distinction as to the merchants that have invested in the relevant PCI – DSS standards and the ones that haven’t. It applies a one-size-fits-all constraint to all merchants regardless of whether they are compliant of PCI- DSS and is thus inconsistent with RBI’s recognition of it hitherto.”
Mandar added, “Consistency in the regulatory voice is critical for the growth of the payments sector because payments sector participants and FinTechs will invest in technology relying on that consistency.”
Mandar suggests that payments sector participants that are PCI- DSS compliant should be allowed to continue to store card data “in-situ” and others that are not compliant, may be given a time window to on- ramp and upgrade.
According to Ashish Agarwal, Senior Director and Head – Public Policy at NASSCOM, it’s also a case to look at the applicability of the guidelines on international transactions.
Ashish said, “While it is one thing to make the PAPG guidelines applicable in case of domestic transactions, mandating them on international transactions has left the industry a bit puzzled. How will this be mandated with foreign merchants and foreign acquiring banks is not clear. Already consumers can control use of their cards for international as well as e-commerce transactions. So we want RBI to evaluate the application of this on cross border transactions a bit more and clarify how this is planned to be implemented.”
The Case of Tokenisation
If the regulator doesn’t allow the merchants and payment aggregators to store the data on their server, tokenisation could be a way forward. Tokenisation is replacement of card details with an alternate code called “token” which is unique for a combination of card, token requestor and device. In a tokenised transaction the actual card details are not shared with the merchant during transaction processing and the transaction is processed based on the tokens.
Experts believe the industry isn’t ready to roll out full scale tokenisation as there are some limitations at ecosystem level. Currently the RBI has restricted the feature of tokenisation to mobile phones and tablets only.
The CEO of payments aggregator quoted above said, “Tokenisation is not adopted by the industry well, the purpose of tokenisation solves the purpose of not sending card details every-time to the network. But the issuing banks haven’t widely adopted so it’s not widely used.”
To increase the adoption of tokenisation the RBI will have to broaden the applicability to other devices like computer/laptop as well apart from mobile phone and tablets.
Ashish of NASSCOM added, “RBI will have to time the implementation of tokenisation to the ecosystem – we are talking about networks, banks, payment aggregators and merchants. Merchants can’t afford even a small window of disruption and they will be completely dependent on the payments infrastructure. As per our understanding, a minimum of six additional months are needed. The June deadline for PAP guidelines is not looking reasonable. Two things are needed – RBI needs to work with the industry for smooth roll out of tokenisation at scale and only after that the new PAPG should be enforced.”
Ashish also suggests that e-mandate on debit and credit cards, PAP guidelines and tokenisation are all deeply interconnected and without card on file at the end of merchants and PAs, e-mandates can be effectively implemented only through large scale tokenisation at the end of networks and banks, and with PAs maintaining the requisite infrastructure to connect all ecosystem players including merchants, banks and networks, in order to seamlessly transmit unique and merchant-specific tokens. Currently, however, PAs are not geared for that. RBI has set March 31 as the deadline for e-mandate and that needs to be tied into the overall tokenisation rollout plan.
Financial Fragility & Systemic Risk
The restriction on storage of customer cards and related data could make the payments ecosystem systemically fragile as merchants and PAs will be constrained to call the Application Programming Interface (API) of the bank to authenticate the consumer every time for execution of the transaction.
Mandar added, “Significant build- up of technology debt at any one of the banks thus exposes the payments ecosystem to significant systemic failure risk albeit at a low probability, the very definition of ‘grey swan/ black swan’. The concentrated nature of the bank market amplifies this “grey swan / black swan risk.”