Industry welcomes RBI’s move to extend scope of tokenisation to all consumer devices



Industry associations representing consumer tech startups and payment companies have welcomed RBI’s move to extend the scope of tokenisation from mobile phones and tablets to all consumer devices, such as laptops, desktops, wearables and IoT devices.

This update comes against the backdrop of an RBI norm that prohibits payment gateways and payment aggregators from storing customer card details. The central bank has given stakeholders a deadline of January 2022 to comply with this norm, which has worried consumer tech start-ups about its impact on consumers’ ease of payments.

Commenting on the new RBI update, IndiaTech, an industry association of Indian start-ups including Ola, Hike, MakeMyTrip and Nykaa among others, welcomed the extension of tokenisation to all consumer devices.

However, Rameesh Kailasam, CEO of IndiaTech, added that there will continue to be challenges should banks not extend timely support. “Such a regulation should be made mandatory for all banks, it should not be optional as is the case presently. Device tokenization does not support recurring use cases, while COF (card on file) tokens, if allowed, provide strong ‘merchant cardholder binding’ security. Banks should ideally be mandated to do COF tokens. We also look forward to PCI DSS Level 1 (Payment Card Industry Data Security Standard) certified entities being allowed to store card data,” he said.

Further, Vishwas Patel, Chairman of the Payment Council of India (PCI), which represents payment companies in India, said, “We welcome this initiative as facilitation in payments will have to be medium agnostic to enhance customer experience. RBI after due review has permitted this customer experience enhancing measure.”

PCI claims to be working closely with RBI on charting a roadmap of possible solutions that would not require customers to enter their card details every time they want to make an online purchase. PCI added that these solutions will adhere to the security checks, controls and frameworks prescribed by RBI.

The central bank’s motive in bringing in these rules was to guard customer data against the frequent data breaches at tech companies. Cybercrime cases in India have grown exponentially since the pandemic. As per data shared with the Lok Sabha in March by Union Minister of State for Home G Kishan Reddy, 3.17 lakh cybercrime incidents were registered on the National Cyber Crime Reporting Portal in India between August 30, 2019 and February 28, 2021.


RBI against dropping card data storage clause in new rules, BFSI News, ET BFSI



The Reserve Bank of India (RBI) has rejected a demand by India’s payment gateways for exemptions on select new regulatory norms that are set to prohibit merchants from storing card details and payment operators from offering one-click checkout service to consumers from January 2022, three sources aware of the matter told ET.

The new Payment Aggregator/Payment Gateways (PA/PG) rules will mandate every online merchant processing transactions for customers to only have access to a ‘tokenised’ key linked with the consumer’s cards instead of the entire card file. While authorised card operators will be allowed to store card details for seamless processing of redressals and chargebacks, the new rules will prohibit the usage of this data even by authorised operators for auto checkouts.

This means millions of card holders – both debit and credit – making payments online in 2022 may have to enter their 16-digit card numbers every time they make a payment online as opposed to just authenticating these transactions through the CVV (card verification value) and the one-time password (OTP) as is the current norm.

“The RBI’s new rules have been framed keeping security of the consumers as paramount,” said an industry official aware of the matter. “The current system, while seamless, is prone to breaches and cyber risks as customer card details are being stored in the servers of merchants not directly under the supervisory purview of the central bank.”

The Payments Council of India (PCI) lobby group has suggested alternative solutions beyond encryption through tokenisation–such as secure reference on file–to minimise customer inconvenience. They argue that as licensed aggregators are storing card data on isolated servers for chargeback references, these may be used for allowing one-click checkouts subject to consumer consent.

PCI has also sought a further extension of the deadline for compliance in its letter to the RBI.

“To allow regulated entities to develop and implement solutions that meet the criteria, as well as to ensure consumers are informed, we request sufficient time to be allowed to ensure the entire card ecosystem is prepared to handle card transactions under new solutions without adverse unintended consequences,” said the letter reviewed by ET.

To be sure, the rules were initially set to be enforced from July 2021. The RBI extended this by six months after the industry lobbied for it.

The RBI didn’t respond to queries.

The gateways say customers will experience friction in subscription-based services that require storage of card data to bill them on a recurring basis. Without the customer data, merchants will have to ask for the card information in every billing cycle, which will result in business disruption, they say.

“While this directive from the RBI is right in intent, it leads to a blanket prohibition for service provider merchants from storing customers’ financial information, even when the said merchants may have the requisite security norms in place or may intend to have one for the same, thereby affecting smooth flow of online payments,” said Rameesh Kailasam, CEO and president of IndiaTech, an industry grouping of startups.

Earlier in the year, IndiaTech had made representations to both the RBI and the finance ministry to allow merchants with adequate security compliances to handle customer data without encryption to prevent disruption to seamless checkouts. Kailasam said IndiaTech is preparing another representation to reiterate this point to the central bank ahead of the deadline.

“It is important to understand here that from a practicality standpoint, device tokenisation may not work in all use cases, like subscription businesses and payments that are device agnostic,” he said.

ET reported Thursday that at least 30 firms including Tata Group, Amazon, Zomato and PhonePe have applied for PA/PG authorisation under the new RBI rule, which was formally introduced in March 2020. The widespread interest among internet firms to apply for an aggregator licence can also be explained by their intent to convert themselves from merchants to payment processors to ensure reduced friction in payment processing for customers.

“The central bank is firm on its stand to not allow any more extensions as of now as the ecosystem has seen several high-profile breaches, mostly at the end of merchants and unauthorised payment aggregators,” said the chief executive of a payment gateway present at the meeting with RBI representatives earlier this month. This year has seen high-profile cyberattacks such as those on JusPay, Mobikwik, Air India and Upstox.


