RBI against dropping card data storage clause in new rules, BFSI News, ET BFSI



The Reserve Bank of India (RBI) has rejected a demand by India’s payment gateways for exemptions on select new regulatory norms that are set to prohibit merchants from storing card details and payment operators from offering one-click checkout service to consumers from January 2022, three sources aware of the matter told ET.

The new Payment Aggregator/Payment Gateways (PA/PG) rules will mandate every online merchant processing transactions for customers to only have access to a ‘tokenised’ key linked with the consumer’s cards instead of the entire card file. While authorised card operators will be allowed to store card details for seamless processing of redressals and chargebacks, the new rules will prohibit the usage of this data even by authorised operators for auto checkouts.

This means millions of card holders – both debit and credit – making payments online in 2022 may have to enter their 16-digit card numbers every time they make a payment online as opposed to just authenticating these transactions through the CVV (card verification value) and the one-time password (OTP) as is the current norm.

“The RBI’s new rules have been framed keeping security of the consumers as paramount,” said an industry official aware of the matter. “The current system, while seamless, is prone to breaches and cyber risks as customer card details are being stored in the servers of merchants not directly under the supervisory purview of the central bank.”

The Payments Council of India (PCI) lobby group has suggested alternative solutions beyond encryption through tokenisation, such as secure reference on file, to minimise customer inconvenience. They argue that as licensed aggregators are storing card data on isolated servers for chargeback references, these may be used for allowing one-click checkouts subject to consumer consent.

PCI has also sought a further extension of the deadline for compliance in its letter to the RBI.

“To allow regulated entities to develop and implement solutions that meet the criteria, as well as to ensure consumers are informed, we request sufficient time to be allowed to ensure the entire card ecosystem is prepared to handle card transactions under new solutions without adverse unintended consequences,” said the letter reviewed by ET.

To be sure, the rules were initially set to be enforced from July 2021. The RBI extended this by six months after the industry lobbied for it.

The RBI didn’t respond to queries.

The gateways say customers will experience friction in subscription-based services that require storage of card data to bill them on a recurring basis. Without the customer data, merchants will have to ask for the card information in every billing cycle, which will result in business disruption, they say.

“While this directive from the RBI is right in intent, it leads to a blanket prohibition for service provider merchants from storing customers’ financial information, even when the said merchants may have the requisite security norms in place or may intend to have one for the same, thereby affecting smooth flow of online payments,” said Rameesh Kailasam, CEO and president of IndiaTech, an industry grouping of startups.

Earlier in the year, IndiaTech had made representations to both the RBI and the finance ministry to allow merchants with adequate security compliances to handle customer data without encryption to prevent disruption to seamless checkouts. Kailasam said IndiaTech is preparing another representation to reiterate this point to the central bank ahead of the deadline.

“It is important to understand here that from a practicality standpoint, device tokenisation may not work in all use cases, like subscription businesses and payments that are device agnostic,” he said.

ET reported Thursday that at least 30 firms including Tata Group, Amazon, Zomato and PhonePe have applied for PA/PG authorisation under the new RBI rule, which was formally introduced in March 2020. The widespread interest among internet firms to apply for an aggregator licence can also be explained by their intent to convert themselves from merchants to payment processors to ensure reduced friction in payment processing for customers.

“The central bank is firm on its stand to not allow any more extensions as of now as the ecosystem has seen several high-profile breaches, mostly at the end of merchants and unauthorised payment aggregators,” said the chief executive of a payment gateway present at the meeting with RBI representatives earlier this month. This year has seen high-profile cyberattacks such as those on JusPay, Mobikwik, Air India and Upstox.




RBI deadline to stop storage of card details worries start-ups



With the deadline to implement an RBI norm that prohibits payment gateways and payment aggregators from storing customer card details closing in, consumer tech start-ups are a worried lot.

Accepting the diktat could reduce the ease of payments for half a billion Internet users in India.

This could even increase barriers to entry for the next billion Internet users who are just getting hold of technology services like food delivery, online retail, and on-demand video streaming.

The RBI had suggested tokenisation as a measure for non-bank payment aggregators to replace the actual card details of customers with an alternative code termed a ‘token’. The token has to be unique for a combination of card, token requestor (an entity that accepts a tokenisation request from the customer and sends it to the card network to issue a token), and device.

The safety provided by tokenisation is that if a company is hacked, the hacker cannot use that data for another platform.

One device, one card

But in tokenisation, the consumers will only be able to use one card to make transactions on one device. Each platform will generate a unique token corresponding to the user’s card and device.
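How the card/requestor/device binding described above plays out, as an added illustration that is not part of the article: a toy token vault (constructed here, not any card network's or payment aggregator's real system) issues tokens keyed to the (card, token requestor, device) triple, so a token lifted from one platform cannot be redeemed by another platform or from another device, while a repeat order on the same platform and device reuses the same token.

```python
import secrets

# Toy token vault, constructed for this example; it is not any card network's
# or payment aggregator's real API. It models the rule described above: a token
# is bound to the (card, token requestor, device) triple, so a token lifted from
# one platform's servers is worthless when presented by another requestor or
# from another device.
class TokenVault:
    def __init__(self):
        self._by_token = {}   # token -> (pan, requestor, device)
        self._by_triple = {}  # (pan, requestor, device) -> token

    def tokenise(self, pan, requestor, device):
        """Issue (or reuse) the token for this card on this platform and device."""
        key = (pan, requestor, device)
        if key not in self._by_triple:
            # Random value: nothing about the PAN can be derived from the token.
            token = "tok_" + secrets.token_hex(8)
            self._by_triple[key] = token
            self._by_token[token] = key
        return self._by_triple[key]

    def detokenise(self, token, requestor, device):
        """Release the PAN only to the requestor/device the token was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != requestor or entry[2] != device:
            return None  # stolen or misdirected token: no card data released
        return entry[0]


def demo():
    """Walk through the scenario in the article and return the observations."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not a real card
    food_tok = vault.tokenise(pan, "food-delivery-app", "phone-A")
    retail_tok = vault.tokenise(pan, "online-retailer", "phone-A")
    laptop_tok = vault.tokenise(pan, "food-delivery-app", "laptop-B")
    return {
        # one card on two platforms (or two devices) means two unrelated tokens
        "distinct_per_platform": food_tok != retail_tok,
        "distinct_per_device": food_tok != laptop_tok,
        # a repeat order on the same platform and device reuses the same token
        "stable_for_repeat_order": vault.tokenise(pan, "food-delivery-app", "phone-A") == food_tok,
        # a token stolen from the food app is useless at the retailer ...
        "stolen_token_at_other_platform": vault.detokenise(food_tok, "online-retailer", "phone-A"),
        # ... and useless from another device, but works where it was issued
        "stolen_token_on_other_device": vault.detokenise(food_tok, "food-delivery-app", "laptop-B"),
        "legitimate_use": vault.detokenise(food_tok, "food-delivery-app", "phone-A") == pan,
    }
```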

On the challenges attached to tokenisation, Rameesh Kailasam, CEO of Indiatech, told BusinessLine, “The ecosystem may not be ready for such measures, because companies will be expected to create a token with each payment aggregator/payment gateway which will override the intent of recurring payments. Essentially, customers will not have the feasibility of placing repeat orders, making EMI payments, and standing transactions against their card.”

The RBI rule on stopping card storage was initially given an implementation deadline of July but was later extended to January 2022 following industry demand.

Indiatech.org, an industry association of Indian start-ups including Ola, hike, Makemytrip, and Nykaa among others, has recommended that companies that are able to afford industry certifications like Payment Card Industry Data Security Standard (PCI DSS) Level 1 be allowed to save customers’ card details, with the necessary reporting and audit mechanisms built in to inform the RBI. Further, it suggested that beyond-device tokenisation should be allowed.

The central bank’s motive to bring these rules was to guard customer data against frequent data breach cases in tech companies. Cybercrime cases in India have grown exponentially since the pandemic. Per data shared by the Union Minister of State for Home Affairs, G Kishan Reddy, in the Lok Sabha in March, between August 30, 2019, and February 28, 2021, as many as 3.17 lakh cybercrime incidents were registered on the National Cyber Crime Reporting Portal.

Data security

Commenting on the relation of data security issues with companies’ storing customer card details, independent security researcher, Rajashekhar Rajaharia said, “Storing customer data is not what leads to data breaches. It is weak and, in some cases, outdated encryptions used by the Internet companies that expose them to data leaks and hackers.

“In addition to this, the Indian government also needs to conduct data audits of companies as done in countries like the US and Europe,” he added.
