Starting July 1, online merchants (like Amazon and Swiggy) and payment aggregators (like Razorpay and BillDesk) will no longer be allowed to store their customers’ credit and debit card details, owing to guidelines issued by the Reserve Bank of India (RBI) in March 2020. This means that either customers will have to enter their card details every time they make an online purchase, or merchants and payment aggregators will have to adopt an alternative technology that lets them store tokenised versions of the card details. But both options face a mountain of challenges, and as things stand today, any kind of online card transaction is most likely to fail once the new regulation kicks in next month.
“The biggest issue is uncertainty. There are so many use cases which are still unaddressed. Even the use cases which are addressed do not have parity in terms of performance with the existing payment performance or uptime or the speed of the transactions,” says Vishal Mehta, Chairperson, Governing Council, Merchant Payments Alliance of India (MPAI).
While merchants and payment aggregators are not allowed to store customers’ debit or credit card numbers, RBI in September 2021 issued guidelines allowing them to store token numbers instead. A token is a unique number based on the combination of card details, merchant, and device. For example, your Visa HDFC card will have token A on Flipkart, token B on Amazon, and token C on PVR. The reason behind this construct is that even if Flipkart suffers a breach, what it loses is a token that cannot be used on any other website or application. Tokenised transactions involve two steps:
Token generation: The first step is to generate a token for a particular card. Tokens are generated by the card network (Visa, Mastercard, Rupay, American Express). You might have already noticed many apps such as Swiggy and Uber asking you to “secure” your card. What they essentially mean by this is to allow them to generate a token for your card, so that they can purge card details by the end of the month.
Processing transactions using tokens: Once the card is tokenised, the merchant can use this token to carry out the transaction without the customer having to enter their card details every time.
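The two steps above (provision a token bound to card, merchant and device; then pay with the token) are easy to see in a small model. The code below is an added, constructed example written for this page; it is not the Visa, Mastercard or RuPay token service, and the class names, the sample card number and the merchant identifiers are hypothetical. It shows the property the article describes: the merchant keeps only the token, the same card gets a different token per merchant, and a token copied out of one merchant's store is refused when presented through another merchant or from another device.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample card number for the demo (a well-known test PAN, not a real card)
SAMPLE_PAN = "4111111111111111"


@dataclass(frozen=True)
class TokenBinding:
    """What the network records against each token: the real card number plus
    the merchant and device the token is scoped to (hypothetical structure)."""
    pan: str
    merchant_id: str
    device_id: str


class NetworkTokenService:
    """Hypothetical stand-in for the card network's token service. It is the
    only party in this model that ever holds the PAN -> token mapping."""

    def __init__(self) -> None:
        self._bindings: Dict[str, TokenBinding] = {}

    def provision(self, pan: str, merchant_id: str, device_id: str) -> str:
        # The token is random, not derived from the PAN, so it cannot be
        # reversed into the card number; 16 digits so it fits card-number fields.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._bindings:
                break
        self._bindings[token] = TokenBinding(pan, merchant_id, device_id)
        return token

    def detokenise(self, token: str, merchant_id: str, device_id: str) -> Optional[str]:
        """Resolve a token to the PAN only when the presenting merchant and
        device match the binding; any other presentation is refused."""
        binding = self._bindings.get(token)
        if binding is None:
            return None
        if binding.merchant_id != merchant_id or binding.device_id != device_id:
            return None
        return binding.pan


class Merchant:
    """A merchant (or its payment aggregator) after the purge deadline: it
    stores tokens only and never persists the card number."""

    def __init__(self, merchant_id: str, network: NetworkTokenService) -> None:
        self.merchant_id = merchant_id
        self.network = network
        self.saved_tokens: Dict[str, str] = {}  # customer_id -> token

    def secure_card(self, customer_id: str, pan: str, device_id: str) -> str:
        """Step 1 (token generation): 'secure' the card by obtaining a token."""
        token = self.network.provision(pan, self.merchant_id, device_id)
        self.saved_tokens[customer_id] = token  # the PAN is discarded here
        return token

    def charge(self, customer_id: str, device_id: str) -> bool:
        """Step 2 (processing): pay with the stored token; succeeds only if the
        network resolves it for this merchant and device."""
        token = self.saved_tokens.get(customer_id)
        if token is None:
            return False
        return self.network.detokenise(token, self.merchant_id, device_id) is not None


def stored_data_contains_pan(merchant: Merchant, pan: str) -> bool:
    """Audit check: does anything the merchant persists contain the PAN?"""
    return any(pan in value for value in merchant.saved_tokens.values())


def demo() -> dict:
    """Runs the article's scenario: one card, two merchants, one leaked token."""
    network = NetworkTokenService()
    flipkart = Merchant("flipkart", network)
    amazon = Merchant("amazon", network)
    device = "phone-1"

    t_flipkart = flipkart.secure_card("cust-42", SAMPLE_PAN, device)
    t_amazon = amazon.secure_card("cust-42", SAMPLE_PAN, device)

    # Suppose the token store at one merchant is breached: the token is of no
    # use when presented through a different merchant or from another device.
    leaked_usable_elsewhere = network.detokenise(t_flipkart, "amazon", device) is not None
    leaked_usable_other_device = network.detokenise(t_flipkart, "flipkart", "phone-2") is not None

    return {
        "tokens_differ_per_merchant": t_flipkart != t_amazon,
        "flipkart_charge_ok": flipkart.charge("cust-42", device),
        "amazon_charge_ok": amazon.charge("cust-42", device),
        "leaked_token_usable_elsewhere": leaked_usable_elsewhere,
        "leaked_token_usable_other_device": leaked_usable_other_device,
        "merchant_stores_pan": stored_data_contains_pan(flipkart, SAMPLE_PAN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point to notice is where the sensitive mapping lives: only the network-side service can turn a token back into a card number, and it does so only for the merchant and device the token was issued to, which is what limits the blast radius of a merchant-side breach.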
What are the problems with tokenisation?
Many participants in the ecosystem are not ready: “I am entering my card details on, supposing, the Swiggy app, then the first step is that my card will be tokenized. The second step is that that token will be used to process my payment and for that processing to happen, what you need are five main entities that must be prepared. One is the card network for creating the token. Then the card issuer, Axis Bank, for example, should be ready with both processing and identifying tokens. The third is the acquirer bank, which is the merchant bank. Then is the payment aggregator or gateway. Fifth is the merchant itself,” Mohit Kalawatia, Senior Associate at Koan Advisory Group, explained to MediaNama. “Not everyone is ready. Token provisioning is a heavy load activity on the network side, which is more straightforward, and that’s why the readiness is higher on that. But processing on the token is an issuer side activity, so that is taking a lot of time. So if any issuer is not ready with tokenisation end-to-end, then all the transactions of that issuer are going to fail,” Vishal Mehta explained.
Processing transactions using tokens is still in testing: “They’re still testing whether processing can happen at the same level as your normal card detail processing. Simultaneous processing, wherein your token is generated plus processing in the same session, is also still in testing. No one knows whether we’ll be able to do both of these at scale,” Kalawatia said.
Token transactions are too slow: “When a token gets created, the transaction needs to go through in that same 30 to 45 seconds time, which is the amount of time it typically takes for one to complete an online transaction. After that, the transaction times out. What we are seeing is that simultaneous token provisioning and transaction processing is taking much more time than that, which means the session is going to time out, the transaction will not go through,” an industry source explained to MediaNama.
The number of transactions per second is incredibly low: “Even if you were able to transact, the number of transactions that can go through per second is incredibly low at about eight to ten transactions per second. These numbers might be a bit outdated by now because on a daily basis there is something new that we’re hearing. But the numbers of transactions per second are still incredibly low,” the industry source explained.
No solutions yet for some use cases: “If your card was used fraudulently, you should be able to request a chargeback. If there is a high ticket payment item and you want to convert it into an EMI, you should be able to do it. If you want to get a refund from somewhere, you should be able to get that refund. So these are the three issues that need to be solved in order for the tokenisation solution to work completely for a customer, but tested solutions for these don’t exist,” the source explained.
Information asymmetry: “Initially we were hearing that the existing e-mandates (more on this below) will not be affected, but now we are hearing that there may be an impact. The overall thing is no one knows. There’s a lot of information asymmetry between the players, between the participants in the market,” Kalawatia remarked.
No deadline for people to enable tokenisation: “The deadline is for merchants and aggregators to purge card details. That’s a weird thing. There is no deadline for the entities to ensure that the alternative solution is ready,” Kalawatia said.
How can it be fixed?
Provide a cascaded timeline for implementation: To solve the tokenisation problem, the ecosystem needs time. And it needs not just time, it needs specific timelines for different ecosystem players because the building of the infrastructure is a sequential activity, not a parallel activity. “What is happening is that every extension you see, which has happened on this regulation, the extension is for the whole ecosystem. So those at the top of the ecosystem, the card networks and the issuers see the last date of implementation and they only care about them being ready. They don’t care about the downstream players like the acquirers, the payment aggregators, the payment gateways, and the merchants. So even if there’s a six-month extension, again, it’s going to be the same problem after six months,” Mehta pointed out. “Instead, what RBI should really do is they should say that card networks and issuers your deadline is, let’s say September 30. Payment aggregators, your deadline is December 31. Merchants, your deadline is March 31. So they have to provide cascaded timelines for implementation.”
RBI has to hold hands: “It’s a heavy personal opinion, but also echoed by a lot of merchants, is that whenever RBI comes up with regulation, they have to hold hands. They cannot just say that ‘hey, this is a regulation, you figure out the solution which applies to this regulation.’ This is not how regulators globally work. The way they work is they bring all the ecosystem players into the picture, they dictate the regulations and then they come up with a standard solution which is applicable throughout,” Mehta said.
More time: “Any sort of changes in infrastructure as to how transactions are processed will take time. And I can take the evidence of how other countries are doing. Australia started exploring tokenisation back in 2016-17 and they’re still evolving and adapting to the new payment processing,” Kalawatia said.
In the second option, guest checkout, the customer has to enter their card details every time they want to make a purchase. These card details are not stored by the merchants in any shape or form. While it appears to be a straightforward option that should work despite the extra hassle for the customer, that is not the case.
What are the problems with guest checkout?
Acquirer banks cannot store card details: According to RBI’s guidelines, card details can only be stored by the card issuers and the card networks. The acquiring bank cannot store the card details. “If a person wants to pay for a MediaNama subscription, for that payment to go through and for MediaNama to receive that money, three parties need access to the card number. One is the card network, so Visa, the second is the issuer bank, HDFC in this example, and the third is MediaNama’s bank, that’s the acquiring bank. Now, based on the way the rules are worded, Visa and HDFC are able to store your card information, but MediaNama’s bank is not able to do it. The acquiring bank has not been permitted. That’s how the systems are built today: for guest checkout to go through, the acquiring bank will need the payer’s card information. Said in another way, if the acquiring bank does not have the card information, the payment will fail,” an industry source explained.
Refunds and failed transactions cannot find their way back: Because the acquirer banks cannot store details of the customer, they will not know whom to return the money to in case of a failed transaction or refund, Mehta said. So in the off chance that money gets deducted from your account because the systems aren’t perfect, that money can’t find its way back into your account.
Illogical that acquiring banks are not allowed to store card details: “I don’t understand the logic behind why we are not allowing acquirer banks to store card details. Because acquirer banks are also issuer banks in some capacity. I’m a merchant, suppose I have an ICICI Bank account, but there will be a user who has an ICICI account as well,” Mohit Kalawatia said. “They’re still the same entity, they have the same security practices in place, they have the same banking license in place. So it’s very strange to see this demarcation that the RBI has caused between issuing banks and acquiring banks,” the industry source remarked.
Acquirer banks in the offline world can store card details: “The interesting bit is that it’s not just that acquirers are no longer allowed to store card information. It is acquirers in the online world who can’t store card information. So let’s take H&M as an example. If you go to the H&M website or the app to buy something, H&M’s bank can’t store your card information. But if you go to H&M’s physical store and buy something, H&M’s bank can store your card information. So it’s very confusing as to why the RBI regulation has come about in such a manner that there is this sort of discrimination between the online and the offline world,” the industry source stated. “The acquiring bank now has to be able to distinguish between an online transaction and an offline transaction. If it is an online transaction, it should not be receiving the card number. And if it is receiving the card number, the bank is in breach of the rules,” the source added.
How can it be fixed?
Allow acquirer banks to store card details: Unlike the tokenisation challenge, which is an ecosystem readiness challenge, the guest checkout challenge is a regulatory challenge because the regulation has incorrectly excluded acquirers from the purview of entities that can store your card information. “So RBI should allow acquirer banks to store data because, in case tokenisation isn’t ready, which appears to be the case, at least guest transactions can go through,” Kalawatia said.
The card storage guidelines are not RBI’s first bad policy. Back in 2018, we got the hurried data localisation norms that had to be clarified in 2019 after multiple concerns were raised by the industry. Mastercard and American Express are still hurting from these norms as they continue to be barred from onboarding new customers.
More recently, RBI’s regulations on recurring transactions went into effect on October 1, 2021, crippling subscription-based businesses from big tech companies like Netflix to non-profits like Internet Freedom Foundation.
We've lost more than half our members due to recurring payment failures.
427 members in Oct 2021 to 190 at the start of this month.
It's honestly scary how even a little friction in payments causes such a massive impact on our ability to work. https://t.co/FZiTKg8dow
— Karthik Balakrishnan (@karthikb351) May 19, 2022
As per this regulation, recurring transactions cannot take place automatically on a set date like they used to. Instead, customers first need to set up something called an e-mandate for recurring payments. Then, for each recurring transaction above Rs 5,000 (which might soon be increased to Rs 15,000), users receive a message from the bank 24 hours before the transaction is processed and have to approve it through an annoying and cumbersome multi-step process. For transactions below Rs 5,000, users are still asked each time whether they wish to cancel the upcoming transaction or not.
Indian banks dealing with incoming recurring payments pic.twitter.com/aovKtPtq4F
— Rohin Dharmakumar (@r0h1n) May 1, 2022
While companies are still struggling to comply with the e-mandate regulation, which has been in effect for eight months now, the card storage regulation is expected to kick in and add more worries. Even worse, the card storage regulation is going to be more disruptive than the e-mandate regulation.
“E-mandate was mostly for about 3-5% of Indian card transactions. Card tokenisation affects 100% of all card transactions,” Vishal Mehta said.
The only thing worse for merchants than the new card storage regulation is having to comply with both: the e-mandate regulation and the card storage regulation. All subscription-based services will be subject to this double compliance. “We just heard very bad news today from BillDesk that the e-mandates which have been created on SiHub (a platform that facilitates e-mandates) since October 1, when the previous regulation came in, none of them will be useful. All of them will have to be tokenised because someone went and told the RBI that if only issuers and networks are allowed to store card details then SiHub should also not store card details. Hence all the hard work with which mandates have been created in the last seven months is useless until RBI intervenes and provides some solution there,” Vishal Mehta explained.
“It’s not that you can easily map a token infrastructure to the e-mandate system because the e-mandate system was built on card details. It wasn’t built on tokens because there weren’t any tokens that were in existence. So think about it, that now we have to A) get ready with tokens and then B) build an E-mandate system compliant with tokens,” an industry source said.
The regulation inflicts the most harm on merchants, who sit at the bottom of the sequence and rely entirely on their upstream partners.
“Merchants directly interface with consumers. Any sort of failure, the consumer is going to run after the merchants, they’re not going to card network or bank because merchants are the first point of contact.” – Mohit Kalawatia
Despite being the most harmed, merchants have nothing in their control because they have to wait for others to put the necessary systems in place. In India, most merchants rely on payment aggregators and gateways to carry out transactions rather than build their own systems, Kalawatia said. So these aggregators must be ready and support the merchants. “Everyone has to integrate their APIs (Application Programming Interfaces) with the upstream partner. For instance, the card network provider, they’ll share APIs with issuing banks, issuing banks will then integrate themselves and share APIs with the payment aggregators and gateways, and last are the merchants. And all of them have to do testing on these APIs as well, just to figure out the major challenges and problems they are facing, before releasing the final APIs,” Kalawatia explained. “Merchants today have access only to draft APIs which have revealed high latency (time taken to fulfil one transaction), low throughput (number of transaction requests which can pass through) and limited use case support,” a report by the Merchant Payments Alliance of India (MPAI) stated.
“On potential quantitative impact – to consumers and to the economy – participants at the meeting advised that RBI figures from Q1 2022 indicate the value of customer card transactions online to be worth about INR 2.04 lakh crore, which would mean at least INR 8 – 10 lakh crore over the year. Therefore, in the absence of successful token and non-token-based transactions, the economic impact would be the sum of this amount.” – Merchant Risk Council (MRC) summary of meeting with merchants
“From an RBI perspective, they’ve seen multiple reports of card data leakages and hence they are trying to restrict the number of places where the card details are stored,” Vishal Mehta said. “In their view, the lesser the number of places where the card details are stored, the higher the security, which may not necessarily be accurate as there is no confirmed basis for the same.”
Also, there are no global precedents regarding card storage. “The only global precedent is the PCI DSS standard, which is the Payment Compliance Industry Data Security Standard. Basically, it is a standard defining how the card details should be stored. And the merchants who are PCI DSS compliant, they are certified on a quarterly or annual basis, depending on the country, where they showcase that the card data is stored in a very secure manner,” Mehta explained.
“There are precedents in terms of countries embracing or supporting people to migrate to tokenization, but that is in a non-mandated way. So countries like Australia, card network themselves, in conversation with merchants and all, started processing token-based things,” Mohit Kalawatia said. “No one denies that tokenization is a better solution from a security standpoint because it adds an additional layer given that it’s a token. The idea is that it can’t be easily decrypted or reversible to identify the customer card,” Kalawatia added.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
This article was first published on Medianama. The original article can be found here.