RBI’s Card Tokenization Mandate – A Bridge Too Far?
Over the past decade India’s vibrant payment ecosystem has grown by leaps and bounds. The surge of online platforms (e-commerce, OTT, etc.) coupled with ‘hassle-free’ payment channels (i.e., digital wallets, UPI, credit cards, etc.) has pushed the Indian user to transition to online payments in everyday life.
For the first half of the last decade, the Reserve Bank of India (“RBI”) was largely a silent spectator, monitoring the growth yet not strictly tethering innovations and practices adopted in this space. As the volume of digital transactions kept increasing, however, so did the level of fraud and illegal behaviour. Consequently, the RBI has in recent years sought to implement changes to curb payment fraud, including introducing payment data localisation, prescribing norms for undertaking recurring payments on online platforms, guidelines to regulate payment aggregators and payment gateways, etc. These changes denote the RBI’s intent on regulating digital payments and securing end-user interests.
Most recently, the RBI introduced requirements for deletion of credit card data by entities in the transaction chain, and transitioning to tokenisation of card details with effect from January 1, 2022. This has caused some stir in the payment processing ecosystem, to say the least! An outcry from the payments industry has now led to this deadline being extended by six (6) months to June 2022; but will that prove enough for the industry to comply?
We examine this development and its likely impact.
The story so far…
This chain of events started on January 08, 2019, when the RBI permitted card tokenisation by card networks (e.g., Visa, Mastercard, etc.) for any token requestor (“2019 Circular”). Tokenisation involves replacing actual card details with a ‘token’ (i.e., a number which is the combination of elements involved in tokenisation (such as device ID, token requestor ID and merchant). This facility was to be made available for mobile phone and tablets of interested card holders. Subsequently, in August 2021, the facility was also extended to laptops, computers, and wearable devices (such as smart watches, bands, etc.).
The RBI’s intention here was to protect credit card data; this can be traced to the Guidelines on Regulation of Payment Aggregators (“PAs”) and Payment Gateways (“PGs”) dated March 17, 2020 (“PA PG Guidelines”). An increasing number of transaction frauds and data breaches were linked to data stored with merchants and PAs. These guidelines required PAs and merchants to cease storage of card data of end-users. This move also lessened the convenience of card transactions, as each user would have to add their card credentials prior to each transaction. The RBI remained firm and issued a clarification on September 17, 2020, where it reiterated that merchants and PAs cannot store card data, irrespective of compliance with the Payment Card Industry Data Security Standard (PCI-DSS). On March 31, 2021, the RBI extended a timeline of 6 months (i.e., till December 31, 2021) for non-bank PAs to achieve compliance with the card storage restrictions and implement workable solutions such as tokenisation.
Subsequently, on September 07, 2021, the RBI issued a circular permitting ‘Card on File – Tokenisation Services’ (“2021 Circular”). Under the 2021 Circular -
No entity in the card transaction/payment chain (apart from card network and issuers) can store actual card data henceforth. Any card data currently stored is to be deleted by January 01, 2022 (now updated to June 30, 2022 – see below).
Only the last 4 digits of the card number and card issuer’s name may be saved for the limited purpose of transaction tracking / or reconciliation purposes.
Industry copes with looming deadline
Tokenisation is a global best practice aimed at preventing visibility of card details to any entity apart from the card holder and card network/issuer, and the 2019 Circular was welcomed by some industry stakeholders as a measure in the interest of security. However, its sequel, the 2021 Circular, has not been received as graciously! Although the 2021 Circular allows card issuers to undertake tokenisation (in addition to the card networks), industry stakeholders have been troubled by its (comparatively) vague pronouncements.
The anxiety felt by some merchants and stakeholders was, in part, due to the short September to December 2021 deadline, and lack of clarity on some operational issues. The foremost concern was industry unreadiness for implementing tokenisation related infrastructures. A single entity’s readiness matters little when most (all) stakeholders in the transaction chain (issuers, acquirer banks, etc.) need to introduce technological infrastructure for meeting the requirements of proposed tokenisation.
For instance, merchants have to develop options to allow end-users to de-register the tokens, card issuers have to develop facilities that enable end-users to view the list of merchants that they have registered a token with, and in parallel token service providers have to install mechanisms to ensure origination of a transaction request is from a merchant and a token requestor with whom such token is associated. In many instances, this may require a ground-up redesign of current technology and product offering in the payment industry.
To address these concerns, industry bodies (such as NASSCOM, Indian Banks Association) and various players made representations to the RBI, requesting for the compliance deadline to be extended or to allow for a phased timelines to achieve compliance. Clarity has also been sought on the applicability of the 2021 Circular to international payments, its impact on system participants not directly involved in processing transactions (e.g., payment technology providers), and storage of the first 6 digits of the card number (as they correspond to the card issuer name).
In response to these representations, on Thursday, December 23, 2021, the RBI announced that the deadline for purging Card on File data has been extended by six months, until June 30, 2022 ("Extension Notification”).
The RBI has also advised industry stakeholders to devise alternate mechanisms to handle recurring e-mandates, EMIs, etc., and post transaction activity (e.g., dispute resolution, chargebacks, etc.) that involves/ requires storage of card-on-file data by entities other than card issuers and networks.
What happens next?
While the Extension Notification provides stakeholders some respite, no other changes or clarifications have been made/ provided regarding the applicability of the 2021 Circular or its data storage requirements. The same obligations apply, albeit with six (6) more months to figure them out.
Lacking clarifications from the RBI, payment system players will have to continue making best efforts to comply. Some merchants appear to be experimenting with alternatives, such as pooling payments in advance, so as to not inconvenience their customers by having them re-enter card details for each transaction. But either way, there remains the possibility of users being turned off by the new measures.
The issues faced by the industry due to payment data localization and the e-mandate system for recurring transactions is fresh in memory; it remains to be seen whether stakeholders can now ride out the impending wave of tokenisation, even if they now have some more time to do so.
https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0 – Condition No.3 and 6 , Annex
https://indianexpress.com/article/business/economy/rbi-tokenisation-deadline-merchants-7686073/ ; https://economictimes.indiatimes.com/tech/technology/tech-companies-want-two-more-years-for-tokenisation/articleshow/88399160.cms