Blog

After the extension of the deadline for card tokenisation by the Reserve Bank of India (RBI) thrice over the last one-and-a-half years, the new rules for the storage of card details will come into effect from October 1. The central bank, in June, gave the payments ecosystem time till September 30 for purging all card-on-file (CoF) data.

Industry stakeholders had requested the central bank to extend the deadlines owing to a lack of infrastructure adoption and the possibility of disruption and inconvenience to cardholders. As such, the extension of three months gave a breather to the industry. 

The card networks (like RuPay, Visa and MasterCard), issuers (banks) and acquirers (merchants) were in different stages of readiness for the new norms in June and needed more time to integrate with one another. However, as the implementation deadline nears, the question is if the payments ecosystem is finally ready for the transition.

Commenting on the readiness now, Fintech Zaggle’s MD and CEO Avinash Godkhindi told Inc42 that a large number of entities have already adopted tokenisation. “Tokenisation will encourage the end consumers to store the payment information without being worried about information misuse. So honestly, most of the major merchants are ready.” 

He added that networks will help smaller merchants adopt tokenisation and that coverage visibility data in terms of users adopting tokenisation is something that only the network will have. 

What Is Card On File Tokenisation Framework?

In January 2019, the central bank released the guidelines for implementing tokenisation for card transactions. The initial deadline for the ecosystem to comply with the guidelines was June 30, 2021.

The process of tokenisation starts from the card networks’ end, where cardholders can request a free 16-digit alphanumeric code called a token to replace their original card number. Customers will need to use this token when making payments at any merchants’ websites.

The process is somewhat similar to how UPI operates via a UPI ID. Like with UPIs, merchants will be allowed to store only this token (in the case of UPI, the UPI ID) data, and will need to purge all existing card data stored on their platforms. If users fail to tokenise their cards, they will have to manually enter every detail (card number, expiry date, account holder name and CVV) on the merchant’s website, which again will be deleted after a single use.

Merchants of several platforms such as Google Play, NPCI and Razorpay have already adopted tokenisation, while PhonePe and PayU have launched tokenisation solutions for online debit and credit card transactions.

The main idea behind tokenisation is to reduce the number of places where a user’s card data is stored. Under the new rules, only the card network, the card issuing bank and the end user will know the actual card details. Merchants (ecommerce sites), payment gateways/payment aggregators (PA/PG; who process online payments) and acquiring banks (the merchant’s bank) will have to use tokenised data. Herein lies the problem, as the latter entities will have to build new infrastructure or modify the existing one to adhere to the new guidelines.

Recurring Mandates Remain A Concern 

Recently, PhonePe announced that 80% of its monthly active users have tokenised their cards. On a positive note, it claimed that the success rate of tokenised transactions showed an improvement of about 2% in comparison with card-based transactions over the past few weeks.

Rohit Kumar, founding partner of TQH Consulting, told Inc42 that overall, the payments ecosystem seems to be more ready than before for card tokenisation. 

“While we are still seeing some payment failures in test runs, the main concern that remains is recurring payments. Many merchants worry that we’ll see a repeat of the October 2021 e-mandate – recurring payments will fail and customers will have to re-enter their card details every month. Not only will this lead to inconvenience for customers, it will also hit revenue for merchants,” he said.

He added that the ecosystem lacks authoritative information about how ready the players are, and the RBI should release a status report, if possible.

It must be noted that several subscription-based companies saw a fall in their revenues when the RBI’s new guidelines on recurring payments came into effect last year. In June this year, the central bank hiked the e-mandate limit to INR 15,000 for recurring payments.

Most recently, NASSCOM and the Merchant Payments Alliance of India (MPAI) made a joint submission to the RBI discussing challenges faced by the ecosystem on card tokenisation. 

While several member organisations of the MPAI are now accepting the tokenisation methodology, the industry body’s research revealed that the success rate of mapping card details onto tokens was in the range of 90%-95%.

“We emphasised that (…end consumers) should be able to successfully conduct payment transactions using tokenised card details for the ecosystem to be ‘ready’. However, merchants which rely on payment aggregators/gateways (PA/PGs) are yet to make any meaningful progress on the same,” the MPAI-NASSCOM joint report stated.

Besides, the problem seems to be a tripartite one for recurring payments wherein new mandates will have to be created with mandate IDs and tokens instead of mandate ID and card details, existing e-mandates based on card details will have to be token-based, and auto-debits will have to be enabled for bank accounts based on a combination of mandate ID and token, for which infrastructure is still not full-proof.

Thus, on one hand, merchants are in favour of tokenisation, while on the other hand, there are concerns about infrastructure readiness and the adverse impact tokenisation can have on recurring mandates.