As the deadline for complying with Reserve Bank of India’s (RBI) directive mandating card-on-file tokenisation (CoFT) for merchants inches closer, industry experts share a mixed reaction to the readiness of the ecosystem.
In March 2020, the RBI had put forth new rules for tokenisation of card data to make online transactions using debit and credit cards more secure. The directive prohibits all merchants (e-commerce platforms) and Payment Aggregators (PAs)/Payment Gateways (PGs) from saving customers’ card details (number, expiry date or CVV) on their servers. It instead calls for them to be replaced with an alternate unique number called a ‘token’ (a process known as tokenisation).
This calls for the five stakeholders, including card companies (like Visa, Mastercard, RuPay), banks, PAs, PGs and merchants, to set up the necessary infrastructure and revamp their systems, the deadline for which is September 30, 2022.
The initial deadline to comply with the same was December 31, 2021, which was later extended to June 31, 2022 and then further to September, due to the unpreparedness of India’s payments system.
While most of the infrastructure seems to be in place now, there are still some hiccups and confusion that, as experts note, could possibly lead to system slowdowns, failures and, in some cases, a fall in revenues for merchants.
Hiccups surface
While almost all big merchants/platforms seem to have their house in order, the same can’t be said for small merchants. Larger merchants are able to maintain their own payment infrastructure, but smaller merchants, who are limited by a lack of resources and rely on PAs and PGs for the same, are yet to begin testing.
“Some merchants are yet to be given access even to beta versions of token flows developed by PA/PGs, and therefore, they have not been able to begin any meaningful testing of token solutions for their customers. For such merchants, migration of existing customers to new systems is yet to take place as well,” experts from Nasscom and Merchant Payments Alliance of India (MPAI) say.
While pilots for most of the merchants might be ready, the beta version testing takes some time, roughly 3 months, so implementing these features would require a little more time. Rolling them out further would require more time.
“In terms of one-time processing of payments through pre-provisioned tokens, the success range is between 60-65%. Per our understanding, transactions typically fail due to optimisation issues at the PA/PG’s end,” they add.
The industry bodies have submitted a joint paper to the RBI, highlighting some of the key challenges, and requested appropriate action. According to a payment industry expert, roughly 70% of the system of the big merchants is ready but smaller ones are still at 40%.
In the run-up to the deadline, it is possible that the issue of regular payments system failing may come together, he adds.
Problem of ‘synchronization’ among stakeholders
While experts are optimistic about stakeholders having basic tokenisation in place in their respective systems, the outcome may not be as “seamless” as expected by September, despite multiple extensions on the deadline.
“There is a problem of synchronisation among the said five stakeholders as there are several use cases attached to the flow of money, say for instance cashbacks, refunds, etc. It’s an interconnected system. So a merchant might be ready to handle 4 use cases while the PA/PG may be prepared just for 2, a bank for another 3 and so on. The ecosystem has to be prepared for all the use cases and that harmonisation is yet to come in,” says Shaksham Malik, Programme Manager at Delhi-based think tank, The Dialogue.
Limited clarity on recurring payments, still
If there is one chief concern with tokenisation, it is with regard to recurring payments, also known as autopay. Experts from Nasscom and MPAI note that merchants who have been able to test still have limited visibility on the efficacy of recurring payments as compared to other regular payment flows.
“At the merchant’s end, access to bank identification numbers (BINs) from card networks is necessary to map mandate IDs and process recurring payments. Progress on this front is also limited,” they add.
Rohit Kumar, Founding Partner, The Quantum Hub (TQH), a public policy consulting firm, explains that currently stakeholders seem to be more focused on building the base use-case of payments. Once this is solved, they will work on more complicated problems such as recurring payments.
“This will definitely cause inconvenience to customers. There could be a drop in revenues for merchants, as people would have to enter their card details again and again (recurring payments). When a customer faces friction, it usually causes a drop-off and that affects revenue for merchants,” he says.
The problem is not limited to just domestic merchants. Some international merchants will also have to revamp their systems in order to adhere to the new guidelines. The smaller of these merchants may not prioritise compliance if it takes too much time or effort, unless large revenues are at stake. Consumers who use their services are likely to be affected.
“This is again probably not seen as requiring urgent attention, and may be solved for at a later time,” adds Rohit.
Should there be an extension?
It is likely that an extension could help, but it must be aided by a detailed assessment by the RBI and followed with remedies, experts hold.
Reiterating that the system is somewhat ready as compared to what it was a few months back, experts say there are certain issues that the RBI must gauge to avoid any kind of disruption and ensure a smooth flow of processes.
“A phased implementation may help. We need to address why pilots are taking time, why beta testing has not been done. Now infrastructure is ready but problems are at a more nuanced level. Just a plain extension would be of no use,” says Shaksham.
Rohit suggests that RBI could release some numbers/data around tokenisation to reflect how the system is progressing, in order to instill some confidence about the readiness of the whole system.
“There is no clarity as to where everyone (stakeholders) stands in terms of preparedness. RBI is the only one which has the information and data. Unless they release information, it would continue to be a guessing game till then,” he adds.
Nasscom and MPAI have recommended to the RBI that it mandate card networks and PA/PGs to share a status report to demonstrate their readiness to fulfil tokenised transactions across all use cases; and take appropriate actions around issues related to recurring payments before requiring the ecosystem to action the no-card storage rule.
Vishwas Patel, Chairman, Payment Council of India (PCI) and Executive Director, Infibeam Avenues Ltd, says that most merchants and PAs are ready with card tokenisation but the stakeholders are “still awaiting clarity on a few points from RBI, and hopefully, they will be addressed soon before the deadline”.
While Infibeam Avenues has enabled almost 60 lakh merchants with card-on-file tokenisation, Mastercard has touched over 2 lakh merchants. Pure-play credit card company SBI Cards and Payment Services claimed that it is ready with all networks (Visa, Mastercard and RuPay) to move towards card tokenisation, a spokesperson told PTI.