Starting July 1, payment aggregators, gateways, and merchants onboarded by them will not be allowed to store credit and debit card data of customers on their platforms, as directed by the Reserve Bank of India. With a little over a month left, merchants are worried that an alternative system may not be ready in time.
Payment aggregators, payment gateways, and merchants can store card credentials of customers in their databases only until June 30, a deadline that has already been extended twice, most recently by six months on December 23.
In the absence of an alternative mechanism, customers using their credit or debit cards from July 1 will have to enter the details afresh for each transaction, including the 16-digit card number, expiry date, and card verification value (CVV).
Payment companies and card networks like Visa, Mastercard, and RuPay are working to implement the alternative – Card on File Tokenisation (CoFT) – which replaces card details with a ‘token’ that will be unique for every debit or credit card and merchant platform where it is used.
However, the Merchant Payments Alliance of India (MPAI), whose members include digital platforms such as Netflix, Disney+, Hotstar, Spotify, Zoom, Microsoft, and Policybazaar, says the ecosystem is not ready to implement CoFT for all use-cases.
The alliance has reached out to the RBI and highlighted its concern that deleting card data from all platforms in the absence of complete readiness of an alternative may cause disruptions for customers and loss of revenue for merchants.
Apple has already told customers that it will not accept credit and debit card payments in India and has asked them to use net banking, United Payments Interface or their Apple ID balance to pay for subscriptions.
"At this point in time, it will be very hard to usher in a seamless transition to the new regime," said MPAI secretary Vivan Sharan. "While networks are ready with the required infrastructure to create tokens, work is still ongoing to process payments successfully using tokens."
Other processes that are at development or testing stages include the processing of large transaction volumes on tokens and ensuring transactions are processed quickly. There is no clarity on the execution of guest checkouts and how merchants can implement cashbacks and rewards in the absence of card data.
"Currently, e-commerce platforms execute around 900–1,000 transactions per minute," said Mohit Kalwatia, a member of the MPAI Secretariat. "During testing with tokens, merchants have been able to process only two to eight transactions per minute."
The success rate of those two to eight transactions was less than 1 percent, Kalwatia added.
"So, in a real-world scenario, at the current readiness, you will see only 0.05 percent of the 900-1,000 transactions going through," he said.
According to a payments company executive who did not wish to be identified, the card networks are in talks with the RBI for clarification on these fronts.
"For some of the issues, there are solutions, but they all include temporary storage of card data," the executive said. "The card networks are yet to get a response from the RBI on these proposed solutions." What the ecosystem is worried about is that if the card networks come up with an RBI-approved solution very close to the deadline, then it will be very difficult to implement them in time."
Opinions are divided on whether the RBI will consider requests to extend the deadline to purge data again.
"Looking at the readiness, the RBI may extend the deadline again," said former finance secretary Subhash Chandra Garg. "But that is just handling the issue symptomatically. In my opinion, the RBI should rollback these guidelines and simultaneously allow tokenisation to be implemented with more checks and clarity. But eliminating card details will not be in the public interest."
However, the executive said the RBI is unlikely to budge again.
"No discussions of an extension may be entertained by the RBI at this time." The regulator will say that we are still in exactly the same position as six months ago, "the executive said."
This will be the second major disruption in payments, coming after the central bank’s recurring payment norms that led to failed subscriptions and revenue loss for small businesses.
But recurring payments made up only 3 percent of all payments in India. These norms, on the other hand, will have a wider impact, affecting all card payments.
According to Rameesh Kailasam, CEO of IndiaTech.org, which represents tech startups, the larger issue is that customers too are not completely aware of how CoFT will work.
"There is nothing which has been done for customers’ capacity building and handholding. Our request is that the RBI do a status check to see if the market is ready. "Banks and card networks need to be ready for the experience to be frictionless and smooth for the customer," he said.
Once card networks and banks are ready with tokenisation, they will have to share the application programming interface (API) with merchants to enable them to align their own systems.
MPAI’s Sharan said, "When we ask for an extension, we don’t mean to say we don’t want to purge data." We are happy to do that and have lighter servers. For us, it is just a question of implementing this when everything is in place without any setbacks for customers or merchants."