The tokenisation regime will affect all businesses that accept cards

The tokenisation regime will affect all businesses that accept cards



Authors: Rohit Kumar and Aishwarya Viswanathan
Published: June 08, 2022 in the Economic Times. RBI has since postponed the deadline to 1st October, 2022.

The payments ecosystem in India is in for a stir. Reserve Bank of India’s no-card-storage directive initiated in March 2020 is set to kick-in from July 1st, 2022. Starting July, both authorised payment aggregators and merchants will not be allowed to store customer card credentials. Instead, transactions will have to be processed through a card ‘token’ – an alphanumeric code unique to every combination of card and merchant.

Industry insiders largely believe that this move to tokenise is well-intentioned. With access to sensitive card information restricted to fewer players in the ecosystem, the likelihood of a data breach is reduced. However, with less than four weeks left for implementation, many maintain that the transition is unlikely to be seamless and will adversely affect both customer experience as well as payment completion rates.

Note: TQH undertook a range of work on ecosystem readiness for tokenisation, including representations to the RBI, panel discussions, technical explainers and opinion pieces. Please scroll down for the links to these pieces.

The payments ecosystem requires sequential interaction between players (merchants, payment aggregators and gateways, card networks, banks) for smooth end-to-end transaction processing. For the tokenisation regime to take shape, it will require the ecosystem as a whole to demonstrate a certain degree of ‘readiness’. As per industry body NASSCOM, this would mean banks managing at least 80% of the cards in circulation to have tokenisation solutions, with stable APIs made available for merchants to integrate with their backend systems. Other bodies such as the Merchant Risk Council add that ‘readiness’ should also mean the ability to simultaneously create and process tokens, while being able to do so at high volumes and across use-cases, especially on days that see heavy traffic such as during e-commerce sales.

Voluntary disclosure on readiness, but hard to verify

So far, a few major card networks, some banks and payment aggregators have stated that they are ready with tokenisation solutions. Some have also indicated that compared to 6 months ago, their systems are much better equipped to handle token provisioning and processing. But while such disclosure by key players is welcome, available information still remains fragmented and superficial; it is also hard to verify. This coupled with the lack of any official information being made available by the RBI is creating a trust-deficit in the ecosystem at large, and more ominously between co-dependent players.

For instance, it is still not clear if the ecosystem is ready to use tokenised transactions for use-cases such as promotional offers and cashbacks. Merchants are also unsure if they’ll be able to process refunds for customers who choose to make online purchases as guests on a website i.e., without saving card details. Since acquiring banks will not be allowed to store customer card data starting July 1st, they may have no means to track transactions to fulfil refund requests in case of guest checkouts.

The anxiety being caused by this information asymmetry is being further aggravated by the ecosystem’s recent experience with RBI’s e-mandate on recurring payments. A media report published in May this year, after 7 months of the e-mandate regulations coming into force, highlighted that success rates for recurring transactions vary between 30-75% and the experience has been extremely damaging for smaller businesses. An important use case that has still not been solved for is international payments; many foreign developers who sell software subscriptions over the internet have found RBI’s compliance requirements cumbersome and have altogether suspended payments from Indian cards.

Unintended consequences

In this regard, it may be worth noting that the tokenisation regime will affect all businesses that accept cards, unlike the e-mandate which was only applicable to those offering subscriptions. Given that we are still seeing disruptions 7-8 months after the e-mandate kicked in, the disruption post-tokenisation may be significantly more widespread than what was previously experienced.

As the deadline approaches, players in the payments ecosystem are finding other ways to cope with the uncertainty. Some are taking pre-emptive steps to avoid disruption and circumvent compliance requirements. For instance – in a first, Apple said that they will stop accepting debit and credit card payments for both app purchases and subscriptions in India, as well as for payments on ad campaigns – a matter of concern for many small businesses who leverage credit to smoothen cash flows and ensure continuity of operations.

At a time when post-pandemic economic activity is slowly picking up pace, the RBI must recognise that forcing compliance in this manner is likely to disincentivise credit usage – a move that could have broader adversarial effects on the economy as a whole.

RBI should demonstrate readiness

The idea of pushing hard for compliance and hoping that the ecosystem will fall in line may not be the best approach to adopt at this time. The RBI needs to demonstrate that the ecosystem is confident of transacting at scale, and across use-cases. As a first step, the central bank must clarify what it considers to be ‘readiness’, and then proactively seek information from ecosystem players to demonstrate the same. Additionally, it must also consider introducing some flexibility in the transition period – perhaps by allowing acquiring banks to store card data till the system stabilizes. This will go a long way in reducing anxiety and ensuring a smooth transition. Moreover, it will guard against other inadvertent consequences for the economy that might stem from impulsive actions by ecosystem players – all of whom are in a haste to comply, no matter the cost.

Related pieces of work

Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate [Medianama, 15 Jun, 2022]

Technical Explainer on Ecosystem Readiness [The Print, 16 Jun, 2022]

Will India Pay for RBI’s hurry [Times of India, 23 Dec, 2021]

Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses [YourStory, 09 Dec, 2021]