Central bank’s no-card-storage rule can severely disrupt digital payments in 2022

Authors: Rohit Kumar & Deepro Guha
Published: December 23, 2021 in the Times of India

In March 2020, the Reserve Bank of India (RBI) issued guidelines that prohibit merchants (including all e-commerce websites, streaming platforms) and payment aggregators (such as Razorpay and Instamojo) from storing customer card information. The aim of this measure is to increase security of stored card details while reducing the risk of data breaches. Globally, and even in India, there have been several instances of financial data leaks over the last few years. With digital transitions increasing manifold, the likely consequences of a data leak – both financial as well as in terms of trust – can be very real and damaging. Taking cognizance of this issue, the RBI has been progressively tightening regulations to ensure financial data security while also limiting the number of actors who can store sensitive data.

The no-card-storage norms are scheduled to come into effect on 1st January 2022. But even though the first notification was issued early last year, it was only in September 2021 that a reasonably effective alternative to the current system – Card-on-file Tokenization (CoFT) – was permitted, giving the players in the digital payments ecosystem just a little over three months to adapt.

Card-on-File-Tokenization is the process of de-identifying sensitive cardholder data by replacing the actual card details with an alternative code called the “token”, which is unique for every combination of card and merchant. While seemingly ‘simple’, this tweak requires an ecosystem-wide change in tech systems and workflows, with sequential compliance from the many entities in the digital payments transaction chain.

Therefore, even as RBI’s move is well-intentioned, a hurried transition can end up disrupting payment systems in India, adversely affecting both customers as well as merchants. The impact of this measure is likely to be most acutely felt by Indian start-ups and small businesses which may not be well equipped to transition to the new system in a short period of time.

Latest information suggests that at this time not all banks and card networks are implementation ready, and it is only post their operational readiness, that merchants will receive the relevant APIs to build, test and integrate a consumer-ready tokenization solution. It also seems that card networks are still evolving their processes around use cases like EMIs and recurring payments for transactions based on tokens. As a result, the operational readiness of the ecosystem remains uncertain.

If merchants and payment aggregators purge card data and transition to the new system before the ecosystem is ready, consumers would be forced to manually input card details for every transaction. This would make digital payments tedious and could lead to a scenario where the less technologically savvy customers go back to using cash, thus reversing the hard-earned digital adoption gains that India has made over the last few years. Additionally, the need to repeatedly input card details for every transaction could potentially make consumers more vulnerable to phishing attacks, thus increasing consumer risk rather than reducing it as was intended by the regulations.

A hurried implementation could also disproportionately hurt India’s small businesses and start-ups which leverage the digital payments ecosystem to retain and grow their customer base. What is making businesses especially worried and skeptical is their experience with RBI’s e-mandate regulations which kicked into effect on 1st October 2021. At the time, many consumers and merchants complained of widespread payment failures in the ecosystem, with smaller merchants reportedly losing up to 70% of their monthly revenues in the period immediately following the implementation.

Moreover, purging of all existing card data without an effective system in place to replace it could also render the merchants unable to support customers with subscriptions, refunds, cancellations, and other customer service requirements while reducing their ability to mitigate frauds during the transition period.

Taking cognizance of the above concerns, RBI should undertake a thorough assessment of the ecosystem’s readiness before enforcing the guidelines. Ideally, the implementation of the guidelines should be undertaken in a phased manner with current deadlines being reconsidered (with card networks and banks being mandated to set up their infrastructure first, followed by merchants). If possible, during the transition period, both the current system of card storage and the new tokenization alternative should be allowed to co-exist to make the switch seamless. This has been done previously in Europe with the implementation of the revised Payment Services Directive (PSD2). In the case of the PSD2 norms, the European Commission also set up several working groups (including one on APIs) with participation from all major payments ecosystem stakeholders, to ensure coordination on key aspects of the transition. It even worked closely with the industry to adopt standards that would be acceptable to a majority of the stakeholders, while acknowledging the complexity of the payments markets and retaining flexibility to avoid unintended negative consequences.

Similar measures by the RBI to ensure coordination between banks, card networks, payments aggregators, payments gateways and merchants in the Indian context would ameliorate the many risks posed by a hurried implementation of the guidelines. Otherwise, without adequate safeguards, a rush to enforce the guidelines may bring India’s payments ecosystem to a standstill in the new year.