Date: 2021-12-23

Bengaluru: Merchants are grappling with major technology integration challenges as they scramble to comply with the Reserve Bank of India’s (RBI’s) mandate to purge saved credit and debit card data from their systems by 31 December.

In March 2020, RBI said merchants will not be allowed to save card information. This September, though, it issued fresh guidelines, giving companies time until the end of the year to comply with the regulations, but offering them the option to tokenize the cards, enabling an additional layer of security for payments.

Tokenization refers to replacing card details such as the card number, expiry date and CVV with a unique code called a “token”. From 1 January, users will also need to give merchants their consent with an additional factor of authentication (AFA) for their first transaction, following which they can complete the payment by keying in the card’s CVV and OTP.

This, however, is easier said than done since AFA requires banks to obtain additional authentication from customers during registration and first payment, with relaxation for subsequent payments up to certain limits.

A tech implementation such as this, which requires a change in the system, can be considered successful only if it is capable of handling large volumes of transactions, experts and bankers said. That scale will not be achieved unless all parties involved are ready to switch.

To begin with, the application program interfaces (APIs) need to be ready. APIs allow software and services to interact with each other and are often used to verify information and pull data from databases.

“The APIs have to be ready at the card issuer (banks), card networks (Visa, Mastercard, RuPay), and correspond with the merchant’s network. This is easier said than done (in a short time),” said Sijo Kuruvilla George, executive director, Alliance of Digital India Foundation, an industry body representing startups in India. “It needs time for full-blown integration and implementation,” he added.

Second, the card-on-file (CoF) data, which needs to be deleted, is not stored in a single database, “and there are steps, like security and redundancy built in to make it error-free”, according to Kuruvilla. He added that integration will only be possible after the bank APIs are made available. “The robustness of API documentation is the basis on which the integration works,” he explained.

Third, banks are at different levels of maturity, given that the system overhaul started sometime in September. “[The] technology is foolproof, but the challenge is that all of a sudden, everybody wants to do everything at the same time,” said Prasanna Lohar, vice president, technology (digital, innovation & architecture) at DCB Bank, explaining that all the banks are asking for tokenization solutions from vendors at the same time, while solution providers have limited bandwidth. “Also, the certification process with card networks would take its own time,” he added.

Fourth, solution providers are engaging with different banks to offer solutions as per their preparedness, experts pointed out. That said, while solution providers have started announcing tokenization solutions in the last two months, they will take time to reach a level of stability. Some are still in the process of introducing solutions: payments solutions provider Cashfree Payments, for instance, has announced a tokenization solution called Token Vault that will go live on 27 December.

“The technology has been there for some time, (and) different banks are at different stages, (but we) can’t really say that every bank is ready. But there is a reasonably good mix at this time. The larger organizations have obviously made more progress as they have been planning for this, and working with networks to establish readiness,” said Harish Prasad, head of banking at fintech firm FIS. “The main areas where banks need to establish readiness is around AFA for customer consent, and tokenization request approvals mandated for issuers,” he added.
