2 min read.Updated: 24 Dec 2021, 12:00 AM ISTARTI SINGH
New guidelines issued by the Reserve Bank of India (RBI) banning the storage of customer card numbers by online merchants and payment aggregators was scheduled to come into effect on 1 January, but has now been extended by six months. Mint examines the reasons.
What is all the fuss about tokenization?
India’s central bank wants to ensure that consumers are protected from fraud. It therefore came up with the concept of ‘tokenization’—a process of replacing actual card details with a unique alternate code called the token. RBI has made card-on-file (CoF) tokenization mandatory from 1 July 2022. CoF refers to card information saved by payment gateways and merchants to complete future purchases. Going ahead, only card networks and card-issuing banks will have access to and can store any card data. The first circular came out in January 2019 but went through tweaks and deadline extensions.
How are transactions processed today?
There are four-five players involved in processing one card transaction today—the merchant, the payment aggregator, the issuing bank, and the card network. Currently, when a transaction happens on a merchant platform, the data is sent to the payment aggregator (PA). The PA next sends the details to either the issuing bank or the card network. Then issuing bank sends an OTP and the transaction flows back. The number on which the transaction is built is the CoF. Now, since the CoF will be replaced with a token, an end-to-end rewiring of the processing leg is required.
Is the industry ready to implement this?
Not fully, which is why the RBI had to extend the deadline. The industry currently can convert CoF into a tokenized number. However, the readiness to process the token is negligible. About 90% of banks are ready with provisioning of token on Visa. Only 25-30% banks are ready on Mastercard. Amex and Diner’s Club aren’t ready with a solution for India yet.
What business models can get impacted?
If the industry isn’t ready, several business models would be impacted. E-mandates (recurring payments) will stand ineffective from 1 July. Card EMIs account for 25% of online e-commerce sales. That option will no longer be available. Cashbacks/discount offers by banks will be impacted, too. A user may not be able to use Mastercard saved cards on a merchant platform to make a transaction, and will have to enter the card details every time a transaction is made. This could be the same for some Visa cards.
Integration of systems and the ability to process is one part. The industry also needs to test the performance and success rate of the tokenization solution. Stakeholders had therefore made several representations to the RBI, seeking an extension of the deadline. Even banks wanted the deadline to be extended—they understood that the new system is a much bigger disruption to the way digital payments will henceforth be processed. RBI, on its part, realized how horribly underprepared the industry was.
Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.
Never miss a story! Stay connected and informed with Mint.
our App Now!!