Aim for both convenience and online payment security

The Reserve Bank of India (RBI) recently issued guidelines for payment aggregators (PAs) and payment gateways (PGs) that disallow them from saving your card details. In practice this means that the next time you transact online, you will have to go through the whole process again: selecting your card type, keying in your name as it appears on the card, and entering the full card number, before you reach the stage where you fill in the CVV and the password or OTP to complete the transaction.

Essentially, the ease of making payments seamlessly may soon be a thing of the past, and one may need to brush up one’s memory skills or carry all cards physically in person to be able to effect an anytime, anywhere payment by punching in all the necessary details. This will make the process of paying tougher for the consumer each time s/he hails a cab ride, orders food online, books an airline ticket, reserves a hotel room or places an order on an e-commerce platform.

While the intent of RBI's new guidelines is to strengthen customer safety and transaction security in the wake of increasing cases of hacking and online fraud, the convenience of online payments could become a casualty. Consumers will now be forced to carry their cards around, which increases the risk of offline theft. The pandemic and lockdown saw many senior citizens in urban areas get by only by going online to order their necessities. Ease of payment was a big draw at the time: the card details, once given to a platform, were already available with it for future transactions, leaving only the CVV and the OTP for the second factor to be keyed in each time.

Lately, India has seen a boom in online transactions, which grew an estimated 80% in 2020 over 2019, supporting the government’s efforts to reduce the use of cash.

However, the new RBI guidelines could prove self-defeating when it comes to encouraging online payments. The convenience these offer cannot be overstated. With a few simple clicks, they have enabled us to do many things that would otherwise have required stepping outdoors, from paying utility bills (electricity, telecom services, etc.) and taking out subscriptions to ordering all manner of home deliveries. While the new guidelines will kick in only this July, businesses that rely on online payments, including large numbers in the start-up world, are understandably worried. The switch will not only reduce transactional efficiency and convenience, but also grant an unfair advantage to e-commerce operators based overseas, which may continue to store card data on foreign servers and transact with ease. As it is, many foreign websites charge Indian cards without requiring an OTP.

While the government and Indian regulators do not want Digital India to become a soft target for cybercriminals, and are looking at ways to enhance customer safety, measures like these may not be the ideal solution, as they would put the entire online ecosystem under stress.

The guidelines regulate all activities of PAs and PGs, and also provide recommendations on baseline technologies for them. There are a slew of regulatory requirements, including but not limited to requirements of governance, RBI authorization of non-bank PAs, criteria for merchant on-boarding, capital cushions for existing as well as new PAs, and redressal mechanisms for consumer grievances.

Customers already have safeguards. Two-factor authentication, for example, was put in place precisely to secure each transaction, and card details are saved only with the customer's consent. However, under Section 7.4 of the new guidelines, payment gateways and aggregators will no longer be allowed to store such card details at all.

The guidelines place responsibility on PAs to check the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the systems used by on-boarded merchants. PAs are further required to incorporate provisions for data privacy and security in their agreements with merchants. These agreements will also have to include a PA-DSS compliance clause and impose incident-reporting obligations.
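To make concrete the PCI DSS baseline that the compliance checks above refer to, here is an added worked example; it is not code from the article or from any payment aggregator. It shows what a checkout handler may retain after a card has been authorized: the CVV (sensitive authentication data) is never written anywhere, and the card number is kept only in truncated form (first six and last four digits, the most PCI DSS allows to be displayed), with the full number validated by the Luhn check before it is forwarded. The forwarding to the card network is omitted, and the sample card, names and functions are all constructed for the example. The RBI restriction the article describes goes further than this baseline, as the text above explains.

```python
"""Card-data retention at a checkout endpoint, constructed example.

Demonstrates the PCI DSS rules the article's compliance checks rest on:
  - sensitive authentication data (the CVV) is never stored after authorization;
  - the PAN is never kept in the clear, only truncated to first six / last four.
Not code from the article or from any payment aggregator.
"""

from dataclasses import dataclass
import re


@dataclass(frozen=True)
class CardInput:
    """What the customer keys in at checkout (held in memory only)."""
    pan: str      # card number, may contain spaces or dashes
    name: str     # name as on card
    expiry: str   # "MM/YY"
    cvv: str      # 3 or 4 digits; must never be persisted


@dataclass(frozen=True)
class StoredCard:
    """The only card-related fields the merchant or PA persists.

    Deliberately has no field for the full PAN and none for the CVV, so the
    type itself cannot carry either into a database or a log line.
    """
    masked_pan: str
    name: str
    expiry: str


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes customers type between digit groups."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, the checksum every payment card number carries.

    Accepts 12 to 19 digits, covering 15-digit and 16-digit cards alike.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits; the rest become '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retain_after_authorization(card: CardInput) -> StoredCard:
    """Validate the input, (forward it for authorization, omitted here) and
    return the record that may be persisted.  The full PAN and the CVV exist
    only in the CardInput, which the caller drops once this returns."""
    pan = normalize_pan(card.pan)
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    if not re.fullmatch(r"\d{3,4}", card.cvv):
        raise ValueError("invalid CVV")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", card.expiry):
        raise ValueError("invalid expiry")
    return StoredCard(masked_pan=mask_pan(pan), name=card.name, expiry=card.expiry)


if __name__ == "__main__":
    # Constructed test card (a well-known Luhn-valid test number), not real data.
    entered = CardInput(pan="4111 1111 1111 1111", name="A Customer",
                        expiry="12/26", cvv="123")
    record = retain_after_authorization(entered)
    print(record)   # StoredCard(masked_pan='411111******1111', name='A Customer', expiry='12/26')
```

The design point is that the persisted type has no place to put the secret fields, so a later developer cannot "helpfully" save the CVV to skip re-entry; the check that nothing sensitive leaks is structural rather than a code-review convention.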

With most of us already struggling to memorize multiple passwords and PINs for various platforms, expecting us to have all our card details at our fingertips is asking too much. The inconvenience would be considerable. From a commercial perspective, it would have a major impact on the overall payment ecosystem, which has thrived on the promise of a smooth customer experience. The frequency of repeat purchases is likely to fall, and there will be a knock-on effect on auto-renewing online subscriptions, recurring payments and, most importantly, the issuance of refunds. The overall effect of the guidelines will be to restrict PAs and PGs from offering a full range of services to customers.

While customer safety is of paramount importance, it is crucial that regulations and policies are crafted in a manner that does not lower the ease of operations or jeopardize efficiency. The better way out would be to mandate robust data-security measures and enforce reliable housekeeping mechanisms that keep customers safe.

Priyanka Mathur is senior manager with She writes on policy issues related to Indian internet-based start-ups.
