GS-2: Statutory, regulatory and various quasi-judicial bodies.
GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.
GS-3: Indian Economy & its challenges
Tokenisation and RBI guidelines
Context: The Reserve Bank of India has extended the implementation date of card-on-file (CoF) tokenisation norms by six months to June 30, 2022.
While most of the leading banks including SBI, HDFC Bank and ICICI Bank are ready for the switchover, other stakeholders — mostly merchants — argue that the systems at their backend are not yet ready to adopt the new regime and had sought further time in putting new norms into effect.
While extending the guideline, the RBI said that in addition to tokenisation the “industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks.
What is tokenisation and why has RBI issued new guidelines?
In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.
Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the “token”, which will be unique for a combination of card, token requestor and device.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
Customers who do not have the tokenisation facility will have to key in their name, 16-digit card number, expiry date and CVV each time they order something online. This could be cumbersome exercise and may impact transaction value, especially when done through stored cards.
In case of multiple cards, each will have to be tokenised.
What is the size of the industry and the impact of new guidelines?
India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore.
The value of the Indian digital payments industry in 2020-21, as per RBI’s annual report, was Rs 14,14,85,173 crore.
Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic. While RBI’s intent is to protect consumer interest, the challenge on ground pertains to implementation.
Online merchants can lose up to 20-40% of their revenues post 31 December due to tokenisation norms, and for many of them, especially smaller ones, this would sound the death knell, causing them to shut shop.
What’s the consumer impact?
An estimated 5 million customers, who have stored their card details for online transactions on various platforms, could be impacted if the online players and merchants are not able to implement the changes at their backend.
E-commerce platforms, online service providers and small merchants could be especially hit.
Equated monthly instalments and subscription-based transactions that are paid through stored cards will also have to adhere to new rules.
Now, with the latest extension, the RBI expects the systems to be ready for seamless launch in six months.
While 90 per cent of banks are ready for tokens on the Visa platform, Mastercard is yet to catch up. The RBI had banned Mastercard from issuing any new cards on July 14 this year for not complying with data localisation requirements.
Even as CoF conversion to a tokenised number is being done, the system is not geared up for processing the tokens as merchants are not ready at their end.
Why did the stakeholders want an extension?
Digital payment firms and merchant bodies had sought urgent intervention of the RBI to extend the deadline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF).
They wrote to the central bank that if implemented in the present state of readiness, the new mandate could cause major disruptions and loss of revenue, especially for merchants.
Industry sources argue that all stakeholders – banks, card schemes, aggregators, gateways, processors, merchants, consumers and the regulator – in effect have to come together for successful implementation of the norms, which requires time and preparation.
Specifically, the RBI policy change affects three major players: banks, intermediary payment systems and merchants. Stakeholders sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways.
What is the preparedness of the banks?
While most of the leading banks including SBI, HDFC Bank and ICICI Bank are ready for the switchover, other stakeholders — mostly merchants — argue that the systems at their backend are not yet ready to adopt the new regime and had sought further time in putting new norms into effect.
While extending the guideline, the RBI said that in addition to tokenisation the “industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward/ loyalty programme, etc.) that currently involves/requires storage of CoF data by entities other than card issuers and card networks.”
