RBI's Card Storage Rules: Are Merchants Better Prepared As Another Deadline Approaches?
With the latest deadline just about a month away, merchants and payments representatives say the system is still far from ready.
For the third time in two years, the Reserve Bank of India will try to get merchant, card companies and banks to implement a new set of rules which restrict the storage of customer card data.
The rules, proposed in 2020, were to be implemented by June 2021 but were delayed first to December 2021 and then to June 30, 2022.
With the latest deadline just about a month away, merchants and payment industry representatives say the system is still far from ready. While some large firms like Apple may have implemented the new system, smaller merchants and their customers will struggle, said representatives of the payment industry that BQ Prime spoke with.
“Unfortunately, with a few weeks left until the data-purging deadline elapses, we observe that requisite backend infrastructure still isn’t ready, said the Merchant Payments Alliance of India, in a note posted on its website.
"While some progress on token generation/issuance has been made, token processing solutions are still at the development/early testing stage,” it said.
According to the MPAI, should the rules get implemented at this stage, merchants of all sizes will face business continuity issues.
As per the new rules, entities other than card issuers and card networks, which store a customer's actual card data, must purge any data stored with them. Instead, the regulator has introduced a system of tokenisation, where tokens can be generated for individual cards and uses. These tokens can then be stored by merchants.
While some steps have been taken to popularise the use of tokens, it is scarcely enough, Vivan Sharan, secretary of MPAI told BQ Prime.
The reality is that the backend infrastructure is not ready to create tokens and process payments on them simultaneously, nor process large transaction volumes on tokens created in real time.Vivan Sharan, Secretary, MPAI
In a May 24 blog posted on its website, the Alliance of Digital India Foundation said that some progress has been made since December when the RBI extended the deadline.
For instance:
Payment aggregators are now offering complete solutions to merchants that would handle the new payments process end-to-end. These would help smaller merchants, who otherwise may not have the capacity to figure out tokenisation solutions by themselves, become a part of the new regime.
Major card networks have also claimed readiness, and have released the APIs to be adopted by banks to integrate these tokenisation solutions into their system.
Still, there is uncertainty over a number of specific points.
“There is uncertainty about how tokenisation solutions would work in certain specific use cases like guest checkouts, EMIs, refunds, etc.," said the ADIF note.
There are also questions about the transaction per second load that can be handled by card networks in the case of tokenisation transactions, the note said.
There is a need for phased implementation of the new mandate to ensure minimal disruption.ADIF Blog Post
In contrast to the stance taken by the payments industry, banks claim they are prepared.
Merchants have to raise the token and banks just have to approve it, said one private sector bank executive, who spoke on the condition of anonymity. We knew we would have to do it someday, so we worked towards it from day one, this banker said.
A second private bank executive said that larger merchants appear to be prepared but smaller ones may face challenges. But, banks are ready. This is a merchant-driven process and banks are just a part of the chain, this banker said.
An email sent to the RBI on Wednesday was not answered.
How Disruptive Will It Be?
The RBI's objective behind the rules has been to secure digital transactions. However, in doing so, is the regulator making digital transactions far tougher?
The payment industry thinks so.
According to the MPAI's blog post, customers would first have to wait to obtain a token and then initiate a separate request to process the transaction using the token.
Merchants within MPAI that have started testing are observing low, single-digit approval rates for real-time token processing.MPAI Blog Post
A representative at an online payment gateway, while speaking on the condition of anonymity, said that the process remains challenging for smaller merchants and customers.
This person pointed to grievance redressal, in particular.
For instance, if a customer has an issue with a transaction, the merchant won't be able to help since they will no longer hold the card details.
A large number of failed transactions could also cause reputational risk and business loss to the merchants, even if the failures are not because of their systems, this person added.
The regulator could ask the industry to take two years to start doing tokenisation and once the system has stabilised, they can move away from card storage, the person quoted above said.
“The preparedness of the technical service provider is a challenge, given the resistance they face from the e-commerce ecosystem, who see the regulation as a significant cost of doing business,” said Vivek Iyer, partner and National Leader Financial Services Risk Advisory at Grant Thornton Bharat. “This is the reason the deadlines have been extended by the regulator."
What could be useful is for the regulator to address the concerns of the e-commerce ecosystem via the TSPs and rationalise the reason for tokenisations, if not already done.Vivek Iyer, Partner, Grant Thornton