The Buyt Desk
RBI has directed merchants not to store customer card details on their servers and asked them all to adopt an alternative mode of payment through card-on-file tokenization.
The Reserve Bank of India (RBI) made new rules in September 2021 which said that from January 01, 2022, merchants cannot store customer card details on their servers. A new technology, known as card-on-file (CoF) tokenization, was adopted as an alternative to storing card details. The RBI later extended the implementation date by six months, to June 30, 2022. From July 1, 2022, online players have to delete all the card data (both credit and debit) stored on their platforms. They can replace it with token technology to secure the card details of consumers.
Most of the reputed banks, including ICICI, HDFC, and SBI, are done with the preparations for the switchover and are ready to adopt the new tokenization system. But the merchants are not yet ready, as their backend systems have not yet been scaled up for the new tokenization system, and they have asked RBI to grant more time to implement it. This new system applies to domestic and online purchases.
What is Tokenization?
Actual credit and debit card data stored on a merchant platform can be misused. As a solution to this, the RBI came up with card tokenization. Tokenization replaces the actual card data in the merchant portal. The alternate data, stored in the form of a code, is known as a token. This token is a unique code that represents the card, token requestor, and device.
Why did RBI issue New Guidelines?
A tokenized card transaction on merchant portals is considered safe and secure for card users, as the actual card details are not stored or shared on the merchant device during transaction processing. If the customer does not have the tokenization facility, then he/she needs to key in the 16-digit card number, name, card expiry date, and CVV every time a payment is made using the card. It is a cumbersome task to key in all the details whenever card details are not saved on the portal. This will impact transaction value. To make it easy for customers, card tokenization is introduced. Each card has to be tokenized so that a unique token is generated for all cards in that portal.
What is the Impact of Card Tokenization?
India has more than 100 crore debit and credit cards. There are about 1.5 crore daily transactions through these cards, worth Rs 4000 crore. The value of the Indian digital payments industry is very high and has been increasing since the COVID-19 pandemic. During the pandemic, it was digital payments that saved many and also triggered and sustained India’s economic growth. RBI aims to protect consumer interest, but implementing tokenization is a challenge because of the volume of digital transactions in India.
Earlier this year, online merchants claimed to have lost up to 30% of their revenues due to tokenization norms. This may not make much difference to big sharks but for smaller ones, this loss is too much to bear.
How will Consumers’ Life Change?
A study says that nearly 5 million customers have stored their card details on multiple portals for online transactions. These customers will be impacted if the merchants and online portals fail to implement the new guidelines in their systems. E-commerce platforms will be affected badly, as cards attached to monthly instalments and subscription-based transactions are stored in their databases. For this reason, RBI gave a 6-month extension so that all could align their systems with the new guidelines and no one is at a loss.
Banks are up for the new game of tokenization, but e-commerce platforms, online service providers and small merchants are not yet ready with their backends. Mastercard is behind in this game, so to help it catch up, RBI has banned it from issuing new cards till it complies with RBI data localization.
Why do Stakeholders Want Deadline Extension?
Merchant bodies and digital payment firms intervened in the RBI decision and asked for an extension of the deadline for implementing the new tokenization guidelines. They have approached the central bank saying that the new mandate could cause a loss of revenue and major disruptions, as they are not yet ready. If it fails, all would have to go back to cash transactions only, as cards may not work at the merchant’s machine or portal.
What is the Banks’ Preparedness for Tokenization?
ICICI, HDFC, and SBI Cards have their card tokenization systems ready for online transactions. But merchants are not yet ready for integration. A few players have device-based tokenization, such as SBI Cards with Samsung devices for contactless NFC payments. Along similar lines, other banks have also initiated the process, while many others already have the new system in place. Implementing tokenization needs integration of the systems between banks and merchants, so both parties need to be ready.
What are the Steps for Complete Tokenization?
Tokenization implementation will happen smoothly in these three steps –
Token provisioning – Converting card numbers into tokens; for this, the card networks should have the needed infrastructure in place.
Token processing – Card transactions should be processed and completed successfully through the tokens.
Scale-up for multiple use cases – EMIs, refunds, recurring payments, promotions, offers, guest checkouts, etc. should all work using the same token.
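The first two steps, and the binding of a token to the card, token requestor and device described earlier, can be sketched in a few lines. This is an added illustration, not code from the RBI, the banks or the card networks; the TokenVault class, the merchant and device identifiers and the test card number are all constructed for the example.

```python
import secrets


class TokenVault:
    """Toy token service standing in for the card network or issuer side."""

    def __init__(self):
        self._by_token = {}    # token -> (card_number, requestor_id, device_id)
        self._by_binding = {}  # (card_number, requestor_id, device_id) -> token

    def provision(self, card_number, requestor_id, device_id):
        """Token provisioning: one token per card/requestor/device combination."""
        binding = (card_number, requestor_id, device_id)
        if binding in self._by_binding:
            return self._by_binding[binding]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the card
        while token in self._by_token:         # retry on the unlikely collision
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def process(self, token, requestor_id, device_id, amount_rs):
        """Token processing: resolve the token only for the binding it was issued to."""
        binding = self._by_token.get(token)
        if binding is None:
            return (False, "unknown token")
        card_number, bound_requestor, bound_device = binding
        if (requestor_id, device_id) != (bound_requestor, bound_device):
            return (False, "token not issued to this requestor/device")
        return (True, f"Rs {amount_rs} charged to card ending {card_number[-4:]}")


def demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    token_a = vault.provision(card, "merchant-a", "phone-1")
    token_b = vault.provision(card, "merchant-b", "phone-1")
    merchant_a_db = {"customer-42": token_a}  # the merchant stores only the token
    paid = vault.process(merchant_a_db["customer-42"], "merchant-a", "phone-1", 499)
    # The same token presented by a different requestor is refused.
    reused = vault.process(token_a, "merchant-b", "phone-1", 499)
    return token_a, token_b, paid, reused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A token copied out of one merchant's database is of no use at another portal, because the vault resolves it only for the requestor and device it was provisioned for.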