Fearing erosion of trust in digital payments, industry bodies urge the Reserve Bank of India to extend the card-on-file tokenization deadline
The Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) have together voiced their concerns over industry readiness on the recent Reserve Bank of India (RBI) directive on card-on-file tokenization (CoF) and have written to the Central bank requesting an extension of the December 31 deadline for implementation of card data storage norms.
While the RBI’s objective of ensuring security and reducing fraud from the payment ecosystem through this policy change is a step in the right direction, MPAI and ADIF have in their letter highlighted several operational challenges that will hinder the transition to the token-based payments ecosystem.
This policy change affects three major players: banks, intermediary payment systems, and merchants. “Merchants cannot start the testing and certification of their payment processing systems until banks, card networks, and PA/PGs are certified and live with stable APIs for consumer-ready solutions,” the joint letter noted.
The two bodies have sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways, as well as the generation of consumer awareness about the impact of the policy change. They highlight that RBI regulated entities are not prepared, in the absence of a hard mandate to comply.
The RBI had in September 2021 prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of CoF tokenization as an alternative to card storage. MPAI and ADIF believe that if implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants. According to the letter, “Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments.”
MPAI and ADIF are of the view that ‘ecosystem readiness’ is a sequential process of going live with stable API documentation for tokenized transactions. Moreover, in the joint letter, they have highlighted that the digital payments ecosystem is a long way from consumer-ready solutions and that the implementation of tiered timelines for compliance will help minimize disruption to consumer services. Unless regulated entities are compliant, merchants will not be able to successfully process tokenised transactions.
According to Sijo Kuruvilla George, Executive Director, Alliance of Digital India Foundation, “In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue – we are looking at revenues losses of anywhere between 20-40% at the minimum should that be the case. It’s also important to note that it’s only after the readiness of bank, card networks and API’s are made available that merchants are even able to take effective measures on their part to comply.”
According to Vishal Mehta, Chair of the Governing Council of the MPAI, “This unpreparedness will impact recent digital payments adopters even deeply. The frequency and intensity of phishing attempts will go as entire card details are to be entered for each transaction, causing a significant increase in irreversible fraudulent transactions.”