Come October 1, merchants, payment aggregators and acquiring banks can no longer store the card details of customers.
With the deadline to comply with Reserve Bank of India's card-on-file tokenisation norms fast approaching, industry participants say they are relatively well placed now as far as readiness to transition into the new regime is concerned.
But inadequate testing of the new process may throw up teething problems, which may result in failure of some transactions, especially recurring payment ones.
Come October 1, merchants, payment aggregators and acquiring banks can no longer store the card details of customers.
Under the new guidelines, only card issuers and card networks will be able to store them.
Merchants and other entities that have stored card details of customers will have to purge the data and apply tokenisation.
Tokenisation is the replacement of an actual or clear card number with an alternative code called the 'token'.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing.
This helps cut the chances of card information leakage.
"We are confident of market participants working together to meet the deadline, given the benefits of card tokenisation in solving consumer and ecosystem security. And, it provides an enhanced checkout experience," said Ramakrishnan Gopalan, head of products, India & South Asia, Visa. Visa has enabled over 100 million tokens.
Ravi Datla, vice-president, digital products, MasterCard, told Business Standard that all ecosystem partners, including issuers, merchants, payment gateways and payment aggregators, are fairly covered from an enablement point of view.
"We today have over 110 million tokens created by Mastercard alone and enabled over 200,000 merchants. Of this, around 50,000 are actively creating tokens for card holders," he said.
While the initial deadline set by the RBI was January 1, 2022, it was extended by another six months.
The RBI again extended the deadline by another three months to September 30.
This is because transaction processing based on tokens was yet to gain traction across categories of merchants.
The RBI had said that the industry should use the extended time to facilitate stakeholders to be ready for handling tokenised transactions.
A lot of progress has been made since then, wherein the industry is reporting that the success rate of token-based transactions is even higher than card-based transactions.
"There are some transactions that happen through guest checkout. For the transactions initiated using saved credentials (aka tokens), there is 70 per cent progress, and within a week or two, it will be at 100 per cent. The success rate of token-based transactions is 3-4 per cent higher than cards," Datla said.
Although readiness of the ecosystem has seen marked improvement over the last few months, the inadequate testing experience of these token-based transactions is something that has some of the stakeholders concerned.
Recently, NASSCOM and Merchants Payments Alliance of India wrote to RBI with a status report highlighting that the industry needs adequate testing experience.
"More time is required to test and build out the efficacy for recurring payments. There are certain issues with token flows for recurring payments that need to be addressed before the no-card-storage rule can be implemented," said Ashish Agarwal, vice-president and head of policy, NASSCOM.
"The industry has to reach a certain level of confidence in terms of success rate and the time it takes to process tokens. And, both these areas are right now not in a shape where it can be taken to the market. We believe that the RBI is examining the issues," Agarwal added.
The entire ecosystem has been grappling with the recurring payment problem for a long time.
Last year, when the standing instruction mandate was implemented, the entire industry went through a phase where they connected with the customers and took their mandate.
With tokenisation, they had to repeat the process again.
So, they had requested RBI that if the mandate consent can be treated as consent for tokenisation as well, it would result in all the standing instruction transactions being tokenised.
"Recurring transactions segment is the last leg where we are working with our partners to minimise failures. We are currently encouraging these partners to scale and supporting them in the process. The industry is up at scale and most of the transactions are going through at a much better pace than cards," Datla added.
The Payments Council of India (PCI) has also reached out to the RBI on certain issues, including those on recurring transactions, and is awaiting more clarification on it.
"All the payment gateways and PCI members are ready with tokenisation for the last two months. According to our numbers, more than 10 million cards are already tokenised," said Vishwas Patel, chairman, PCI.
"While there were teething problems initially when it came to processing of token-based transactions, now the success rate is similar to what it was earlier. We are awaiting clarifications from the RBI on certain issues, including standing instructions," Patel added.
"RBI has been very lenient in giving extensions. It is high time the industry steps up to meet RBI's expectations and delivers," Patel said.
Rama Mohan Rao Amara, MD and CEO, SBI Card, told Business Standard that majority of the ecosystem partners, including merchants, are prepared to meet the deadline.
"As a compliant and customer-first organisation, we have already integrated the required changes and are ready to launch this by the RBI deadline," Amara said.
"Such changes may have minor issues initially," Amara added, but once past those, the overall impact on customer safety and overall user experience is better."
