1592899775_7Uxh1r_RBI_final.jpg 
The RBI Guidelines dated March 17, 2020, on the Regulation of Payment Aggregators and Payment Gateways, prohibits payment aggregators and merchants from storing customer card credentials. The RBI had granted a “one-time” extension on implementation of this mandate, until 31st December 2021. Where are we on this journey ?
Photo Credit :
With the increased usage of digital payments, the preferences of consumers are driven by the ease, speed & safety with which they can undertake and complete the transaction, using a specific payment instrument. Business models in this industry have evolved to facilitate this consumer-ask and make digital payments easy & handy for the consumers.
Card-on-file
A ‘card on file’, or stored credentials, is the card information stored by a merchant, payment gateway, payment aggregator or digital wallet to process future transactions.
It is an important feature, in terms of customer-convenience and makes the transaction process smooth. It eliminates the need of re-entering card details on the merchant’s site and helps in executing recurring payments. These players store the card number and other relevant details related to a card in an encrypted format; however, the card verification value (CVV) is not stored. At the time of a card transaction, customer consent is taken to store these card details for future reference.
Tokenisation
Tokenisation is the process of replacing credit and debit card information with an equivalent code known as a "token."
The token requestor is an entity that receives a customer's request for card tokenisation and forwards it to the card-network for the issuance of a matching token. Think of this as ‘match the following’ !
Since the card data is not shared with the merchant during the transaction processing, a tokenised-card transaction is deemed safer. The few merchants, platforms & banks had already started prodding the consumers to have their cards tokenised.
Delays & more
The card networks like RuPay, Visa and Mastercard and large payment gateways have announced that they are ready with the infrastructure to convert cards into tokens. Online platforms like Zomato, Uber started prompting their users to give consent to tokenise their credit and debit cards.
The risk for banks and FinTechs for existing EMI repayments through cards (without tokenisation) is this : Since the card data will be encrypted and only a token number will represent the cards, banks and fintechs will not know when the customer's credit or debt card expires. Without this crucial data, the lenders will have risk of repayment defaults.
IBA is reportedly represented to the RBI that preparedness of smaller merchants and the lack of customer awareness will necessitate an extension. But most of the banks started their consumer outreach on tokenisation, only recently and did not show any proactive approach earlier.
Hobson’s choice for RBI
If the extension to tokenisation process is not granted, consumers’ payment experience would get impacted. The e-commerce industry estimates that it could have up to 40% loss in business; and lenders could be in trouble, if the repayment mode is via cards.
In any scenario, for consumers using online payment mode, any lack of service-availability or slightest inconvenience would sadly and solely be blamed on the regulator.
When the reality is that the industry did not prepare itself for this, despite long lead-time ! And has been ‘passing the parcel’ amongst one another ! Is this the case of a truant teenager embarrassing the parents in public ? And that the parent would grin it and bear it, until the time they are back home; will we see a show-down dressing-down for this let-down?
Editor's note: “the RBI has extended this deadline by 6 more months… “
Srinath Sridharan, Corporate Advisor & Independent markets commentator
Twitter : @ssmumbai