Come July, when you make your regular online payments such as ordering food, groceries, making bill payments etc., you will have to manually enter your credit or debit card details in full as the merchants, payment gateways, payment aggregators, e-commerce websites, and acquiring banks will mandatorily have to delete the customers’ card data to comply with the Reserve Bank of India’s (RBI) new card storage guidelines.
The central bank has set the June 30, 2022 deadline for the aforementioned parties to reach out to customers asking them to tokenise their credit and debit cards before the said target date.
What Is Card Tokenisation?
Under what is called card-on-file tokenisation (CoFT), businesses holding any card details of their customers will have to remove all such information and ask the customers to create a token instead, which is a unique code for each card used while doing digital transactions.
Transactions made through tokenised cards will serve as a precautionary measure to counter frauds as the actual card details will be substituted with a token while sharing card details with the merchant during a transaction. The aim of implementing card tokenisation is to improve the security as well as safety of digital transactions.
Presently, when customers make online transactions, their card details are already stored, but with tokenisation, all such details will be swapped with an alternate code called ‘token’. In the event of customers not choosing to go for the tokenisation system till the end of June, they will have to enter their card details manually every time they make online transactions from July.
However, the big question is whether the Indian payment ecosystem is ready for tokenisation this time.
According to a recent report by The Dialogue and DeepStrat, there are still operational and executional challenges hindering the seamless implementation of card tokenisation in India. The report stated that while shifting to the tokenisation mechanism would lead to a more secure transaction experience, there is a need to assess the readiness of the ecosystem. As per its findings, the industry is not completely ready to implement the tokenisation framework yet.
“Without proper tokenisation infrastructure, deletion of Card-on-File data will cause tremendous user inconvenience as it will require them to re-enter the card details for every transaction,” the report noted, adding that further, implementation of the framework without sufficient preparedness may also lead to increased transaction failures and delays.
Kazim Rizvi, Founding Director, The Dialogue, a research and public policy think tank, affirms that there is apprehension around the readiness of the whole ecosystem including merchants. The think tank also conducted a recent study on the preparedness of the payments industry to implement tokenisation and while talking to the stakeholders involved, it found out that there is a varied level of preparedness for varied stakeholders. Talking about the findings of the study, Rizvi noted that no stakeholder is fully ready to implement the tokenisation framework.
“While significant progress has been made in token provisioning, there are concerns regarding the implementation of solutions for use cases such as guest checkout, recurring payments etc. Merchants and PA/PGs require time for testing the new framework and would need a further extension in the deadline,” he said.
Currently, merchants are seeing a high transaction failure rate and high latency in the transactions they are processing. At any given time there are more than 500 transactions per second and currently, merchants are seeing success rates in single digits. Without proper tokenisation infrastructure in place, deletion of Card-on-File data will cause tremendous user inconvenience and disruptions, Rizvi affirmed.
Dr Aruna Sharma, IAS, former Secretary, Government of India, who was also a member of RBI’s High-level committee, opines that although tokenisation is a welcome move to ensure enhanced security, to be effective it needs all players to be at an equal level in terms of readiness.
“Banks have to be ready, besides cards, vendors, card acquirers, payment platforms and merchants. All have to invest and modify their IT system in sync. This then needs to be tested before tokenization is rolled out. Merchant being in charge of grievance redressal may hamper efficiency. Plus there is still the issue of speed and volume handling in tokenisation vis-a-vis cards. Thus the back-end infrastructure for processing payments using tokens has to be fully ready to avoid failures in transactions and enable smooth shifts. Readiness is key to success,” opines Sharma.
The Readiness So Far
As per industry inputs, while token provisioning has made considerable progress with more than ten crore tokens generated by the token service providers, which will cover 60-70% of the Indian cardholders, the industry is still continuously working towards developing solutions for certain use cases such as guest checkouts, EMIs and recurring payments, which have been in a constant phase of evolution. However, more time is required for testing and ensuring scalability for a successful implementation.
Tokenisation has existed globally for a few years now and in India too, the process started quite some time back.
“We have seen many banks here already in the process of setting this up and may have invested heavily into the R&D of the process prior to the rollout. Many are already reaching out to their customers to explain the intricacies of the process and what they can look forward to,” says Mukul Shrivastava, Partner, Forensic and Integrity Services, EY.
The card networks such as Mastercard, Visa and RuPay have claimed that their solutions are ready for tokenisation. Similarly, PayU, Razorpay, PhonePe, Pine Labs etc. have also come up with solutions to help the businesses transition to the framework.
Larger merchants have initiated integrating the system and have started tokenisation of the cardholders. Paytm has claimed that they have already tokenised 2.8 crore cards which constitute 80% of the cardholders on their app.
Other merchants have also started the consent process for it. However, there is little information available on the readiness of the banks in the ecosystem. It is safe to say that due to the efforts of the industry to implement this solution, the state of readiness is far ahead of what it was six months ago. All stakeholders in the ecosystem have taken strides towards readiness, and there is no one who is not ready at all. However, different stakeholders are at various levels of readiness, some partially ready while others are at advanced stages, and the ecosystem as a whole is not completely ready for the mechanism to be implemented effectively.
Thus far, big merchants comprising Swiggy, Uber, MakeMyTrip, and Razorpay have gone live, and are letting customers tokenise their cards.
“While there is still a lot of scepticism around the readiness of the industry to meet these new guidelines, on our platforms almost 100% of our merchants are live and ready with Tokenization. This is mainly because, in October 2021, Razorpay launched its end-to-end token solution with the three major card networks Visa, Mastercard and RuPay, and Diners Club in May 2022 and American Express going live soon,” says Khilan Haria, SVP & Head of Payments, Product, Razorpay.
Airtel Digital TV has also started sending messages to customers to secure their debit cards for online payments before June 30.
Amazon, Flipkart, GoIbibo, Myntra, and Nykaa, among others, are in the final stages of integrations and are likely to begin the process of tokenising consumer cards in the subsequent weeks, according to media reports.
While Flipkart did not respond to Outlook Business’s queries, Amazon refused to comment. The payment industry comprising merchants has been making representations to the RBI, conveying their concerns regarding the payment use cases, for instance, recurring payments and guest checkouts, which are still not offered under tokenisation solutions presently.
Many big merchants, according to reports, are wary of implementing tokenisation as they fear it will cause disruption in customer experience.
What Will Be The Impact On Small Merchants?
The July implementation of the tokenisation framework will result in a significant decline in payments through cards, impacting small merchants who predominantly depend on payment aggregators for their integration in the new mandate.
Small merchants would predominantly need to depend on payment aggregators for their integration in the new mandate as they do not have sufficient resources and capacity to implement tokenisation on their own.
Rizvi states that the implementation of the tokenisation framework will significantly impact small merchants who do not possess the necessary resources and know-how for meaningful implementation of tokenisation and require more time for integrating with the tokenisation mechanism.
Further, there also seems to be a lack of transparency in terms of the readiness of the stakeholders.
“Merchants have no clarity regarding the readiness of the other stakeholders in the ecosystem including banks. A transparent mechanism would help in gaining the trust of the merchants and the ecosystem that tokenisation framework is ready to be implemented,” he adds.
It is important that before mandating deletion of Card on File data, the RBI should assess the readiness of the ecosystem and enforce the mandate only after they are satisfied that all stakeholders are ready with token provisioning, token processing and addressing multiple use cases. As per the current situation, there is a need for further extension of at least six months in order for the ecosystem to be ready, Rizvi opines.
What Are The Challenges?
Some of the challenges the banks and merchants may face include integration with various backend systems and network/service providers involved for a seamless transaction experience. Addressing and negating these would be critical, Shrivastava notes.
The other main challenge, he outlines, is that the migration to tokenisation may also impact services such as EMIs, promotional offers, and instant cashback facilities. Another key issue that may hinder effective implementation could be the consumer education provided and their proclivity in understanding how tokenisation works.
“The adaption of digital payment processes is likely to accelerate as tokenisation becomes mandatory for merchants. One of the key reasons is how it would fortify online transactions against the threat of cybercrime and online fraud in a dynamic risk landscape,” states Shrivastava.
It is imperative to educate users on how tokenisation will help from a security perspective, as well as how to transact using tokens so that the migration becomes less disruptive to the payment ecosystem, he adds.
Should RBI Further Extend The Card Tokenisation Deadline?
It is important that before mandating deletion of Card on File data the RBI should assess the readiness of the ecosystem and enforce the mandate only after they are satisfied that all stakeholders are ready with token provisioning, token processing and addressing multiple use cases. Many experts opine that given the current situation, there is a need for further extension of at least six months in order for the ecosystem to be ready.