The Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) have voiced their concerns over industry-readiness on the recent Reserve Bank of India (RBI) directive on card-on-file tokenisation (CoF). They have written to the central bank, requesting to extend the December 31 deadline for the implementation of card data storage norms, according to a press release issued on December 22.
While RBI’s objective of ensuring security and reducing fraud from the payment ecosystem through this policy change has been welcomed as a step in the right direction, MPAI and ADIF have in their letter highlighted several operational challenges that will hinder the transition to the token-based payments ecosystem.
This policy change affects three major players: banks, intermediary payment systems, and merchants. “Merchants cannot start the testing and certification of their payment processing systems until banks, card networks, and PA/PGs (payment aggregators/payment gateways) are certified and live with stable APIs for consumer-ready solutions,” the joint letter noted.
The two associations have sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and PAs/PGs, as well as the generation of consumer awareness about the impact of the policy change. They highlight that RBI regulated entities are not prepared, in the absence of a hard mandate to comply.
RBI had in September 2021 prohibited merchants from storing customer card details on their servers with effect from January 1, 2022 and mandated the adoption of CoF tokenization as an alternative to card storage. MPAI and ADIF believe that if implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants. According to the letter, “disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments”.
MPAI and ADIF are of the view that ‘ecosystem readiness’ is a sequential process of going live with stable API documentation for tokenised transactions. Moreover, in the letter, they have highlighted that the digital payments ecosystem is a long way from consumer-ready solutions and that the implementation of tiered timelines for compliance will help minimise disruption to consumer services. Unless regulated entities are compliant, merchants will not be able to successfully process tokenised transactions.
According to Sijo Kuruvilla George, Executive Director, ADIF, “In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue – we are looking at revenues losses of 20-40 per cent at the minimum should that be the case. It’s also important to note that it’s only after the readiness of bank, card networks and APIs are made available that merchants are even able to take effective measures on their part to comply.”
According to Vishal Mehta, chair of the governing council of MPAI, “This unpreparedness will impact recent digital payments adopters even deeply. The frequency and intensity of phishing attempts will go as entire card details are to be entered for each transaction, causing significant increase in irreversible fraudulent transactions.”