Convenience Vs Security: RBI’s Proposed Rules On Card Payments Prompt Debate
What comes first — convenience or security?
The Reserve Bank of India’s soon-to-be-implemented rules on storage of credit and debit card customer data have prompted a familiar debate as retailers argue that the new rules will inconvenience customers, while others say they reduce the risk of a data breach.
Come July, single-click and recurring payments that could earlier be completed by entering only the card security code (CVV) will require customers to re-enter their full card details. This follows from the RBI's March 2020 guidelines, which take effect this July and bar merchants and payment aggregators from storing customer card credentials in their databases or on their servers. The regulations are silent on whether payment gateways, which route and facilitate the processing of online payments, may store this data.
At present, the card details of a customer are allowed to be stored by online merchants, e-commerce websites, and payment aggregators that act as intermediaries between card-issuing banks and merchants.
Ahead of the implementation of the new rules, online retailers and the IT industry Nasscom have pushed back.
A group of online merchants, including Flipkart, Netflix, Zomato, Microsoft and Amazon, that claim to have over 25 crore customers carrying out digital transactions with them in India, wrote to the RBI requesting exclusion of Payment Card Industry Data Security Standard level 1-compliant merchants from the guidelines.
“Enabling merchants who meet the applicable security standards to continue to store cards on file will avoid large-scale interruptions in consumer experience, business operations and digital payments adoption,” the group said in a Feb. 1 letter, reviewed by BloombergQuint.
Besides, not allowing merchants to store card data will impede their ability to resolve customer complaints and process refunds. “A deprecated consumer service would increase the number of consumer grievances and escalations, which could have been easily managed at the initial stage by the merchant itself,” Nasscom said in a January note that highlighted issues based on industry feedback.
The industry representations have so far not deterred the RBI.
In its master directions on digital payment security issued on Feb. 18, the regulator asked scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, and credit card issuing non-banking financial companies to ensure point-to-point encryption and secure storage of customer card details based on norms prescribed by the PCI-DSS. This suggested that entities other than those specified would not be permitted to store such data.
More Work For All
Even as the RBI guidelines seek to improve data security for online card payments, they could increase the work for all the nodes in the payments ecosystem, starting from the customer to the merchant, the payment aggregators and the card-issuing entities.
“If merchants and payment aggregators are not allowed to store card on file details, there will be no way for them to offer seamless payment solutions for recurring and single-click online payments, making life difficult for the end-consumers who would have to manually enter all their details every time they want to buy something or renew subscriptions online,” said Mandar Kagade, founder and principal at Black Dot Public Policy Advisors.
Besides affecting the overall customer experience, the new rules would also make the online payments flow more complex and less feasible for merchants and payment aggregators.
“From the feasibility perspective, it may offer inconvenience to online merchants and payment aggregators as they would need to verify card details of every transaction from the issuing bank,” said Akshay Garkel, partner and leader-cyber at Grant Thornton Bharat LLP.
This, according to Tanya Naik, head of online and omnichannel business for payment at Pine Labs, which offers payment solutions to businesses, would be cumbersome, since card payment networks do not currently tokenise customer ‘card on file’ data for merchants and payment aggregators, as it is still a regulatory grey area.
Tokenisation involves a process in which a unique token masks sensitive card details.
Network tokens provide an added layer without causing friction in the interoperability of the transactions or in consumer experience. Having said that, creating a new payment product such as ‘card on file’ tokenisation will involve infrastructure development by various stakeholders (i.e., card networks, acquiring banks, issuers, payment aggregators, merchants) in the payments ecosystem, which can happen over a period of time and with guidelines to effect adoption and implementation.
Tanya Naik, Head - Online and Omnichannel Business, Pine Labs
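To make the tokenisation idea concrete, here is an added illustration that is not from the article or any card network's actual system: a toy token vault of the kind a network or issuer would operate, and the reduced record a merchant would keep in its place of the card number. The vault class, the merchant record shape and the audit helper are all constructed for this example.

```python
import secrets
from typing import Dict, Optional, Tuple

class TokenVault:
    """Card-on-file token vault held by a card network or issuer (constructed
    example). The merchant only ever receives the token; the PAN stays here."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}  # token -> (merchant_id, PAN)

    def tokenise(self, merchant_id: str, pan: str) -> str:
        # The token is random rather than derived from the PAN, so no key or
        # algorithm can turn it back into card data. Binding it to one merchant
        # means a token lifted from merchant A's database is useless at merchant B.
        token = "tok_" + secrets.token_hex(12)
        self._entries[token] = (merchant_id, pan)
        return token

    def detokenise(self, merchant_id: str, token: str) -> Optional[str]:
        # Only the merchant the token was issued to may resolve it, and only the
        # vault holds the mapping, so this lookup runs at the network/issuer side.
        entry = self._entries.get(token)
        if entry is None or entry[0] != merchant_id:
            return None
        return entry[1]

def merchant_card_on_file(vault: TokenVault, merchant_id: str, pan: str) -> dict:
    """What the merchant keeps for one-click payments: the token and a display
    hint (last four digits). No full PAN and no CVV are ever written to its store."""
    token = vault.tokenise(merchant_id, pan)
    return {"token": token, "last4": pan[-4:]}

def holds_card_data(record: dict) -> bool:
    """Audit helper: flag any stored value that looks like a full card number
    (13 to 19 digits, spaces or dashes ignored). A tokenised record passes."""
    for value in record.values():
        s = str(value).replace(" ", "").replace("-", "")
        if s.isdigit() and 13 <= len(s) <= 19:
            return True
    return False
```

A breach of the merchant store in this model yields tokens bound to that merchant plus last-four hints, not reusable card credentials.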
Further, according to Kagade, the added pressure of authentication on the issuing banks will also be enormous.
“If the payments ecosystem is visualised as a network, since other intermediaries will rely on a few (bank) nodes for card authentication every time a consumer initiates payment, which in this case would most likely be banks that payment aggregators hold escrow accounts with, it would expose payment systems to a potential black swan risk if operational resilience breaks down at these bank nodes,” he said.
Last year, large banks such as HDFC Bank and State Bank of India faced multiple system failures as they processed increased volume of payments made via UPI and digital payment interfaces during the pandemic.
The retail e-commerce market in India is expected to grow at a compound annual growth rate of 12.1% to $96.5 billion in 2023 from $61.1 billion in 2019, according to a JPMorgan report. Most customers, the report said, prefer to pay via their credit or debit cards that comprise 31% of all online transactions.
Despite the pushback, the RBI's move, according to Garkel, may end up making card payments more secure as the number of entities allowed to store and validate sensitive customer data would be reduced.
“From a security standpoint, by giving card-issuing entities the authority to store and validate customer card data, the regulator has also effectively reduced the sources of potential data breaches or leakages, thereby keeping the accountability with the banks to manage those breaches,” he said.
Instances of card data breaches have risen in recent years. In January, sensitive card details of 10 crore Indian customers were leaked from the servers of Juspay, a company that processes payments for Amazon, Flipkart, Swiggy, MakeMyTrip and Airtel, among other big brands. In October 2019, details of more than 1.3 million cards issued by Indian banks were put up on a website called Joker Stash. Similarly, in October 2016, information on around 32 lakh credit and debit cards was stolen by hackers after malware was installed in SBI’s ATM network.
Even as the RBI regulations may cause dissonance and slow the pace of digitisation in the short term, they will eventually ensure a more secure digital payments ecosystem through tokenised card flows, which are superior to other ways of storing card data, said Mohit Gopal, senior vice president and strategy head at PayU Payments.
“However, the guidelines could perhaps have been timed better if tokenisation was first implemented across the industry,” he said.