Tokenisation Options Pick Up Ahead Of RBI's New Card Storage Rules
With the Reserve Bank of India's card storage guidelines coming into effect in less than 60 days, the number of tokenisation service options available in the market is rising. Multiple entities including Visa, Mastercard, American Express and RuPay have all launched proprietary tokenisation services over the last two months.
According to guidelines issued by the regulator on Sept. 21, no participant in the payment chain, apart from the card issuer and the card network, can store customer card data on their servers from Jan. 1, 2022. Card-on-file data stored so far by the other participants will need to be purged.
As a mid-way path, the RBI has recommended card-on-file tokenisation. Under this, only the card network or issuer can store card data, issuing tokens for the transactions.
Tokenisation is the process of turning sensitive data into a string of randomly generated numbers called a "token". Unlike encryption, these tokens cannot be reversed or decrypted once they are hashed. So even if the token leaks, its content is permanently secure.
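To make the mechanism concrete, here is an added sketch (not code from any card network, issuer or payment company named in this article) of a vault-style design: the token is a random value, the card number stays with the issuer or network, and each token is tied to the merchant that requested it and can be de-registered by the cardholder, as described further down. The class name, merchant IDs and test card number are constructed for illustration.

```python
import secrets

class TokenVault:
    """Constructed model of the issuer/network side: the only place a card number is kept."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, merchant_id)
        self._by_pair = {}   # (pan, merchant_id) -> token

    def tokenise(self, pan, merchant_id):
        """Return this card's token for this merchant, minting a new one if needed."""
        key = (pan, merchant_id)
        if key in self._by_pair:
            return self._by_pair[key]
        while True:
            # Random digits, not derived from the card number: the token alone reveals nothing.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token:
                break
        self._by_token[token] = key
        self._by_pair[key] = token
        return token

    def authorise(self, token, merchant_id):
        """Resolve a token to its card only for the merchant it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None  # unknown, de-registered, or presented by a different merchant
        return entry[0]

    def tokens_for(self, pan):
        """Cardholder's central view: every merchant holding a token for this card."""
        return {m: t for (p, m), t in self._by_pair.items() if p == pan}

    def deregister(self, pan, merchant_id):
        """Cardholder removes one merchant's token; returns True if one existed."""
        token = self._by_pair.pop((pan, merchant_id), None)
        if token is None:
            return False
        del self._by_token[token]
        return True

def demo():
    vault, pan = TokenVault(), "4111111111111111"  # constructed sample: a test card number
    token = vault.tokenise(pan, "shop-a")
    replayed = vault.authorise(token, "video-b")   # leaked token presented elsewhere
    honoured = vault.authorise(token, "shop-a")    # same token at the requesting merchant
    vault.deregister(pan, "shop-a")
    return token, replayed, honoured, vault.authorise(token, "shop-a")
```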
The regulator intends to reduce the risks of storing card data on multiple platforms which could lead to data breaches. Tokenisation will also allow customers to continue using digital payments, without having to add card data for every transaction.
Services On Offer
Following RBI's diktat, many payments companies like Razorpay, PayU, Juspay, and PhonePe announced solutions to help merchants adopt the new standards. These platforms act as "requestors" of tokens on behalf of the merchant, making the process more seamless.
Razorpay's Shashank Kumar said the entire base of 5 million businesses on the platform will be ready to support tokenised card transactions.
"We've made it extremely simple for any merchant to get started, all they need to do is opt-in via a toggle, and we'll do the rest," said Kumar.
Kumar said the company has started reaching out to merchants and is actively educating them about the upcoming changes. Understanding the technical aspects isn't everyone's cup of tea, and the company is trying to bridge the gap by making merchants aware of the end consequences, he said.
A few larger merchants that use white-label solutions will have to dedicate some resources to accommodate the new process without hindering the user interface or experience.
"These clients usually have a developer team in-house. So while it may require some work, the outcome will be positive," said Kumar.
Razorpay said customers have saved 20 million cards on the platform so far. These will all need to be transitioned to tokenisation eventually.
Card networks, too, are putting in place systems.
"Visa has enabled its issuing banking partners for tokenisation and continues to work closely with merchants, payment aggregators and gateways to ready the ecosystem for rollout," said Shailesh Paul of Visa in response to a query from BloombergQuint. A unique token will be assigned to the merchant requesting the token and is restricted by the use case, the company explained.
Mastercard and NPCI, which manages the RuPay network, did not respond to emails. In a statement on Oct. 20, NPCI had said it is launching its 'Token Reference On File' or TROF service to help RuPay cardholders transition.
What Will Merchants Face?
While card networks are launching services, merchants will need to get on board quickly to avoid chaos similar to that seen during the transition to the new recurring payment rules.
Merchants will face some disruption as they will need to rebuild the database for customer payments all over again, according to Ravi Battula, head, merchant acquiring solutions, Wibmo. "Obviously, it also means the user will have to manually fill in the details once again," said Battula. "Any new change comes with some friction. That'll be the same case here, but it will be much more subtle."
Customers using tokenisation will also have more control via a centralised view of all the tokens that have been generated, according to Battula. Cardholders will have the freedom of removing the token, if they want to stop availing specific services, without having to visit multiple websites, he said.
"If the merchants, gateways, or aggregators don't comply, they will be penalised by the RBI. It's just a one-time thing to improve consumer confidence and make the internet a safer place," said Vishwas Patel, chairman, Payments Council of India.
Still, there are concerns that the industry may not meet the deadline of Dec. 31, 2021, causing disruption for merchants who haven't made the move.
"The challenge will be for all merchants to shift to the new framework within the timelines prescribed by RBI. Some sections of the industry do think January 2022 is an aggressive timeline for all players to get comfortable with the new ecosystem, and customer experience disruption is likely," said Shilpa Mankar Ahluwalia, partner and head, fintech, Shardul Amarchand Mangaldas & Co.
Is Tokenisation Enough?
Payments Council of India's Patel said the core issue of ensuring data security for card transactions can be fully addressed through tokenisation.
The RBI, in its notification, goes beyond just providing a consent-based framework for card transactions. Customers will be able to set or modify transaction limits for tokenised card transactions and they will be able to register or de-register their card for particular use cases.
The centralised opt-out option for customers, however, could be delayed, as a lot of banks are dragging their feet, a person familiar with the matter told BloombergQuint on condition of anonymity.
Card issuers, or banks, also need to create an easy mechanism by which customers can report the loss of their identified device or unauthorised usage of the tokens created. In addition, card payment companies must put in place an appropriate dispute resolution process for these tokenised transactions.
Further, prior to launching these services, the card payment companies will have to put in place mechanisms for routine (at least annual) security audits of all the entities involved in the transaction chain.
"The aim of tokenisation was to secure card data and prevent it from being misused in case of a breach. The new approach is extremely secure and fulfils its purpose perfectly," Patel said.