As a step towards enhanced safety of digital payments in March 2020, the Reserve Bank of India laid down new rules for the tokenization of card data. The Payment Aggregator and Payment guidelines published by the RBI, Payment Aggregators (PAs) and Payment Gateways (PGs) prohibited merchant sites from storing customer card credentials (also known as card-on-file) within their database or on their servers.
With tokenization, card details would be replaced by a unique code or token, allowing online transactions to go through smoothly without any exposure to the sensitive card credentials of the customer.
The deadline to comply with these guidelines was first set on December 31, 2021, by when it was expected that banks, card companies (Visa, Mastercard) and other stakeholders – PAs, PGs and merchants would establish the mandatory infrastructure to remodel their systems for the tokenization process and purge all card-on-file (CoF) data. Since then the deadline has been extended twice, first to June 31, 2022 and then further to September this year. Each time the extension was done due to the delays in setting up the new infrastructure by the payments ecosystem and the possibility of disruption and inconvenience to cardholders.
Once again as the deadline draws closer, confusion and hesitancy linger. While most of the big merchants and e-commerce players like Amazon have their systems in place, it is the small merchants who are struggling to set up the necessary infrastructure and revamp their systems.
The Merchant Payments Alliance of India (MPAI) has voiced its concern with the RBI regarding pending issues with the token for recurring payments. The failure to smoothly implement token flow could result in system lag, disruption and a reduction in merchant revenue and therefore they feel that these issues need to be duly addressed. Even though merchants have been assured verbally by partners, these assurances hold little value unless tested on the platform. Small merchants are struggling and need more time to be ready for handling tokenized transactions. Their lack of resources and dependency on PAs and PGs inhibits them from starting any meaningful testing of token solutions for their customers.
The MPAI is of the view that for end consumers to successfully conduct payment transactions using tokenized card details, the ecosystem must be ready. However, merchants who rely on payment aggregators and payment gateways are yet to make significant progress.
Autopay is another concern with tokenization. There is limited clarity on recurring payments as compared to other regular payment flows. To keep track of mandate IDs and in the process of recurring payments, accessibility of bank identification numbers (BINs) from card networks is essential. However, the progress in this area is limited.
Looking at the above scenario, the merchants would be more comfortable with a further deferral of the deadline. The industry experts are unsure of the preparedness of the ecosystem. The beta version testing takes more or less 90 days and the smaller merchants have yet to implement testing of token solutions for their customers. Moreover, the switch of their existing customers to the new systems has not yet happened.
Despite multiple extensions, the problem of synchronization among the stakeholders continues and the ecosystem is still not prepared for all cases. A further extension would only be effective if complemented with a detailed assessment by the central bank and a remedial follow-up to plug the loopholes.
There is a need for clarity backed by data and numbers in terms of preparedness. This will be possible when RBI releases a status report to throw clarity on infrastructure readiness and instill confidence in the merchants so the switchover to tokenization is smooth.
In my opinion, the government should give smaller players more time to be tokenization ready.
Yay for tokenization, since it means more safety for the online shopper.
It would be good to see if all ecommerce platforms are ready for tokenization.
Many websites where I shop, have still not tokenized our cards. I wonder if they are ready
All the parties including debit and card people should be ready for Tokenization specifications.
This is a great initiative by RBI helpful to both the parties
Replacing card deatils with a token is very useful and helpful initiative by RBI
A great post indeed. It provided a great insight into tokenization.
Yes, totally agreed. There are still lots of loopholes in the system. But once they are fixed it will be a game changer.
Yes, totally agreed. There are still lots of loopholes in the system. But once they are fixed it will be a game changer.
Tokenization will help protect businesses from financial impacts that come with data theft.
Thanks for providing a much needed clarity on tokenization.
Tokenization is important with the amount of online purchases today
Tokenizations seems like a secure process.
This blog post helped me gain more insights on tokenization
Even small merchants should be helped by the government to take necessary step for such systems
As you rightly mentioned it would take a lot of time for all the small merchants to adapt to this setup. A lot of time is required to stabilize this than the mobile payment methods.
It is an intriguing concept and the blogger clarified the doubts of many people.
Even small merchants should be helped by the government to take necessary step for such systems
Looking forward for more development regarding tokenization
Although it will lead to huge costs, in the long run it is safe for everyone.
Thanks for such an informative post on tokenization
Hackers who are on a constant lookout for loopholes and gateways to get access will get a major blow with the new rule.
Tokenization can only be successful if it can be implemented without any bias.
Your post brought much needed clarity on tokenization and what to expect.
Quite interesting. Would definitely like to see how this pans out.
Tokenization will help protect businesses from financial impacts that come with data theft.