RBI’s tokenization rules may cause breakdown of digital payments market

At the start of October, most automated recurring payments came to a grinding halt owing to banks and card issuers rushing to comply with the Reserve Bank of India’s circular on processing of e-mandate on cards for recurring transactions. This e-mandate circular had initially extended the compliance deadline from March 31, 2021 to September 30, 2021.

Owing to the general state of unpreparedness of the industry to put in place enabling infrastructure, even after the deadline, less than a third of all cards issued in India are set up on infrastructure permitting the processing of e-mandates for recurring transactions. This continues to result in a high-friction transition for several customers, whose recurring transactions have come to a standstill. With a mere handful of banks being compliant with the e-mandate circular, the October deadline was a perfunctory one, which was not strictly enforced by the Reserve Bank of India (RBI). Now, as the year draws to an end, another deadline looms large over the card payment ecosystem in India.

The RBI had mandated in 2019, that any entity that is not a card network (such as Visa, Mastercard, Amex, RuPay etc.) or an issuing bank, must not store customer card data after 31 December 2021, and must delete any past customer card data by that date as well. When the RBI published the no-card-storage rule, there was obvious pushback from merchants (i.e. anyone that accepts digital payments) since it creates dependence on card networks. 

The primary challenge with the no-card-storage rule was the inability to access customer card information, which in turn has a huge impact on being able to serve customers. Card information allows merchants to provide customer specific-promotions, process refunds and address customer grievances effectively and efficiently. Storing this card information at the back end allows merchants to manage fraud risk and mitigate any potential impact on customers or the business. 

In light of this feedback, the RBI (through an iterative process) permitted tokenization as an alternative to card storage. After allowing for device-based tokenization earlier in 2021, the RBI, on September 7, authorised card payment networks and issuer banks to offer card tokenization services to merchants that use cardholder data for transactions.

This is indeed a very progressive regulation, and the RBI should most certainly be lauded for its avowed intent to protect customers in the wake of numerous data breaches compromising cardholder data of millions of customers. This transition towards tokenization of card-on-file data results in the replacement of actual card details with a unique encrypted ‘token’, which acts as an identifier or alternate, called a token reference number. 

This allows for merchants to access and store the token reference number against all card numbers saved, to authenticate a card transaction instead of collecting and storing card data, which could be compromised in the event of a data leak. This pre-emptive move by the RBI sets a strong precedent in demonstrating regulatory foresight to keep up with global security standards, and paves the path for secure, frictionless payments.

While the legislative intent driving this policy is laudable, disruption in payments would be driven by disparate implementation. In this particular instance, the RBI has directed merchants to not store any card details post December 31, 2021. However, unless a fully functional alternative, i.e. tokenization, has been implemented, merchants won’t be able to continue to serve customers without card details. 

From a practical standpoint, this puts merchants in the unenviable position of having the continuity of their business in the hands of external parties, like card networks and banks. If tokenization is not ready by December 31 then merchants can either continue serving their customers and be non-compliant, or comply and lose the ability to perform their business functions and serve customers. 

To add to the complication, merchants have no ability to influence ecosystem readiness on tokenization. The manner in which the regulation is drafted creates a hapless dependence by merchants on card networks and issuing banks. Merchants and customers are unfortunately the last participants in what is a highly interdependent payments ecosystem.

For tokenization to be effective, the entire ecosystem must follow card-on-file tokenization. To enable this, the entire ecosystem must sequentially create the tokenization infrastructure – starting with card networks, followed by banks, then merchants, and ultimately the consumer would store their card information in the form of tokens with the merchant. 

Here, again, only card networks and banks are permitted by the RBI to create the infrastructure, leaving merchants helpless. The card networks and banks would need to manage integration in a timely, uniform, and non-discriminatory manner.

Given the interdependence of merchants on acquirers and card issuers, merchants would be put in the precarious position of having to delete card-on-file data to comply with the RBI’s deadline, whilst relying on other players to enable tokenization. 

In the eventuality that other ecosystem participants are not ready for tokenization, merchants would have purged their customer data and then be compelled to ask their customers to re-populate their card details, an exercise that could result in them losing customers and impacting business and transactional continuity. This would not only be value-erosive for merchants, who have meticulously collected card-on-file data over several years, but would also undermine the safety offered by tokenization, if even a single stakeholder in the payments chain continues to store customer data in a non-tokenized manner. 

As the entire payment ecosystem would need to be ready for card-on-file tokenization, the implementation of tokensation cannot be sequential, as is the case in other industries, but needs to be ready for a simultaneous transition by the compliance deadline of December 31. This interdependence within the payment’s ecosystem and the associated risks must leave no room for asymmetric implementation. 

If the RBI’s stated intent of improving safety, security and convenience is to be met, every stakeholder in the digital payment chain, from customer to merchant must ensure compliance with the tokenization requirements, thereby ensuring that there is no vulnerability in the payments chain. 

To ensure that the RBI’s directions for tokenization are implemented uniformly without favouring or excluding any stakeholders, it is imperative that the RBI monitors compliance implementation by regulated entities. It is only thereafter that merchants can begin to build the infrastructure, test, and fix it, and finally comply with the requirement. The RBI must assess compliance readiness well before the deadline, and extend the deadline in the event that adherence looks unlikely.

The prevailing information asymmetry and contradictory data regarding the readiness of tokenization capabilities belies the practical challenges of implementation, that relies so intrinsically on industry-wide implementation. Complete technical readiness, unless coupled with tokenization at every stage in the card transaction/payment chain undermines the very intent of ensuring industry-wide payment data tokenization.

Interestingly, the RBI has directed card networks and banks to ensure that other entities in the payment ecosystem do not store card data. By doing so, it appears that the RBI is requiring said private entities to “regulate” how other private entities do business, beyond the jurisdictional purview of the RBI. This places both the liability of implementation as well as the responsibility of compliance on card networks, ostensibly delegating what ought to be a legislative function to private entities. 

In a country where ease of doing business assumes significance as a policy priority, and the Government has been promoting the Digital India initiative, purging card-on-file data would be akin to merchants starting customer acquisition and payment integration afresh, especially for merchants who strive to offer a seamless payment experience. 

Akash Karmakar

---

Akash Karmakar and Sankalp Inuganti are Data privacy and technology lawyers at the Law Offices of Panag & Babu.