The Reserve Bank of India (RBI) should enforce card-on-file-tokenisation (CoFT) in a phased manner to ensure the adoption is smooth and merchants and customers are not impacted, industry body NASSCOM (National Association of Software and Service Companies) said as part of its proposed suggestions to the central bank.
The suggestions are based on feedback provided by card networks, payment aggregators and merchants in a closed-door meeting with the body on December 7.
NASSCOM said the industry agrees that CoFT is an effective measure to protect customer information. However, it is concerned about the implementation and operational challenges CoFT presents.
The body said the industry is still recovering from the disruption caused by the rollout of the new rules on recurring transactions in October. The new rules require all online service providers to implement an additional factor of authentication (AFA) for all recurring credit or debit card payments.
The new rules on CoFT will come into effect from January 2022, the central bank said in a notification published in September. The notification said that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data. Any such data stored previously shall be purged.
NASSCOM in its suggestions to the central bank said, “Networks, card issuers and merchants – rely on each other to ensure seamless digital transactions for customers. Merchants are dependent on the readiness of issuer banks, card networks, who offer tokenisation services. In the absence of viable solutions for tokenization, merchants will be left in a lurch.”
“A viable solution for merchants is that banks issuing 80% of the cards integrate and test the CoFT solution with the networks and stable (application programming interface) APIs are made available to the merchants to test and integrate themselves with the CoFT solutions,” the body added.
Without this, NASSCOM stressed that merchants will end up purging card data from their systems without having access to tokenized data.
NASSCOM further highlighted the issues CoFT will open for customers who buy online as guests. In the absence of information on payment instruments, merchants will struggle to process refunds. To address this, the body recommends allowing merchants to store card data of unregistered customers till they are refunded.
The body also pointed out that the central bank’s circular allows merchants to store limited data such as BIN (last four digits) and the name of the customer for tracking transactions.
It further said merchants also require the BIN range (first few digits) to identify the network, issuer and card type. This allows them to process EMIs and provide refunds to customers. Without it, the time taken to process payments and refunds will increase and frustrate customers.