Major tech integration hurdles threaten to impede RBI's card tokenization move

22 Dec, 2021

Merchants are battling with major technology integration challenges as they scramble to comply with the Reserve Bank of India’s (RBI) mandate to purge saved credit and debit card data from their systems from January 1, a deadline that is just nine days away.

In March 2020, RBI said that merchants will not be allowed to save card information on their websites. This September, though, it issued fresh guidelines, giving companies time until the end of the year to comply with the regulations but offering them the option to tokenize the cards, enabling an additional layer of security for payments.

Tokenization refers to replacing credit or debit card details, such as the 16-digit card number, card expiry date, CVV as well as the one-time password or transaction PIN, with a unique alternate code called a 'token'. From January 1 onwards, users will also need to give merchants their consent with an additional factor of authentication (AFA) for their first transaction, following which they can complete the payment by keying in the card’s CVV and OTP.

This, however, is easier said than done since AFA requires banks to obtain additional authentication from customers during registration and first payment, with relaxation for subsequent payments up to certain limits.

A tech implementation such as this, which requires a system change, can be considered successful only if it is capable of handling large volumes of transactions, note experts and bankers. That scale will not be achieved unless all parties involved are ready to switch.

To begin with, the application program interfaces (APIs) need to be ready. APIs allow software and services to interact with each other, and are often used to verify information, pull data from databases and more.

“The APIs have to be ready at the card issuer (banks), card networks (Visa, Mastercard, RuPay), and correspond with the merchant’s network. This is easier said than done (in a short time),” explained Sijo Kuruvilla George, Executive Director, Alliance of Digital India Foundation, an industry body that represents startups in India. “It needs time to witness a full-blown integration and implementation,” he added.

Second, the card-on-file (CoF) data, which needs to be deleted, is not stored in a single database, “and there are steps, like security and redundancy, built-in to make it error-free”, according to Kuruvilla. He added that integration will only be possible after the bank APIs are made available. “The robustness of API documentation is the basis on which the integration works,” he explained.

Third, banks are at different levels of maturity, given that the system overhaul started sometime in September. “(The) Technology is foolproof, but the challenge is that all of a sudden everybody wants to do everything at the same time,” said Prasanna Lohar, vice president, Technology (Digital, Innovation & Architecture) at DCB Bank, explaining that all the banks are asking for tokenization solutions from vendors at the same time, while solution providers have limited bandwidth. “Also, the certification process with card networks would take its own time,” he added.

Fourth, solution providers are engaging with different banks to offer solutions as per their preparedness, experts pointed out. That said, while solution providers have started announcing tokenization solutions in the last two months, they will take time to reach a level of stability. Some are still in the process of introducing solutions, such as payments solutions provider Cashfree Payments, which announced a tokenization solution called Token Vault that will be live on 27 December.

“The technology has been there for some time, (and) different banks are at different stages, (but we) can’t really say that every bank is ready. But there is a reasonably good mix at this time. The larger organizations have obviously made more progress as they have been planning for this, and working with networks to establish readiness,” said Harish Prasad, Head of Banking at fintech firm FIS. “The main areas where banks need to establish readiness are around Additional Factor of Authentication (AFA) for customer consent, and tokenization request approvals mandated for issuers,” he added.

On Tuesday, for instance, Mastercard and Google announced the rollout of tokenization whereby Google Pay Android users can scan and pay across all Bharat QR-enabled merchants, tap-and-pay, and make in-app transactions through their Mastercard debit and credit cards. For registration, users will do a one-time setup by entering their card details and their OTP to add their card on the Google Pay app.

Fifth, experts say banks don’t have enough incentive to offer tokenization in the first place. “There are no guidelines that spell out that every bank has to mandatorily offer tokenization. In such a scenario, banks may not be excited to offer tokenization and this adds to the woes of the merchants leading them to suffer a loss of revenue,” ADIF’s Kuruvilla said. “It needs to be considered that it is only with the banks and card networks being ready and APIs being made available, that the merchants can even come up to take active measures on their part to comply,” he added.

An industry expert, who did not wish to be named given the sensitivity of the matter, believes that tokenization implementation should have taken a cue from the unified payments interface (UPI) framework adopted by the National Payments Corporation of India (NPCI). He pointed out that UPI was implemented over a much longer timeframe, wherein NPCI conducted a pilot launch with its member banks first.

Last but not least, experts point out that there is not enough consumer awareness of tokenization either. Banks have started reaching out to customers with messages about the RBI guidelines, but these messages confuse customers more than they inform them. With the new rules, customers will have to enter their card details each time a payment is made, unless tokenization is implemented at the service providers’ level.


Moumita Deb Choudhury