When the Reserve Bank of India (RBI) published a circular that mandated card-on-file tokenization (COFT Circular) in September 2021, the RBI suggested that digital merchants and e-sellers assign a token that is unique to each credit or debit card as an alternative to storing customer card data.
The COFT Circular mandates that only card issuers or card networks (banks and the likes of Visa, Mastercard and Rupay) can store card data and supply tokens, as token service providers or ‘TSPs’. Such TSPs provide the facility for the creation of tokens by ‘tokenizing’ or ‘detokenizing’ or decrypting the customer’s card data with the consent of the customer and validation by the card issuer.
This would ensure that the card data is not stored in an unencrypted manner, which is prone to misuse. While well-intentioned, and intended to mitigate risks associated with unencrypted card data being stored lackadaisically, the COFT Circular will disrupt digital payments in a manner that India Inc. can scarcely afford. Whether or not TSPs are successful in creating a functional tokenization infrastructure, the odds are stacked against the merchants and will result in a slowdown in online businesses, loss of customers due to repetitive processes, and disparate customer experiences amongst users of different card issuers/card networks.
When a right to information application was made to the RBI in December 2021, the RBI responded that it did not collect data on which banks enabled tokenization. This made it apparent that there was no regulatory supervision of the operationalization and readiness of the tokenization frameworks.
Given that the adoption of tokenization in digital transactions is fairly new and only just mandated by a government agency, the RBI had set a deadline ending on December 31, 2021, to build all the infrastructure needed for merchants and their customers to move to payments using tokenization. While merchants rushed to find ways to set up and integrate processes in the back end, the actual power to create, enforce, and provide such COFT technology and services solely rests with card issuers and card networks. With the infrastructural framework being built by parties with no real economic incentive to set up the infrastructure in time or integrate with merchants, the deadline was unsurprisingly over-optimistic and passed without infrastructural readiness. The deadline was then pushed to June 30, 2022, owing inter alia to the inability of card networks and card issuers to set up a tokenization infrastructure that was ready for large-scale and uniform deployment.
The absence of minimum service standards stipulated by the RBI is causing a sluggish setup of digital payments infrastructure supporting tokenization. The tokenization infrastructure that must be ready for the COFT Circular to function as intended would rely on the TSPs and entities collecting, storing, and tokenizing card data to all act under an operational framework that supports transaction volumes and velocities.
While payments players are working towards implementing the COFT Circular, there continue to be glaring issues with the lack of infrastructural readiness. Because the infrastructure is untested at the scale of transactions in India, hasty implementation would result in transaction volumes that existing infrastructure cannot support, causing recurring failures of payment methods.
A majority of the Indian population has just begun to trust online transactions. While demonetization and the pandemic have moved payments online, lopsided implementation of the COFT Circular may stall payments, forcing customers and merchants to revert to cash dependence. Since this runs contrary to the Government’s policy push, the RBI would do well to implement measures to ensure minimum standards of customer service and redressal mechanisms, and to exercise oversight to ensure the readiness of the infrastructure which is critical to operationalizing the COFT Circular and achieving its avowed objectives.
Most consumers would feel safer if their card data is not stored by merchants. However, with merchants compelled to destroy stored card data, customers would need to re-enter their card details each time. If the implementation of the COFT Circular results in a high-friction checkout process, forcing customers to repeatedly re-enter their card details, then consumers would probably begin saving card data on their phones, browsers or other unsecured media. This defeats the policy objective and also causes an unrivalled unease of doing business online for e-commerce companies and consumers alike.
While the TSPs were given the power to generate tokens from card data, the COFT Circular saddled merchants with the responsibility to ensure that all card data in their systems is deleted. This causes a regulatorily induced dependence on TSPs. Merchants are powerless to ensure that the infrastructure is set up by the deadline, and yet the RBI expects merchants to take this leap of faith and delete their customers’ card data. The absence of the RBI’s supervision to ensure that the infrastructure for tokenization is ready inspires little confidence in merchants to expect a seamless transition warranting deletion of card data. The RBI should mandate data purging only after satisfying itself of ecosystem readiness. One could also argue that inducing this dependence on TSPs will serve as a non-tariff barrier for brick-and-mortar merchants transitioning to e-commerce. While perfection is typically the enemy of the good, if the tokenization infrastructure is not entirely ready, and the RBI enforces the data purging deadline, it would serve to defeat the policy objective the COFT Circular seeks to achieve.
Data collated by the RBI reflects that two trillion transactions were concluded online in the first quarter of 2022. A sharp decline in these average quarterly volumes immediately following, and attributable to, the COFT Circular’s implementation would unarguably indicate a lopsided implementation of the COFT Circular. The cost of diminution in volumes of e-commerce transactions suffered by India Inc. would then undoubtedly be the RBI’s to bear.
Akash Karmakar and Falaq Patel
Akash Karmakar is a Partner at the Law Offices of Panag & Babu. Falaq Patel is an associate in the Fintech and Privacy team at the firm.