By Shashank Didmishe
With the June-end deadline for the mandated card-on-file tokenisation system fast approaching, bankers are concerned that the payments ecosystem as well as most of the merchants are unprepared for the new regime. Given that a significant volume of transactions take place through cards, they fear this could result in some loss of business.
The Bank of Baroda (BoB) management said with merchants unable to migrate to the new system, we could see some breakdown in settlements, reconciliation and services such as refunds, cash-backs and charge-backs. BoB has so far tokenized more than 20% of its active e-commerce debit card base. “From the perspective of an acquirer, we will rollout the solution for merchants within the timeline,” the lender said. BoB had enabled debit card tokenization before December 31, 2021.
Other banks, too, have pointed out that while bigger merchants are ready with the tokenization system, smaller ones may not be ready by July 1.
Dewang Neralla, CEO of NTT DATA Payment Services, observed that while generating token numbers for plain vanilla transactions involving credit and debit cards should not pose too many problems, customers are likely to face some issues when it comes to recurring payments, EMIs, offers, refunds and charge backs. “Merchants involved in recurring transactions may not be able to generate token numbers,” he said.
Rohit Kumar, co-founder of policy consultancy firm The Quantum Hub, pointed out that it was not merely a question of generating a token number, but also the time taken for processing the token. “So far, some of the major players are able to process eight to 10 transactions per second, but the ideal processing speed should be around 2,000 transactions per second,” he said.
Vishal Mehta, chair of the governing council of the Merchant Payments Alliance of India, said despite claims of readiness with tokenisation, the reality is that the back-end infrastructure is not ready to create tokens and process payments simultaneously. Nor is it ready to process large transaction volumes on tokens created in real time,” Mehta said.
In December last year, the Reserve Bank of India (RBI) had extended the deadline for card tokenization by six months till June 30, 2022 following requests from both payments players and merchants. The RBI wants all customer card details stored by merchants and payment gateways to be purged by June 30, 2022. The new system will not store the 16-digit card number and the expiry date when a digital transaction is done on a website. The payment will be made through a process called tokenisation by which card details are replaced by a random or unique code or token. This prevents the card details from being exposed, and enhances data security. Only card issuers and card networks can store customer data.
In addition to tokenisation, industry players may devise alternative mechanisms to handle recurring e-mandates, dispute resolution or reward programmes which currently involve storage of CoF (card-on-file) data by entities other than card issuers and card networks. Aggregators and merchants cannot store data.