As the Reserve Bank of India’s (RBI) new card storage guidelines come into effect in about a month, which will mandate merchants to delete the customers card data, an alternative payment mechanism, ie card tokenisation is still not ready, and is still a “halfway product”, industry sources said. It is expected to create disruptions in making payments as the June 30 deadline looms, they said, adding that the payment ecosystem is not fully prepared to implement the rules.
The new regulations would affect businesses across the board, such as major e-commerce firms and food delivery firms, but would “disproportionately” hurt small and medium businesses much more, industry sources said. Bigger businesses are tracking the challenges and working on alternatives, but the majority of the smaller businesses are bound to face drop in payments once the new guidelines come into effect. The lack of awareness is one of the challenges that small businesses face, one of the sources cited above said.
Businesses around the country have been trying to find their feet as they recover from ramifications of the COVID-19 pandemic and the change in payments guidelines could further be a challenge in creating a cashfree, digital economy. When the new digital payment guidelines come into effect, it is expected to create financial chaos, one of the sources said.
The RBI, India’s banking regulator, has set June 30, 2022 as the deadline for merchants and payment aggregators to delete customer’s debit and credit card details from their servers. As an alternative, RBI has suggested card tokenisation as a method to process those payments, in order to avoid disruption.
In its announcement last year, RBI said it has reinforced the new guidelines for the “safety and security of card data while continuing the convenience in card transactions”. RBI’s guidelines came into effect in the face of an increase in risk of card data being stolen, leaked or compromised when stored on merchant’s servers.
Tokenisation refers to replacement of credit and debit card details with an alternate alpha-numeric code called the “token” which will be unique to a card, token requestor and the device. Industry sources said even though some entities have started with the process of issuing tokens, the infrastructure to process payments through the tokens is still not ready, and are currently in the testing stage.
E-commerce firms such as Amazon and Flipkart process about 1600 to 1900 transactions per second on an average on sale days, however, transactions done through tokenisation method have only been able to process 8 to 10 transactions per second, according to data from testing stage, one of the industry sources cited above said.
“What one needs to realise is that we are reducing a four way highway into a two way one, even when volume remains the same,” the source added. In countries where tokenisation has been adopted, an alternative to use card details still exists. It has taken other countries about 7-8 years to fully adopt card tokenisation, from that perspective 8-9 months is a very short span of time, the source added.
Even if a customer chooses to opt for card tokenization, issues such as high latency (time taken to fulfill one transaction) and low throughput (number of transaction requests which can pass through) has been observed in the early testing stage, according to the Merchant Payment Alliance of India.
“Even when customers enter card details each time for each transaction, the transaction will likely fail because acquirers (who are also issuers in most cases) for online payments will not be able to store these card details (they store this in the offline world),” the industry body, which is an association of merchants including Netflix and Microsoft, said.