India Merchants Struggling To Implement Card-On-File Tokenisation Rules

December 2, 2021
India’s new rules to increase the safety and security of online payments will come into force at the end of December, but merchants are struggling to meet the fast-approaching deadline.

India’s new rules to increase the safety and security of online payments will come into force at the end of December, but merchants are struggling to meet the fast-approaching deadline.

Earlier this year, the Reserve Bank of India (RBI) adopted two rules to increase the safety and security of online transactions. The e-mandate for recurring online payments came into force in September, while a requirement to tokenise card payment data will apply from January onwards.

Although market participants have already been given extra time to adopt the necessary technical framework, many report that they are still facing various challenges.

With growing adoption comes growing risks

Digital payments have grown significant in India in recent years, which was further accelerated by the COVID-19 pandemic. The total number of digital payments has grown threefold in the country, from 14.6bn in 2018 to 43.7bn in 2021 (year ending March).

As of March, there were 960.25m cards in circulation, in a country with a population of 1.38bn. According to the latest data published by the National Payments Corporation of India (NPCI), there were 3.9bn debit card transactions in the first ten months of 2021, worth £53bn, and 1.7bn credit card transactions worth £1.97trn. In addition, Indians initiated 30bn transactions across the instant payments service Unified Payments Interface (UPI) in the same period. UPI helps facilitate mobile-based payments in the country.

However, with the number of transactions growing, so has the number of frauds. According to the RBI's 2021 annual report, card/internet fraud has increased by 34 percent in the year end March 2021 compared to the same period in 2019, while concerns have started to emerge that merchants are sharing cardholders’ data with third parties, creating further exposure to potential security risks.

News has also come to light that the State Bank of India left one of its servers unprotected, leading to 422m customers being potentially exposed. The problem of security was also highlighted recently by a Singapore-based cybersecurity firm, which claimed to be able to purchase the details of 1.3m credit and debit cards from Indian banks at $100 apiece.

New rules to increase security of recurring payments

In August 2019, the RBI issued a framework for processing e-mandates on recurring online transactions.

Under the new rules, merchants must use an additional factor of authentication (AFA) when a client sets up new recurring payments using their card details, and the recurring payment cannot exceed INR5,000 (£50). The rules also require banks to inform customers 24 hours in advance of recurring payments, which can go ahead only after being approved by the customer.

Initially applicable to cards and wallets, the framework was extended in January 2020 to cover transactions on UPI.

The RBI gave banks and merchants until March 2021 to carry out the necessary changes, but market participants were struggling to meet the initial deadline and asked for more time to conclude the migration. Pushing ahead with the original deadline would have meant that monthly automated payments running through cards would have been stopped and consumers would have had to transfer the fees directly to their service providers each month.

Although unhappy about the delay, the RBI agreed to the extension and pushed the deadline for migration to September 30.

The key challenge with the implementation of the recurring payment framework was “to differentiate the definition of readiness for each and every participant in the ecosystem”, Kanishk Dutta, payments partnerships manager, APAC, at Google, said at an event held by the Merchant Risk Council.

According to Dutta, although a lot of banks told merchants that they are ready, “unfortunately there were a lot of moving pieces, like aggregators in-between, and I think there was only one solution available before the deadline in the industry, which was the biggest challenge. There was no interoperability available, so everyone was kind of forced to offer the only solution available on the market.”

Following this initial challenge, Dutta said the ecosystem moved “hand-in-hand” to help each other comply with the new rules, and now the majority of issuers are compliant with the rules.

He also noted that a lot of risk rules have been put in place “at the last moment”, which may cause frictions in the transactions, and highlighted that the INR5,000 limit for recurring payments may be too low in certain cases, such as utilities, insurance or B2B transactions.

Card-on-file tokenisation

Looking at further ways to mitigate the risk of fraud, the RBI concluded that the more merchants store card credentials, the higher the risk is for card data to be stolen. In addition, the central bank found that some merchants force their customers to store card details.

With the aim to minimise vulnerable points in the system, the RBI decided in March 2020 that authorised payment aggregators and the merchants onboarded by them should not store actual card data. On a request from the industry, the original June 2021 deadline was extended to the end of December 2021.

In September 2021, the RBI announced that it had extended the tokenisation framework to card-on-file tokenisation (CoFT) services and will allow card issuers to offer card tokenisation services as token service providers (TSPs).

The rules mean that from January 2022, only the card issuer and networks are allowed to have access to card credentials, while merchants are prohibited from storing debit or credit card data. However, merchants can use CoFT with explicit user consent and AFA.

Tokenisation is not a new industry security measure and has been used as a standard in e-commerce and card-on-file transactions around the world. It is particularly beneficial for subscription-based business models or those that provide services to the same customers. It can reduce the costs of securing the storage of cardholder data, provide better security for payments data and offers a better customer experience, therefore increasing conversion at the checkout page.

The new rules in practice mean that eligible entities can work with networks, such as Visa, Mastercard or Amex, to become so-called “token requestors” that facilitate the generation of tokens and process those tokens in transactions.

Token requestors are certified by the card networks, which are responsible for ensuring that all parties in the ecosystem comply with the rules.

Banks can choose to have their own solutions, but “from a readiness perspective, network-based solutions are the most advanced and reliable ones”, Dutta explained.

Although he estimates that large merchants typically store card credentials of 65-75 percent of their users, merchants also need to be ready for one-time transactions and guest checkout.

These payments represent one-third of the transactions, which means that the payments ecosystem has to prepare for being able to process post-transaction activities without customer credentials, managing risk and fraud, and resolving disputes.

It may also have an impact on recurring transactions and instant refunds, which is a significant part of the customer experience offered by large e-commerce companies, according to Dutta.

“It is a complex implementation of a regulation that requires the entire ecosystem to be ready,” Vishal Singhvi, Microsoft's director of business operations, Asia, said.

He stressed that merchants should be given more time to comply with the rules, including the requirement to delete all card data they currently store on January 1.

“Merchants would need 120 days after the networks and issuers are fully ready. We hope that RBI and the regulators will give this due consideration,” Singhvi added.

This will ensure that they have “an adequate amount of testing”, which will lead to “a robust future-proof solution”.

In addition, he asked the RBI to define readiness for each and every player in the ecosystem.

“As part of the payments ecosystem, we should all collaborate, reach out to each other and share these practices. It is for the good of everyone that we implement this well and have a successful impact on the ecosystem,” Singhvi noted.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.