Business Standard

Volume IconRBI's rules on online transactions mean for consumers and merchants

To make online transactions secure, the RBI has asked merchants & payment gateways to remove customer data on cards saved with them and use encrypted tokens. Here's how it will impact digital commerce

Digital transactions

Digital transactions

Under the new RBI guidelines, only card issuers and card networks will be able to store card details of customers. All the merchants and payment banks will now have to remove these details from the system, which the central bank said have been compromised on several instances.

Beginning January 1, the merchants will have to switch over to a new way of transaction, called Tokenisation. It ensures that a transaction can take place without disclosing the cardholder’s account information to either the merchant or any of the intermediaries.

Tokenisation is the replacement of an actual or clear card number with an alternative code called the “token”. This token also consists of 16 digits, just like the typical credit card number. Note that UPI already uses tokenisation to secure transactions.

Once created, the tokenised card details will be used in place of an actual card number for online purchases initiated by the cardholder. Customers do not have to pay for the service of tokenising their cards.

Now, the banks, merchants and other stakeholders are racing against time to comply with the new card data storage norms of the RBI.

Nasscom and the Alliance of Digital India Foundation or ADIF are reportedly seeking a phased implementation of the tokenisation mandate, along with a minimum two-year timeframe for the transition.

Speaking to a financial daily, Nasscom expressed its objection to RBI’s short timeline for tokenisation, saying that this would be a “double whammy” for the digital commerce sector, which has already been hit by the central bank’s recurring payments mandate and is still trying to emerge from it. Small players, which were affected in particular, stand to lose out the most.  

The RBI’s new rules on recurring payments came into effect from October. Under the new rules, if you make use of recurring transactions using debit cards, credit cards and Unified Payments Interface, then you must undertake a one-time additional factor authentication for smooth auto-debit transactions.

Failing this, payments, such as those to streaming services like Netflix and music apps like Spotify, will get cancelled. Also, if the recurring payment is above 5,000 rupees, then the cardholder must approve it with OTP-based authentication every time it is due for payment.

“In the scenario that banks are not prepared, we are looking at revenue losses of anywhere between 20-40% by merchants. Only after the readiness of bank, card networks and APIs are made available that merchants will be able to take measures on their part to comply with the tokenisation mandate” - Alliance of Digital India Foundation.

ADIF, a think tank for India’s digital startups, gave a statement saying that the tokenisation mandate require an ecosystem-wide change in tech systems and workflows. It said that this policy change will affect three major players, banks, intermediary payment systems, and merchants. In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue.

Business Standard spoke to Sijo Kuruvilla George, executive director of ADIF, to understand the impact of the new rules on merchants.

Clearly, companies and industry might have good reasons to fear large-scale disruption. They want more time to comply with the tokenisation mandate.  

After the businesses, let us see what consumers like us will be affected from this new regime.

Consumers are now being asked if they want their card details in the secured or tokenised format. While it is not mandatory for customers to get their cards tokenised, they can choose to do so to enjoy a seamless one-click checkout process in the future.

If they don’t, they will have to manually type their 16-digit card number, CVV and expiry date each time they want to make a purchase online.

The central bank has put the new regime in place to ensure that consumers’ money is safe. But most experts believe that the central bank should also ensure that the transition is smooth. As far as businesses are concerned, time alone will tell whether they are justified in their fears -- that this mandate could push hundreds of small and medium merchants and payment operators out of business.

Watch video

Don't miss the most important news and views of the day. Get them on our Telegram channel

First Published: Dec 22 2021 | 8:15 AM IST