Are banks ready for tokenisation and why has RBI issued new norms?

Recently, RBI has prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage. It applies to domestic, online purchases.

Now, tokenisation has been initiated to keep the details safer as it is sometimes risky to interchange the card details while transaction processing. Tokenisation refers to replacement of actual credit and debit card details with an alternate code called the token, which will be unique for a combination of card, token requestor and device.

What is the size of the industry and the impact of new guidelines?

According to CII, India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth Rs 4000 crore. The value of the Indian digital payments industry in 2020-21, as per RBI's annual report, was Rs 14,14,85,173 crore. "Digital payments have triggered and sustained economic growth, especially through the trying times of the pandemic… While RBI's intent is to protect consumer interest, the challenge on ground pertains to implementation."

These rules might shut some of the smaller merchants' business and few can lose up to 20-40 per cent of their revenues post December 31 which was detailed by few participants of Digital Payments and the India Media Consumer organised by the CII's Media and Entertainment Committee.

What's the consumer impact?

As everybody is up with transition from going to banks to online payments, it impacts an estimated five million customers, who have stored their card details for online transactions on various platforms, because online merchants are not ready for new rules. Equated monthly instalments and subscription-based transactions that are paid through stored cards will also have to adhere to new rules. Now, with the latest extension, the RBI expects the systems to be ready for seamless launch in six months.

While 90 per cent of banks are ready for tokens on the Visa platform, Mastercard is yet to catch up. The RBI had banned Mastercard from issuing any new cards on July 14 this year for not complying with data localisation requirements.

Why did the stakeholders want an extension?

They are in fear that their revenue might be lost and are seeking immediate intervention of the RBI to extend the deadline for implementation of the new credit and debit card data storage norms, or card-on-file tokenisation (CoF). They wrote to the central bank that if implemented in the present state of readiness, the new mandate could cause major disruptions and loss of revenue, especially for merchants. "Disruptions of this nature erode trust in digital payments and reverses consumer habits back towards cash-based payments," Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) said in a joint letter.

Specifically, the RBI policy change affects three major players: banks, intermediary payment systems and merchants. Stakeholders sought a phased implementation of the new mandate, a minimum time frame of six months for merchants to comply post readiness of banks, card networks, and payment aggregators/payment gateways.

What is the preparedness of the banks?

It seems that banks are not prepared with the new norms to comply as they say in a letter to the Reserve Bank that "they are seized with the matter" and merchants might require some more time for integration. HDFC Bank, ICICI and SBI Cards already have the card tokenisation system in place for online transactions, while few players have device-based tokenisation (SBI Cards with Samsung) for contactless NFC (near field communication) payments. Other banks have already initiated the process and many are ready with the new system.

SBI Chairman Dinesh Khara had recently said, "It involves integration of the systems between banks and merchants. As far as banks are concerned, they have started working on it. For our purposes, the operative part came in September. As far as merchants are concerned, they might require some more time."

A report by Emkay Global Financial Services said, "Instead of creating own token generating engine, using the payment networks' (Visa or Mastercard) engine will be far more cost-efficient and technologically advanced and will have merchant acceptability." Mastercard and Google recently announced the rollout of tokenisation that will enable Google Pay users to transact using their Mastercard credit and debit cards. Many banks like SBI, HDFC and HSBC are using Mastercard for transactions.

The three steps that have to be completed for smooth implementation of tokenization are:

• Token provisioning: the consumer's card number should be convertible into a token, which means the card networks have to be ready with the relevant infrastructure.

• Token processing: Consumers should be able to complete their transaction successfully through the tokens.

• Scaling up for multiple usecases: Consumer should be able to use the token for things such as refunds, EMIs, recurring payments, offers, promotions, and guest checkouts.