The digital payments industry is a key pillar of growth for the digital economy. The industry is projected to grow at a CAGR of 27% with approximately 7,092 lakh crore transactions by 2025. Last year, the Reserve Bank of India (RBI) proposed payment guidelines with regard to deletion of saved payment card numbers (Card-on-File Data) by online merchants, payment aggregators, and e-commerce websites. RBI, however, extended the compliance deadline which is due on 30th June 2022 but there are still operational and executional challenges hindering the seamless implementation.
Under these guidelines, the RBI also mandated the Card-on-File Tokenization (CoFT) mechanism where a token will be issued against every card transaction as opposed to sanctioning automated payment data. While shifting to the tokenization mechanism would lead to a more secure transaction experience, there is a need to assess the readiness of the ecosystem. In line with this, The Dialogue and DeepStrat published a report based on review of existing literature and interviews with key stakeholders in the digital payments ecosystem which are impacted by these regulations to assess their sentiments on the RBI’s CoF and tokenisation framework and their preparedness to implement it by June 30, 2022.
As per the findings, the industry is not completely ready to implement the tokenization framework. Without proper tokenization infrastructure, deletion of Card-on-File data will cause tremendous user inconvenience as it will require them to re-enter the card details for every transaction. Further, implementation of the framework without sufficient preparedness may also lead to increased transaction failures and delays. This will result in a significant decline in payments through card, impacting small merchants who predominantly depend on payment aggregators for their integration in the new mandate. Small merchants, who predominantly will need to depend on payment aggregators for their integration in the new mandate as they do not have sufficient resources and capacity to implement tokenization on their own. It is important that before mandating deletion of Card on File data the, RBI should assess the readiness of the ecosystem and enforce the mandate only after they are satisfied that all stakeholders are ready with token provisioning, token processing and addressing multiple use cases. Per the current situation, there is a need for further extension of at least six months in order for the ecosystem to be ready.
Some key highlights from the report are as follows:
- Industry has made significant progress towards implementation of tokenization in the last six months. However, there are still loose ends which need to be addressed.
- Different stakeholders are at varied levels of preparedness. While for token provisioning, the preparedness has progressed significantly for all stakeholders, such. is not the case for other aspects. Card networks, Banks and PA/PGs are not equally prepared.
- Merchants are facing high transaction failure rates and finding it difficult to use the tokenization mechanism for high volume transactions.
- Smaller merchants with less technical capabilities are significantly more vulnerable to disruption that may be caused due to hasty enforcement of the mandate.
- Solutions for use cases such as guest checkouts, EMIs and recurring transactions, are still in the development and implementation phase, and for some of them they do not even exist yet. Building these solutions and testing them would require more time.
- There seems to be a lack of transparency with regard to the readiness of the ecosystem which is creating friction between merchants and the other stakeholders.
Basis the report, The Dialogue and DeepStrat, hosted virtual stakeholder consultation moderated by Mr. Kazim Rizvi, Founding Director, The Dialogue, with industry experts on “Preparedness of the Payments Ecosystem to Implement CoF and Tokenization guidelines”. Speaking on this, Dr. Aruna Sharma, IAS, Former Secretary, Government of India, highlighted “It is not just the small merchants who are not ready for tokenization, but there are some small banks who are also not fully equipped. The RBI needs to allow an extension at least till June 2023 to minimise any business disruptions and ensure full readiness of all players in the ecosystem.” She also said that “Tokenization is a two-step process: generating a token against consumer cards, and then processing transactions against it. This needs to be done for every recurring payment which can become a huge hassle and disrupt consumer experience.”
Mr. Nandkumar Saravade, Ex CEO, ReBit (RBI’s Tech-arm) said that “In principle, the RBI’s approach to mandating tokenization is a positive move. However, its implementation involves a complex multi-stakeholder problem. There are large-scale technological changes required to undergo this transition. The point of concern is to ensure that small merchants are kept in loop, and their voices are represented in an appropriate manner.”
Ms. Shreya Suri, Partner, IndusLaw, said that “Despite RBI’s persistence that the guidelines come into effect, the delay we are experiencing is not just due to unwillingness of different stakeholders but also due to infrastructural challenges in the implementation process itself.” She also added, “Customer adoption rates will decrease if substandard technology is employed which can hamper the overall retail experience. It is crucial to give consideration to these guidelines before rolling out, so that it benefits all industry players rather than just a few.”