In a recent development, the Reserve Bank of India (RBI) has pushed back the implementation deadline for its new norms on card-on-file (CoF) tokenisation. Amid concerns over potential disruption to business transactions, digital payment services, merchant bodies, and banks appealed for additional time to onboard all stakeholders and fully integrate their systems. The central bank has therefore extended the timeline by six months to 30th June 2022.
Understanding Tokenisation
Tokenisation is a process in which actual credit and debit card details are replaced with an alternate code, termed the “token”. This token is unique for each combination of card, token requester and device. Transactions involving a tokenised card are considered safer because the actual card details are not transmitted to the merchant during the transaction phase. Customers without access to the tokenisation facility will need to manually enter their name, 16-digit card number, expiry date, and CVV for every online purchase.
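The sketch below is an added illustration, not part of the original article and not taken from any RBI or card-network specification. It models the property described above: one token per combination of card, token requester and device, with the merchant storing only tokens. The `TokenVault` class, its method names, the merchant and device identifiers, and the card number are all hypothetical or constructed values.

```python
import secrets

class TokenVault:
    """Hypothetical token service; the only party that holds real card numbers."""

    def __init__(self):
        self._by_binding = {}  # (pan, requester, device) -> token
        self._by_token = {}    # token -> (pan, requester, device)

    def tokenise(self, pan, requester, device):
        # One token per (card, token requester, device) combination.
        binding = (pan, requester, device)
        if binding not in self._by_binding:
            token = self._new_token(pan)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def _new_token(self, pan):
        # Random 16-digit surrogate: not derived from the card number,
        # so holding the token reveals nothing about the card.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                return token

    def detokenise(self, token, requester, device):
        # A token presented by a different requester or device is refused.
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requester, device):
            raise PermissionError("token not valid for this requester/device")
        return binding[0]

def checkout_demo():
    pan = "4111111111111111"  # constructed test card number, not a real card
    vault = TokenVault()
    t_phone = vault.tokenise(pan, "merchant-A", "phone-1")
    t_laptop = vault.tokenise(pan, "merchant-A", "laptop-1")
    t_other = vault.tokenise(pan, "merchant-B", "phone-1")
    # What merchant A keeps on file: tokens only, never the card number.
    merchant_a_db = {"customer-42": {"phone-1": t_phone, "laptop-1": t_laptop}}
    return vault, pan, (t_phone, t_laptop, t_other), merchant_a_db
```

A token copied out of merchant A's records is of no use to a different requester, because the vault refuses to resolve it outside its original binding.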
What is Card-on-File?
A CoF transaction occurs when a cardholder grants permission to a merchant to store their Mastercard or Visa payment information. The same merchant is then authorised by the cardholder to charge their stored Mastercard or Visa account. Typically, e-commerce companies, airlines, and supermarket chains tend to store card details within their systems.
Concerns Over Swift Implementation
There are fears that if the new RBI directive were implemented in its current state of readiness, it could trigger significant disruptions and monetary losses, particularly for merchants. After 31st December, online merchants could see their revenues decline by up to 20-40% because of the tokenisation norms. For many small-scale businesses, this could prove catastrophic, potentially leading to closure. Such disruptions may also prompt consumers to revert to cash-based payments, thereby eroding trust in digital transactions.
Furthermore, merchants are unable to commence testing and certification of their payment processing systems until banks and card networks have been certified and have launched stable APIs (Application Programming Interfaces) for consumer-ready solutions.
Looking Ahead
In response to the ongoing situation, the RBI has stated that merchants must erase credit and debit card data from their online systems post-June 2022. Besides tokenisation, industry stakeholders are encouraged to explore alternate methodologies for managing any use case that currently involves the storage of CoF data by entities other than card issuers and card networks. Such use cases include recurring e-mandates, EMI options, and post-transaction activities such as chargeback handling, dispute resolution, and reward or loyalty programmes.