Don’t miss the latest developments in business and finance.

With month to go for card-on-file tokenisation, firms set up solutions

Merchants and other entities that have stored card details of customers will have to purge the data and apply tokenisation

card data storage
A tokenised card transaction is considered safer since the actual card details are not shared with the merchant during transaction processing.
Subrata Panda
6 min read Last Updated : Jun 09 2022 | 12:50 PM IST
With less than a month to go for the Reserve Bank of India (RBI)’s new card data storage norms to kick in, the ecosystem is better prepared this time than earlier, however, the transition to the new regime may not be entirely seamless as some teething problems may crop up in the initial days, given how complex the implementation process is.

Come July 1, merchants, payment aggregators, and acquiring banks can no longer store the card details of customers. Under the new guidelines, only card issuers and card networks will be able to store them. Merchants and other entities that have stored the card details of customers will have to purge the data and apply tokenization.

Tokenization is the replacement of an actual or clear card number with an alternative code called the “token”. A tokenized card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. This will help cut the chances of card information leakage.

In a post policy meeting with the media, T Rabi Sankar, Deputy Governor, RBI, said, “With about three weeks to go, the progress has been satisfactory. Over the last several months, our teams have been constantly discussing with all stakeholders to make sure that the process of tokenization happens smoothly and the system is by and large prepared. All the card networks are offering tokenization”.

“About 16 crore tokens have been created. And this number would pick up as we come close to the deadline and beyond the deadline also. It is not necessary that everyone should have a token before that. I don’t think there is a need to speculate on whether the timeline would be extended. There are a few collateral issues which have come to our notice which we will address as we go”, Rabi Sankar said.  

Parag Rao, Country Head (payment business, consumer finance, technology and digital banking) at HDFC Bank, in an interaction with Business Standard said, “From the bank’s perspective, we started work on it a month or two after the original circular came out.  As we speak today, the number of debit cards, credit cards, and merchants tokenized, we are well on the way to the journey. We anticipate that in the next 15 – 20 days, we should complete our job. This is a reasonably complex implementation process, touching multiple systems, and covering all the players, including issuers, acquirers, and merchants”.

“…the industry readiness is quite high, essentially covering 80 – 90 per cent of the transactions, and we do expect a seamless migration, barring some initial teething issues. But the industry is ready to manage these issues”, he added. However, there is still a lag between the number of cards tokenized and the number of actual transactions in the tokenized format.

Essentially, the ecosystem is not expecting a repeat of what happened in October last year when the new e-mandate guidelines kicked in.

However, the industry has two concerns and has reached out to the central bank for a solution on those issues. In the e-commerce space, there is something called a guest account, which essentially means one does not need to log in and save their card. They just need to key in the 16-digit number and do the transaction. This would be a non-tokenized transaction. The complexity of the situation at the back end means that a proper technical solution will need a little more time and the industry has made some recommendations to the regulator and is awaiting clarification on that.

The second concern is in the area of utility payments, where customers might have given standing instructions. Last year, when the standing instruction mandate was implemented, the entire industry went through a phase where they connected with the customers and took their mandate. With tokenization, once again the industry would have to go to the customers and take their consent to tokenize their transactions so recommendations have been made to the RBI that can the mandate consent be treated as a consent for tokenization as well and therefore all the standing instructions transactions could be tokenized.

“A large part of the ecosystem is ready this time around. On our credit card portfolio, we have 1 crore+ tokens generated. The number sounds reasonably healthy to me. If we were to say in a month roughly 50-60 lakhs people are active on e-commerce then everybody has generated at least 2 tokens, which is a good number. My sense is the ecosystem is far better prepared now than it was earlier. We are fully prepared, and any large bank will be ready as well”, said Sanjeev Moghe, President & Head- Cards & Payments, Axis Bank.

“We would like every merchant to go live on Day 1 but they are preparing separately for it. Also, while token creation is progressing well, the option for a customer to key in full card number along with CVV and expiry will continue alongside tokenized cards thereby ensuring continuity and choice for customers. Moreover, the latest clarification from the regulator on SI related tokenization would further aid in seamless transition”, he said.

However, there are some international merchants who have said they will not adhere to the new rules of RBI. Last month, Apple informed its customers that it will no longer store their card information on file and will not be accepting payments made by debit cards and credit cards for purchases or subscriptions on the App store or other Apple services. Instead, Apple has asked its customers to add their UPI (Unified Payments Interface) Id or use net-banking as alternative payment methods to avoid any interruptions to the subscriptions and other purchases. Apple customers can also add funds to their Apple Id balance to make payments.

Following RBI’s mandate on storage of card details, many companies have launched their tokenization solutions. PayU, an online payment solution provider, has launched “PayU Token Hub”, which offers both network tokens and issuer tokens under a single hub. Similarly, Razorpay has developed “Razorpay TokenHQ”, a multi network card – on – file tokenization solution. Razorpay has successfully onboarded over 2 lakh merchants on TokenHQ. The National Payments Corporation of India (NPCI) has joined hands with brands and aggregators to introduce a tokenisation facility supported by the recently launched NPCI Tokenization System. Paytm last month said that it has tokenized 2.8 crore million cards – or 80 per cent of monthly active cards on its app – across Visa, Mastercard and RuPay.

Topics :Reserve Bank of IndiaTokenisationCardsRBI PolicyHDFC BankMastercard

Next Story