Last week, Apple informed its customers in India that it will no longer store their card information on file and will not be accepting payments made by debit cards and credit cards for purchases or subscriptions on the App store or other Apple services in light of the upcoming RBI regulations. It will still be accepting payments through UPI.
The decision of the US giant surprised many. But not those who are scrambling to meet the RBI deadline on tokenisation of cards which is June 30, 2022.
Come July 1, merchants, payment aggregators, payment gateways and acquiring banks can no longer store the card details of customers. Only card issuing banks and card networks can store the actual card data.
With businesses still reeling with the disruption caused by RBI’s rules for card-based recurring payments that came into effect January 1 this year, another storm is brewing for them.
Businesses and other entities that have stored any such data will have to purge them and apply tokenisation.
Tokenisation is the replacement of a card number with an alternative code called the “token”. Once created, the tokenised card details will be used in place of the actual card number for online purchases initiated or instructed by the cardholder.
A tokenised card transaction is considered safer as the actual card details are not shared with the merchant during transaction processing. It will cut the chances of card information leakage.
For transaction tracking and reconciliation purposes, entities can store the last four digits of card number and card issuer’s name. The customer’s consent and OTP-based authentication is required for creating a token.
A customer can, however, still choose not to tokenise his or her card. In such a case, customers will have to enter complete card details everytime they make a payment.
This could lead to a decline in revenues for merchants as a significant number of conversions happen through saved cards.
First RBI deadline to tokenise the card details was June 30, 2021. But at the request of merchants and payment aggregators, as well as card companies and banks, it was extended to December 31, 2021. And the deadline was again extended by six months.
Earlier this month, Paytm said it had tokenized 2.8 crore cards across Visa, Mastercard and Rupay, accounting for 80% of monthly active cards on the the app. Other businesses are also nudging users to tokenize their cards in order to enjoy a seamless experience from July 1.
For instance, everytime a user opens the Swiggy app, he is greeted with a message at the bottom of the screen to secure his cards before June 30.
PayU, Razorpay, PhonePe, Worldline, Cashfree Payments and Pine Labs are among the companies that have come up with tokenisation solutions to help businesses transition to the new framework.
Khilan Haria, VP and Head of Payments Product, Razorpay told Business Standard said that Visa, Mastercard, Rupay and Diners Club have gone live on its tokenisation platform with American Expresses expected to go live soon. However, it is not just card networks, but card issuing banks too have to come onboard.
With just about five weeks to go, where does the payments ecosystem stand in terms of its preparedness?
Speaking to Business Standard, Khilan Haria, VP and Head of Payments Product, Razorpay says, he doesn't expect any large scale disruptions from July 1. According to him, 100% of Razorpay merchants are live on its tokenisation solution, and post tokenisation, card networks are ready to process transactions at scale. Majority of the banks are also expected to be ready, he added.
Meanwhile, a lack of compliance by banks with RBI’s rules on recurring payments is already leading to a large number of recurring transaction failures.
Razorpay’s Haria said it would take about 6-9 more months for reaching the stabilisation phase where coverage would be near complete.
Several banks are yet to integrate with mandate hubs like BillDesk’s SiHub or Razorpay’s MandateHQ, affecting publishers, B2B SaaS companies, and small businesses and startups that majorly depend on subscriptions for revenue.
While recurring payments still make up only a minor portion of overall payments, the magnitude of the impact from card tokenisation will be enormous, affecting merchants of all sizes including major e-commerce companies and food delivery firms.
The Merchants Payments Alliance of India, whose members include Netflix, BookMyShow, Disney+Hotstar, Microsoft and Zoom, said it observed that requisite back-end infrastructure isn’t ready.
It said that unless the back-end infrastructure for processing payments using tokens is ready by June 30th, data purging by merchants and payment aggregators would lead to a breakdown in settlements, reconciliation and services such as refunds, cashbacks and chargebacks.
The alliance said that data purging without demonstrated ecosystem readiness at scale across use cases would give rise to business continuity challenges for merchants of all sizes.
Vivan Sharan, Secretary, The Merchants Payments Alliance of India (MPAI) says, we have limited visibility on the state of readiness of the payments ecosystem. We still don’t have final APIs that will enable consumers to transaction, he says, adding that there’s good progress on token generation side. Token processing solutions are still at the development/early testing stage.
With some banks, particularly smaller ones, not expected to be compliant with the regulations from day 1, customers can expect some friction while making payments online.
The transition to the new payment regime will certainly not be smooth. Small merchants and consumers are going to face problems. The next five weeks are crucial in this transition. Banks and other players of the payment ecosystem will have to work in tandem to ensure that everything falls in line.
 "Is India ready for tokenization this time?")
