BENGALURU: Come July 1, 2022, payment aggregators and merchants will have to follow the Card-on-File Tokenisation (CoFT) regime, and all digital transactions including the regular ones such as ordering groceries and food will also be impacted.
With an aim to improve security as well as safety of transactions, the Reserve Bank of India (RBI) has permitted authorised card networks to offer card tokenisation services. Currently, when consumers make online transactions, actual card details are stored, but with tokenisation, the details will be replaced with an alternate code called ‘token’.
“Card tokenisation offsets any requirement of storing resident data in multiple processing systems during an online transaction and hence brings in the much-needed security of consumer data,” says Muralidharan Srinivasan, head of payments, APMEA Region, FIS.
Initially, the central bank fixed December 31, 2021, as tokenisation deadline, but it extended it again by six months. All merchants should delete both debit and credit card details of customers by the end of this month.
Digital payments major Razorpay says all its merchants have tokenised their customer card details, and are ready to meet the guidelines. In October 2021, Razorpay launched its end-to-end token solution with three major card networks- Visa, Mastercard and RuPay.
“Almost all of our partner businesses are live on TokenHQ and this is a net positive move for them in the long run as tokenisation will bring more customers into the digital payments ambit,” says Khilan Haria, SVP & head of payments, product, Razorpay.
Businesses don’t have to make any changes to their existing payment flows, while customers continue experiencing the convenience of saved card transitions with added security, making this a turnkey solution for the ecosystem, he adds. According to him, this level of readiness coupled with the country’s robust payment infrastructure have made the ecosystem fairly ready for tokenisation.
Though bigger players are ready with tokenisation system, many small merchants are struggling to meet the deadline. But it is said the RBI is unlikely to extend the deadline.At a press briefing held recently, RBI deputy governor T Rabi Sankar said more than 16 crore tokens had already been issued. “Over the last several months, our teams have been constantly discussing with all stakeholders to ensure that the process of tokenisation is implemented smoothly,” he said. According to him, the system is by and large prepared, and all the card networks are offering tokenisation.
“Post-June, there would be some disruptions in the ecosystem as any new change will cause some friction in such a massive payment system built over time,” says Ravi Battula, VP – Merchant Acquiring Business, Wibmo – A PayU company.
However, he says, in the long run, tokenisation will ensure greater security for any recurring subscription payments initiated by a customer or merchant with greater customer controls to see the list of merchants where the card is stored and the ability to delete or suspend the subscription if needed.
Adoption of digital payments
Over the past few years there has been a significant increase in the number of online transactions and digital payments. According to the RBI, there has been an increase of over 500% in merchants accepting digital modes of payments during the half-year ended September 2021 compared to half-year ended March 2019.
“We have experienced the convenience digital payments offer through frictionless payments at a single click for most repeat transactions where the card is stored at our favourite restaurants, groceries and entertainment sites. The underlying technology that makes it possible could also be a weak link from a security standpoint if not implemented well,” says Ravi Battula. Tokenisation ensures standardisation for such card-on-file transactions through higher security standards, which are irreversible as compared to existing reversible cryptographic standards, he adds.
Initially limited to mobile phones and tablets, this facility was subsequently extended to laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, among others. Customers also have the option to register/de-register their card for a particular use case, i.e., contactless,
QR code based, in-app payments, etc.
All the merchant and acquirer processing systems, as per the mandate, need to provide and process tokenised card data. Hence the online payment eco-system is strengthened to safeguard consumers’/cardholders’ data, says Srinivasan of FIS.
“There can be a one-time hassle for cardholders for registering their card with respective merchant systems,” he adds.Also, apart from this, industry stakeholders can devise alternative mechanisms to handle recurring e-mandates.