RBI’s tokenisation facility to help customers make recurring, one-click purchases

There is good news for credit card and debit card customers who make recurring and one-click payments via debit card and credit card on merchant sites for buying consumer durables, groceries, and paying subscriptions for OTT and other services.

ISSUE & HISTORY
 
The RBI has banned the storage of customers' credit card and debit card details by the payment aggregators, and online merchants from January 01, 2022.  The deadline was extended from July to December 2021 and there is no further relaxation.
 
IMPACT ON CONSUMERS
 
There will be transaction declines on recurring payments where people have taken annual subscriptions. The card data stored in e-commerce sites will also be disabled.
 
The customers will be asked to fill in their 16-digit card number, card expiry date, and also the CVV, which is a card verification value every time they do an online transaction.
 
No more one-click faster checkouts from merchant sites.

 
REASONS FOR RBI'S BAN
 
The merchants, payments aggregators, and even payment gateway players, who get to store the card data, are not registered with the RBI. The objective of the RBI's diktat is to create a better security framework for digital transactions, which have accelerated post the pandemic.
 
There are frequent data breaches reported in payments companies exposing customers' financial and personal details. The possibilities range from theft and hacking to misuse of the data.

 
SOLUTION / ROAD MAP
 
The industry was long demanding solutions like tokenisation, which actually means hiding the card details and replacing them with one-time tokens or codes. Under tokenisation, the card details are stored only with the card network like Visa and Mastercard and card issuing entities, which could be a bank or an NBFC.
 
Tokenisation was earlier restricted to only a handful of devices like mobile phones, laptops, and tablets. The RBI has now taken two sets of measures for helping customers in faster checkouts at merchant outlets. 
 
A month ago, the RBI extended the tokenisation to newer modes like wearable devices like wristwatches and bands. But this was not enough as tokenisation is linked to a single device of the customer and hence he could pay only from that particular device. Customers, however, use multiple devices. So a payment from a mobile device for OTT cannot be done from, say, a tablet or vice-a-versa.
 
RBI has now allowed  'tokenisation on file' which allows the data to flow in a file. This will not link the device to the payment; instead the data will flow on a tokenised file.
 
Apart from card networks, the card issuers like banks and NBFCs are also allowed to issue tokenised files.
 
CHALLENGES FOR PAYMENT PLAYERS
 
All the participants in the chain from the card network, issuer, payment aggregators, and merchants have to be ready with the technology to accept tokenised files. This will certainly require some investments.
 
There are many smaller players in the chain, especially payments aggregators and merchants, who will need time to tie up with the card network to seamlessly receive the tokenised files.
 
The banks as card issuers will also have to be ready with technology infrastructure for tokenised ecosystem.

Also read: RBI expands 'tokenisation' facility to CoFT services after device-based framework