The Reserve Bank of India (RBI) has completely changed the system for online automatic payments from October this year, leaving online merchants gasping. Payment aggregators and online merchants now need to prepare for another potentially disruptive transition from January 1, 2022. Effective from the new year, payment aggregators and online merchants cannot store cards and some payment data as a result of RBI’s concerns about alleged data leaks. The space contains the amount of card information. The central bank provided tokenization of card data as an alternative solution. There is a need for a balanced approach considering the interests of all the stakeholders, viz. consumers, e-commerce merchants and fintech players. Given that the broad technical, operational and integration aspects need to be developed, tested and deployed across the payment ecosystem, the Reserve Bank of India should consider a transitional timeline of 6-12 months for implementing solutions like tokenization.

Automatic payment wound healing
Many of you may have received several communications from your banks in September informing you that automatic payments for your online subscription may be discontinued from October 1, 2021, and will require re-registration. This was because in 2019, RBI had introduced a mechanism to register automatic payments online. The system requires that banks do not allow recurring payments unless the e-mandates were registered under the new system.

Prima facie, two years seems to be enough time to implement the new regime. However, the reality is that, reportedly, more than 70% of standing instructions failed on October 1, 2021, and many continue to fail. This is mainly because banks did not implement the required infrastructure in time, as they were not legally mandated by the RBI. Consumers were affected: their subscription payments were disrupted and many were not able to re-register under the new regime. This forced users to process payments manually, which reduced the success rate of payments and resulted in loss of revenue for merchants.

New puzzles to tackle on New Year’s Day
Under a separate set of instructions regulating payment aggregators, the RBI has stipulated that with effect from January 1, 2022, neither payment aggregators nor online merchants can store customers’ card details and related data. The RBI further clarified in March this year that merchants cannot store “payment data”, but did so without defining the term or clarifying the scope of the data it includes.

Tokenization is the talk of the town
The storage restrictions will require users to fill in their card or other payment instrument details for each online transaction. Filling in manually will impact payment latency rates, user experience, consistency of customer service and online merchants’ revenue. Also, auto-recurring payments will not be possible. This will disrupt online subscription services, whether the services are for the personal enjoyment of the consumers or to earn a living. Examples include domain registration and web-hosting services.

To overcome this inconvenience, Card-on-File (COF) tokenization may be considered. The system involves the creation of a unique token that is device-independent and contains the details of the card, token requester and merchant. This token can be used to conduct transactions without sharing card details, making the process secure. However, tokenization comes with its own set of challenges.

Patience is the key to efficiency
Tokenization involves multiple stakeholders, including merchants, token requesters, payment aggregators, token service providers, card networks and banks, and in some cases, technology infrastructure or service providers. While RBI imposed restrictions on data storage in March 2020, COF tokenization was allowed only in September 2021. The stakeholders have essentially only three months to design, implement and test the practical infrastructure, which is not remotely enough. One weak link will cripple the entire infrastructure.

Industry players say that even if banks are ready with their technology integration, merchants will need at least six months to integrate their systems for COF tokens. This additional time is critical for traders to perform the necessary tests on the new infrastructure for robust system functionality, security and performance.

Operational constraints
Additionally, some operational challenges need to be overcome.

One issue pertains to the need to purge existing data, which can lead to a merchant having trouble initiating refunds, redressing complaints and offering rewards or incentives to users who are not able to register their payment instrument details through tokens. RBI should set a transitional timeline to purge card data to prevent service disruption for merchants as well as consumers.

Secondly, tokenization of users’ payment instruments (such as credit cards) requires their consent and additional verification, and the same process is required to replace or renew the instrument. This appears to be difficult, as a user who receives a new card will need to re-register it even though the new card has the same cardholder details as the old card and will be linked to the same bank account and customer ID. The Reserve Bank of India should consider a relaxation in the re-tokenization of renewed/changed cards linked to the same user account.

Third, RBI has clarified that the last four digits of the card and the name of the cardholder can be stored for transaction tracking and reconciliation purposes. However, the first four or six digits that identify the bank (BIN) must also be stored in order to identify the issuer. RBI should allow the BIN to be stored at least for security, tracking and reconciliation purposes.

Fourth, banks that have received repeated nudges from the RBI and industry players should be mandated to implement the necessary infrastructure to enable tokenization.

The industry awaits much-needed clarifications from RBI, and these may be released in the form of easy-to-understand FAQs.

Gauri Gokhale is Head-IP & TMT, Fintech; Huzefa Tawawala is Head – Disruptive Technology Practice & Fintech, and Aaron Kamath is Leader TMT and FinTech at Nishith Desai Associates.
