Buckling under mounting pressure from the payment industry, and to some extent from banks, RBI this month deferred the date of adoption of ‘Tokenization’ to June 30, 2022. This transition was to be effective from January 1, 2022, embracing multiple players such as payment merchants, e-commerce websites, streaming platforms, payment aggregators, and of course, banks.
Earlier, the RBI in September 2021 had mandated merchants of the payment industry to adopt Tokenization or the process of replacing the existing practice of card storage on individual servers by adopting card-on-file tokens. I will argue that by all accounts, this was a very sensible move whose necessity and desirability cannot be questioned and should only be lauded. Further, this long-needed mandate merits urgency and a sense of welcome from the affected industries.
What are the guidelines on Tokenisation?
Tokenisation can be explained as a replacement of a consumer’s actual credit and debit card details with an alternate code called the ‘token’, which will be generated uniquely from a combination of card, token requestor and device details. It is to be applicable to all domestic online purchases. A ‘tokenised’ card transaction is safer as actual card details are not stored with the merchant during the transaction.
Consumers retain the right to opt-out of Tokenization, but are heavily discouraged from doing so by the guidelines, as they will be required to key in their name, 16-digit card number, expiry date and CVV each time they order something online and cannot keep a card saved on file in the conventional sense.
Implementation of these directives will involve distinct manoeuvers; first, ‘Token Provisioning’, meaning converting users’ card details into tokens; second, ‘Token Processing’, enabling consumers to seamlessly and successfully complete the transactions. Finally, consumers should be able to use the token for things like refunds, EMIs, recurring payments, offers, promotions, guest checkouts etc. In the case of multiple cards, each will have to be tokenised.
The RBI policy change affects three major players: banks, intermediary payment systems and merchants. The new guidelines require them to delete all credit and debit card data stored on their platforms and replace them with generated tokens to secure the card details of consumers.
What is the preparedness for Tokenization?
Several key players such as HDFC Bank, ICICI and SBI Cards already have the card tokenisation system in use for online transactions, while few players have device-based tokenisation for contactless NFC (near field communication) payments, such as SBI Cards with Samsung. Other banks have already initiated the process and many are nearly ready with the new system. Recently, MasterCard and Google announced a rollout of Tokenisation that will enable Google Pay users to transact using their MasterCard credit and debit cards. As several banks also use MasterCard for transactions, they also can be said to be in a state of preparedness for implementing their guidelines.
It is mostly payment merchants who seem to be dragging their feet and seem bent upon delaying the process.
Where is the Industry today?
India has an estimated 100 crore debit and credit cards, which are used for about 1.5 crore daily transactions worth ₹4,000 crores. The 2020-21 Annual Report of RBI values the Indian digital payments industry at ₹14,14,85,173 crores. The last two years of the pandemic compelled dramatic expansion of online payments leading to an unprecedented burgeoning of online merchants, all contributing towards triggering, reinforcing and sustaining economic growth. And yet, the number of frauds and unauthorised transactions on account of unsafe data storage have also multiplied, affecting thousands of consumers of such services, most of them from the lower-middle-class or even from the lower economic sections of the population. There is no credible data on such frauds because most of them still remain unreported. But whatever data is available is enough to understand why RBI is insisting on this reform.
What are the objections to Tokenization?
Objections raised by the payment merchants are threefold. First, they claimed the industry was unprepared and needed more time to adopt new systems. Second, they argued that their backend systems needed additional time to develop. These first two objections convey a singular underlying assertion that without preparation, a half-baked system would seriously and extensively disrupt online transactions.
The final argument of the payment merchants is that the implementation onus of these guidelines will retard the fast and steady growth of the digital payment industry that has seen a remarkable expansion in recent years in India. In their representation to RBI, it was claimed that the online merchants may lose up to 20% to 40% of their revenues post 31 December due to Tokenisation, and pushing for these guidelines would sound the death knell for many of them, especially the smaller ones.
Why are these objections fallacious?
I believe the arguments against Tokenization or its quick implementation are hollow and fail to carry conviction. In fact, they are fallacious. The first objection that the industry is not yet prepared, is an omnibus argument. Rarely, in any real-world scenario, do industries voluntarily accept and adopt changes that require them to spend time, money and talent and do not profit them directly. Most reforms acquiesce only when pressed and implemented with strict timelines. Given the talent and enterprise in this industry as rightfully claimed by them, the given timelines were not unreasonable.
With an additional six months for putting in place the new system, their second argument also fails to carry any weight. All innovations and reforms bring about some level of disruption. Therefore, such disruption should be predictable, understandable and eminently manageable.
Their last argument also appears senseless. If the industry is growing and the merits of online transactions are evident and have been accepted by people at large, a more secure and safe system is in no way going to affect the growth or health of the industry. In short, while these objections perhaps merited some additional time to be granted, they do not justify delaying this reform anymore.
Conclusion – Why should the Industry accept the onus?
Advocates of delay have prophesied bringing India’s payment ecosystem to a standstill in 2022 if RBI hurries the implementation. Such prophesies, clearly motivated, are only causing harm to the growth and credibility of this promising sector. It is ironic, even self-defeating, to plead for the continuation of the existing system of data storage.
If the payment industry wishes, which undoubtedly it does, for the digital payment industry to grow exponentially and credibly, it is in their interest to introduce adequate safety norms, an important aspect of which is data storage. A dramatic growth that does not protect consumer interests, most importantly safety and protection of their data, cannot ensure sustenance. An ecosystem that offers possibilities of leakage and misappropriation of data will impede, retard and eventually diminish any growth irrevocably. This must be evident most to the industry itself.
One would be right to expect a willing and actively cooperative industry in this endeavour that will ultimately give a sense of safety and confidence to the consumers, millions of whom are waiting and willing to join the multitude eager to harness the ease and convenience of digital technology. The onus, more than the RBI, thus lies in the payment industry itself.
Views are personal. The author, Uday Kumar Varma an IAS officer, former secretary, Ministry of Information and Broadcasting and Ministry of MSME and was also an esteemed jury member on the SABERA 2021 Jury Board. You may also like his article Who will Watch the WatchDog and Digital Age: Future of Democracy
SABERA helps amplify Responsible Leadership and voices committed to GOOD.