With the deadline to implement an RBI norm that prohibits payment gateways and payment aggregators from storing customer card details closing in, consumer tech start-ups are a worried lot.

Accepting the diktat could reduce the ease of payments for half a billion Internet users in India.

This could even increase barriers of entry for the next billion Internet users who are just getting hold of technology services like food delivery, online retail, and on-demand video streaming.

The RBI had suggested tokenisation as a measure for non-bank payment aggregators to replace actual card details of customers with an alternative code termed as ‘token’. The token has to be unique for a combination of card, token requestor (an entity that accepts tokenisation request from the customer and sends it to the card network to issue a token), and device.

The safety provided by tokenisation is that if a company is hacked, the hacker cannot use that data for another platform.

One device, one card

But in tokenisation, the consumers will only be able to use one card to make transactions on one device. Each platform will generate a unique token corresponding to the user’s card and device.

On the challenges attached to tokenisation, Rameesh Kailasam, CEO of Indiatech, told BusinessLine , “The ecosystem may not be ready for such measures, because companies will be expected to create a token with each payment aggregator/payment gateway which will override the intent of recurring payments. Essentially, customers will not have the feasibility of placing repeat orders, making EMI payments, and standing transactions against their card.”

The RBI rule on stopping card storage was initially given an implementation deadline of July but was later extended to January 2022 following industry demand.

Indiatech.org, an industry association of Indian start-ups including Ola, hike, Makemytrip, and Nykaa among others, has recommended that companies that are able to afford industry certifications like Payment Card Industry Data Security Standard (PCI DSS) Level 1 be allowed to save customer’s card details with necessary reporting and audit mechanisms built to inform the RBI. Further, it suggested that beyond-device tokenisation should be allowed.

The central bank’s motive to bring these rules was to guard customer data against frequent data breach cases in tech companies. Cybercrime cases in India have grown exponentially since the pandemic. Per data shared by the Union Minister of State for Home Affairs, G Kishan Reddy, in the Lok Sabha in March, between August 30, 2019, and February 28, 2021, as many as 3.17 lakh cybercrime incidents were registered on the National Cyber Crime Reporting Portal.

Data security

Commenting on the relation of data security issues with companies’ storing customer card details, independent security researcher, Rajashekhar Rajaharia said, “Storing customer data is not what leads to data breaches. It is weak and, in some cases, outdated encryptions used by the Internet companies that expose them to data leaks and hackers.

“In addition to this, the Indian government also needs to conduct data audits of companies as done in countries like the US and Europe,” he added.

comment COMMENT NOW