The Reserve Bank of India (RBI), through its various circulars in March 2020 and 2021, prohibited the storage of customer card details by merchants and payment aggregators and issued the necessary directions in this regard. While this directive from the RBI is right in intent, it amounts to a blanket prohibition on service-provider merchants storing customers’ financial information, even when those merchants may already have the requisite security controls in place or may intend to put them in place, thereby affecting the smooth flow of online payments.

For customers this would mean that for each and every transaction hereafter, they will need to enter the type of payment, card type, full name, 16-digit card number, expiry, etc., before reaching today’s stage of entering the CVV and password/OTP. So whether you are ordering food online, hailing a cab, booking any ticket, subscribing to any service or buying some product online, whenever you use a card this may become the process hereafter.

A potentially unintended consequence of this directive is that “ease of payments” in periodic/monthly subscription-based models will be significantly affected and would require customer intervention every month to renew subscriptions, whether for insurance, utility services, education, media and entertainment, news, journals, curated boxes and experiences, etc., all of which may experience friction in the payment experience. The RBI had deferred implementation to January 1, 2022, after significant industry and consumer representations.

So what are the solutions available to avert the chaos that the industry and its consumers may be heading towards? The answer lies in two possible approaches that do not inconvenience the end-consumer. One, allow all PCI DSS Level 1 certified entities (including merchants and payment gateways) to store the basic minimum card data; the second would be to extend tokenisation beyond devices, as one person may use multiple devices to effect payments.

Storing basic data

PCI DSS is governed by the Payment Card Industry Security Standards Council (PCI SSC); the compliance scheme aims to secure credit and debit card transactions against data theft and fraud. The PCI SSC outlines 12 requirements for maintaining a secure network and protecting cardholder data. These include having firewalls, system generated passwords, encryption of cardholder data transmitted across public networks, vulnerability management, anti-virus measures, secure systems and applications, access control protocols, unique IDs for each person with access, restricted physical access, network monitoring and testing, tracking and monitoring of all access to cardholder data and network resources, an information security policy, and so on.

Level 1 merchants also invest additionally in establishing strict controls over card data access in their environment and proactively look for opportunities to bolster card data security further.

In addition, Level 1 merchants meet around 80-100 rigorous security requirements and undergo an onsite audit, conducted once a year by an authorised PCI auditor, covering the storage, processing and transmission of sensitive card data. Many Level 1 merchants use card data to analyse fraud risk, build fraud mitigation tools and strategies, and optimise payment functionality so that consumers are able to make seamless payments. However, the RBI’s current restrictions on card-on-file data storage would also prevent merchants from leveraging this data for fraud and risk mitigation, refunds and the redress of consumer grievances.

Extend tokenisation

For entities in the industry that may not be aligned to or compliant with the PCI DSS process, the RBI may consider the alternative of tokenisation. The term tokenisation literally means to substitute, so in the online payments universe “tokens” are generated to protect sensitive customer and card data by replacing it with a machine-generated, algorithmically produced alphanumeric identifier. Hence, through tokenisation, merchants can move data around without exposing the sensitive data itself. Tokens have no value outside the particular online app or portal they were issued to and are useless to hackers, as they cannot be used elsewhere.
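To make the mechanism in the paragraph above concrete, here is an added Python sketch of a card-on-file token vault; it is illustrative code written for this page, not the column’s, the RBI’s or any card scheme’s design. It assumes a single in-process vault (a real one sits behind an HSM and encrypts stored PANs), a hypothetical `tok_` prefix for tokens, and a constructed test card number. It shows the three properties the paragraph relies on: the token is random rather than derived from the card number, the merchant’s own record holds only the token and the last four digits, and a token issued to one merchant cannot be redeemed by another.

```python
"""Toy card-on-file tokenisation vault (added example; not from the original article)."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by card numbers; lets the scanner tell a PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """DLP-style check a merchant can run over its own records: is a full card number still present?"""
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(text))


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits is masked."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class VaultEntry:
    pan: str
    expiry: str
    merchant_id: str


class TokenVault:
    """The only PCI-scoped component: it alone holds the token-to-PAN mapping.
    Assumption: in-memory storage; a production vault encrypts PANs under an HSM-held key."""

    def __init__(self) -> None:
        self._entries: dict[str, VaultEntry] = {}

    def tokenise(self, pan: str, expiry: str, merchant_id: str) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random token: nothing about the PAN can be recovered from the token itself.
        token = "tok_" + secrets.token_hex(16)   # 'tok_' prefix is an assumption for readability
        self._entries[token] = VaultEntry(pan, expiry, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str) -> VaultEntry:
        entry = self._entries.get(token)
        # Domain restriction: a token is bound to the merchant it was issued to.
        if entry is None or entry.merchant_id != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return entry


@dataclass
class CardOnFile:
    """What the merchant keeps: enough to show the customer and to charge via the vault, no PAN."""
    token: str
    last4: str
    expiry: str


def store_card(vault: TokenVault, merchant_id: str, pan: str, expiry: str) -> CardOnFile:
    token = vault.tokenise(pan, expiry, merchant_id)
    return CardOnFile(token=token, last4=pan[-4:], expiry=expiry)


def token_usable_by(vault: TokenVault, token: str, merchant_id: str) -> bool:
    """True only if the vault will resolve this token for this merchant."""
    try:
        vault.detokenise(token, merchant_id)
        return True
    except PermissionError:
        return False


def charge(vault: TokenVault, merchant_id: str, card: CardOnFile, amount: str) -> str:
    """Simulated recurring charge: the merchant submits the token; only the masked PAN reaches its logs."""
    entry = vault.detokenise(card.token, merchant_id)
    return f"charged {amount} to {mask_pan(entry.pan)} exp {entry.expiry}"


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number (a well-known Luhn-valid sample, not a real account).
    card = store_card(vault, "merchant_a", "4111111111111111", "12/26")
    print(card)                                   # token + last4 only
    print(charge(vault, "merchant_a", card, "199.00"))
    print("merchant_b can use token:", token_usable_by(vault, card.token, "merchant_b"))
```

The `contains_pan` scan is the practical check that follows from the paragraph: after tokenisation, a merchant-side record such as `repr(card)` should never trip it, whereas a stray full card number in an order note will.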

Most of those in the card industry, including the RBI, seem to be allowing device tokenisation as an alternative. However, it is important to understand that, from a practicality standpoint, device tokenisation may not work in all use cases, such as subscription businesses and payments that are device-agnostic. Also, building card-on-file tokenisation will involve infrastructure development by multiple stakeholders in the digital payments ecosystem, including but not limited to card associations/schemes, acquiring banks, issuing banks, payment aggregators and merchants.

This can translate into a long-drawn process that may still not deliver the “ease of payments” experience, and it will also depend on the ability and willingness of each issuing bank to adopt complex and comprehensive payment infrastructure, which is costly and time-consuming. Therefore, while tokenisation is not an ideal substitute for PCI DSS-compliant card-on-file storage but rather complements it to an extent, a complete prohibition of card-on-file storage is not in the best interest of stakeholders: it will severely impact the goal of the government and the industry to drive digital payments, lead to disruption in customer experience and security, and may well promote monopoly.

The writer is CEO & President of IndiaTech.org