Merchants seek six more months to meet card data storage norms

Say hasty roll-out may lead to disruptions,loss of revenue

Merchants want at least six more months to implement new card data storage norms as they feel any haste in enforcement may cause major disruptions, erode trust in digital payments and lead to a loss of revenue.

The system, including banking entities, is still not ready to comply with the Reserve Bank of India’s (RBI’s) card-on-file tokenisation deadline of December 31, 2021.

The Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF), in a letter to the RBI, sought phased implementation of the norms.

Merchants should get a minimum six months to comply after readiness of banks, card networks and payment gateways. There is also a need to create consumer awareness about the impact of the policy change, industry lobby groups said.

Vishal Mehta, chair of the governing council of MPAI, said: “As of today, only 80 per cent of banks are ready with provisioning of tokens on one of the card networks. Only 25-30 per cent of banks are on a second network.”

“The other networks are yet to make major strides on the provisioning front. But the readiness of processing of tokens is at zero per cent currently. Provision of tokens without the ability to process is like having a super secure wallet but without the ability to take or put money in it. It is useless,” Mehta added.

RBI’s objective of ensuring security and reducing fraud from the payment ecosystem through this policy change is a step in the right direction. But, there are several operational challenges that will hinder the transition to the token-based payments ecosystem, they said.

This policy change affects three major players: Banks, intermediary payment systems, and merchants. Merchants cannot start the testing and certification of payment processing systems until banks and card networks are certified. Also, they have to go live with a stable application programming interface (API) for consumer-ready solutions, they said in a joint letter.

The RBI, had in September 2021, prohibited merchants from storing customer card details on their servers with effect from January 1, 2022. The regulator mandated the adoption of tokenisation as an alternative to card storage.

Sijo Kuruvilla George, executive director, Alliance of Digital India Foundation, said if banks are lax on preparedness, the brunt will be borne by merchants in the form of loss of revenue.

The revenues losses could be anywhere between 20 and 40 per cent at the minimum.

The unpreparedness will impact recent digital payments adopters even deeply. The frequency and intensity of phishing attempts will go up as entire card details are to be entered for each transaction. This will cause a significant increase in irreversible fraudulent transactions, Mehta said.

MPAI represents merchants accepting digital payments, which include players like Netflix, Microsoft, Bookmyshow, Spotify, Disney+hotstar and Policybazaar, among others.

Disruption of this nature erodes trust in digital payments. It brings back consumer habits to cash-based payments.