RBI's card-on-file storage restrictions rules – is tokenization the answer?

In the light of the recent discussions regarding RBI’s decision to forbid card-on-file and storage of card details by merchants or payment aggregators, Ram Rastogi, a thought leader in the payments industry, explains the impact of these new changes over the merchants and customers

The context

The Reserve Bank of India (RBI) has released its revised guidelines on online data storage. Upon the update coming into effect in January 2022, cardholders may have to enter their 16-digit card number every time they shop online as opposed to entering the one-time password (OTP) and card verification value (CVV). The RBI is proposing another rule change that regards banning the storage of payment card numbers by online merchants, payment aggregators, and ecommerce websites.  According to RBI, ‘while the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.’ This decision has caused a lot of noise within the payments industry, with several players worrying that the customer experience might be affected. At the same time, tokenization has been brought into the discussion as a solution to the friction that might be added when entering payment details at the checkout. 

Why are these changes necessary?

In India, digital payments are used by nearly 300 million consumers out of a vast population of 1.37 billion people. The COVID-19 pandemic has further pushed the impetus of digital payments, so we can expect in the future an even accelerated, with many first-time users adopting digital payments and significant uplift by merchants. RBI has found that the more the number of transactions grows – on average 6 billion transactions per month – fraud could also grow proportionally, and this is an alarming problem for the entire financial ecosystem in the country. From 2019 to 2020, card fraud has increased by 14% CAGR, while in the last three years has increased by 34%. Moreover, several merchants have started storing cardholders’ data and sharing them with third parties, but this is an action that one must make once they are certain that those data won’t be misused. It is also worth mentioning that a lot of big banks, especially acquirers, had in the past their data sold on the dark web. 

The card-on-file initiative created by card schemes is not enough. Therefore, RBI has decided to use tokenization of card details, and thus avoid the misuse of sensitive data. Card tokenization is a process of substituting sensitive customer data (such as card number, CVV, etc.) with an algorithmically generated token (encrypted) by a token service provider, which could be the card issuer or payment network. These tokens flow through the payment systems in a secured way without disclosing the customer details or allowing the payment intermediaries (e.g. merchants, payment aggregators) to store customer data. Card-on-file (CoF) tokenization provides two key benefits: consumer and ecosystem security, and an enhanced checkout experience. 

RBI had recently issued a final circular making card tokenization mandatory from 1 January 2022. As per the latest country’s central bank guidelines, only card schemes and card-issuing banks have access to and can store cardholders data, while merchants and payment aggregators can keep the data only in a tokenized format. 

In my opinion, this decision that is being discussed for over a year now, should have a positive impact on the industry, strengthening the security of transactions and data privacy, and this way creating a safe and growing environment for digital payments. There is a lot of misknowledge within the industry, though, regarding tokenization. 

Will the customer experience be affected? 

A few leading payment aggregators used to store consumers data but their ‘security shields’ were weak enough to be hacked, and this is exactly what happened. One of the leading acquirers in India lost 10 million data from their active users. With tokenization, this cannot happen, because while making a purchase, either online or in-store, card details are moved to the card issuer that decrypts the token to validate the card number is real and then moves the data back in the token format. This way, card details cannot be compromised with third parties. The seamless experience is not compromised in any way, so the new rules won’t make any difference on the consumer side.  

How to best prepare for these changes? 

Tokenization is not a complex process, and major card networks such as Visa and Mastercard already have the utmost expertise in this area, so merchants that work with them should rest assured that everything is well handled by the card schemes with no additional costs. Moreover, the merchant acquirers are providing the entire infrastructure (the POS in store, for example). So if there are any changes to implement or technology updates to make, the acquirer should take care of this.

About Ram Rastogi

Ram Rastogi is a digital payments strategist, thought leader in financial services, regtech, public policy and payment and settlement systems, also mentoring various fintech startups in India and the US. He has banking experience of three decades with State Bank of India (SBI), as a senior executive driving its Strategy, Business Development, ATMs and Emerging Payment Systems and later as a Head of Product Development with National Payments Corporation of India (NPCI) since its inception. Member of several Digital Financial Inclusion Committees constituted by Indian Government and Reserve Bank of India (RBI). Played a significant role to assist the Committee on 'Comprehensive Financial Services for Small Businesses and Low Income Households' to draft a vision document for financial deepening in India.