Under tokenisation, a customer’s card data is replaced with a unique ‘token’ number. This ensures that the card information remains masked and helps prevent data theft and frauds.
The Reserve Bank of India (RBI) in March 2020 released guidelines to regulate payment aggregators (PAs) and payment gateways (PGs). And as the December 31 deadline for implementation of these guidelines comes closer, digital payment fintechs are grappling to find a solution for one particular clause.
As per the guidelines, PAs and merchants shall not store card credentials of customers in their database. Unless an alternative solution is implemented, this may mean that customers who wish to use their credit or debit cards will have to enter details afresh for each transaction – including their 16-digit card number, card expiry date and card verification value (CVV).
Additionally, the guidelines mandate that all PAs shall be authorised by RBI. For this, the regulator instructed non-bank companies offering PA services to apply for authorisation by June 30, 2021, which was later pushed to September 30.
So why are fintech players, e-commerce and other aggregators lining up for this license and what is the industry doing to solve the deadlock on the clause of contention?
PAs, PGs & RBI’S LICENSE
A PA provides payment services for merchants and e-commerce sites by accepting payment instruments from customers. As part of the process, PAs pool the funds received from customers and transfer them to merchants after a certain time period.
PGs on the other hand simply provide technology services to businesses for processing transactions. They do not have any involvement in handling of funds.
On why companies require this license, Sahil Kini, Co-founder and CEO of Setu explained, “At present, the RBI has its energies focused on non-delivery versus payment (non-DvP) transactions, which is where a product or service is delivered to the customer after the payment is received by the merchant. All e-commerce transactions would fall within this category.”
In such cases where payments are received before the delivery of the product or service, the intermediary collecting this payment and paying out merchants has to be a licensed payment aggregator.
“Obviously, all the PGs will require a PA license to continue servicing e-commerce use cases. If you don’t get it, then you’ll have to either have a tie-up with a bank who can aggregate payments on your behalf, driving up costs for payment collections services. Or, you will have to depend on a PA, leading to more business for these licensed entities,” Kini added.
A source within the RBI confirmed that a host of companies have already applied for the license. “Around 30 applications have been received for the PA license. Most companies will choose to apply because without the license their costs will go up. The number will of applications is likely to increase closer to the September 30 deadline,” he said.
While he refrained from naming the companies, reports suggest that players like PhonePe, BharatPe, Razorpay, Cred, Tata Group, Amazon, Reliance Industries, Zomato, PayU, and Pine Labs among others have submitted applications.
THE CARD DATA IMPASSE
While the industry concurs with the RBI’s concerns over storage of card data, it has been pushing for an alternate solution for customers to continue using cards seamlessly even after guidelines are implemented.
Gaurav Chopra, Executive Director of the Payments Council of India (PCI), an industry body of digital payment players, said, “PCI has requested RBI to come up with guidelines for the card on file solution like tokenisation or reference number, so that it can be adopted by the industry.”
Under tokenisation, a customer’s card data is replaced with a unique ‘token’ number. This ensures that the card information remains masked and helps prevent data theft and frauds.
“The challenge with tokenisation today is that while Mastercard and Visa are preparing for it, RuPay as a network does not support tokenisation yet. Until RuPay starts supporting it, there will be a big gap,” said an industry source.
He added that the industry is in talks with RBI to provide options other than tokenization, or to push the deadline further so that all card networks can support tokenization at the time of the implementation of these guidelines.
“The matter is under discussion at the RBI, they will come up with some suitable solution. RBI’s aim is to ensure a secured gateway for all payments for customers. If we are encouraging the PA ecosystem, we will have to create an enabling environment to facilitate the use of these platforms and in-turn increase transaction volumes,” said the earlier mentioned source within RBI. ?