Tech companies want two more years for tokenisation

Top technology and internet groupings are rushing to petition the country’s central bank seeking delayed implementation of its tokenisation mandate that requires online merchants to erase all stored payment details of customers by December 31. Global and local companies represented by trade bodies such as Nasscom and the Alliance of Digital India Foundation (ADIF) will seek a phased implementation of the new mandate and a minimum timeframe of two years for the transition, said multiple people aware of the developments.

Companies, which fear there will be “large scale” disruption and “mayhem” across online payments platforms beginning on New Year’s Eve, are asking the Reserve Bank of India to “not rush through the tokenisation mandate,” executives said.

“We are asking for more time, no one wants to wake up to mayhem on January 1,” said Sijo Kuruvilla George, executive director of ADIF, which represents companies such as Paytm and BharatMatrimony.

Others like the Payments Council of India said the RBI mandate calls for “a big systemic change” that requires a smooth transition. It will seek inputs from companies before approaching the RBI this week with a representation, officials said.

An abrupt transition to the new system, which requires all online merchants be it Flipkart, Google, Netflix or Paytm to wipe out stored card details of all customers by December 31 and take their consent for tokenisation, could shave off close to one-third of the digital industry’s revenues, according to ADIF. The industry grouping estimates this could lead to hundreds of small and medium merchants as well as payment operators being pushed out of business.

In September, the RBI amended its tokenisation framework– first introduced in March 2020–to include card-on-file data, this according to industry sources is the crux of the problem as they have not been given sufficient time for implementation.

According to the new rules, online shoppers must either key in their card details every time they make a purchase or consent to tokenise their card data through an additional factor of authentication (AFA). Online merchants and payment aggregators can store the last four digits of the actual card number and card issuer’s name, only after receiving specific consent.
Ashish Aggarwal, vice-president-public policy at Nasscom said, “Unless 80% of the cards used can be tokenized, the transition should not be forced.”

Tokenisation is the process of replacing the 16-digit credit or debit card number for mobile and online transactions with a unique digital identification known as a “token”, which is a random string of 16-digit numbers. It can enable a transaction without disclosing the cardholder’s account information to either the merchant or any intermediaries.

“There are huge challenges for merchants. Even if a particular bank or network is ready, it doesn’t translate into readiness of the entire ecosystem,” Aggarwal said

Short timeline
The tokenization mandate will impact both subscriptions as well as one-time payments and will pose a special challenge for online merchants required to process refunds. Hotel operators won’t be able to charge a no-show fee in case of a last-minute cancellation, industry members pointed out.

As the RBI has given the banks the choice to tokenise or not, with no penalty imposed on them if they don’t, Nasscom is requesting the banking regulator to allow banks and networks to first test and demonstrate their readiness following which merchants can transition to the new system.

“Expecting merchants to delete all card data in the absence of any viable alternative is not reasonable. RBI needs to publish the status of readiness and review the deadline for tokenization,” Aggarwal said. India On 24