SUMMARY
Under an RBI mandate, w.e.f January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data
In compliance, Google Play stated that if Visa and Mastercard users moved to tokenisation, their services will not be affected. However, other players in this space including Rupay, American Express and other cards currently don’t support the mechanism
While this move will hinder user experience in the short run, the new guidelines are aimed to ensure user financial safety in the long run
Aimed at regulating India’s fintech ecosystem, the Reserve Bank of India (RBI) has brought in a slew of changes in the past few years. The recent one among them was aimed to regulate payment aggregators (PA) and ecommerce merchants, restricting them from storing card data. In compliance with the same, Google Play has announced that it will not collect card data and asked its users to move towards tokenisation of cards to maintain a smooth flow of transactions.
The RBI mandates stated, “With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and card networks, should store the actual card data. Any such data stored previously will be purged.”
Ahead of the looming deadline, Google has announced that it is in compliance with the RBI’s mandate and that users would have to re-add their data every time they want to make a payment, unless they move on to tokenisation. Google’s Play Services stored card data for users signed up for Google One, Workspace, or other premium/paid features. It also allows payments for Play Store’s in-app purchases.
The tech giant has stated that if Visa and Mastercard users of Google Play moved to tokenisation, their services will not be affected. Currently, other networks such as Rupay, American Express, etc are not included in Google’s tokenisation list since they don’t support the mechanism.
Tokenisation involves replacing actual card details with a unique alternate code — ‘token’. The novel feature would be a combination of card, token requestor and identified device, with card networks such as Visa, Mastercard and others at the centre of payment services.
A few weeks ago, PhonePe, in accordance with RBI’s guidelines, announced the launch of its SafeCard — a tokenisation solution for online debit and credit card transactions. PhonePe’s SafeCard will make recurring payments convenient and safe, by allowing payment providers to save cards using tokens. This solution supports all major card networks such as Mastercard, Rupay, and Visa.
Delhi NCR-based fintech PayU on the other hand launched “PayU Token Hub”, enabling businesses to comply with RBI’s guidelines on online card data storage whilst allowing issuing banks to also generate their own tokens.
Effect On The End Consumer — Does Google Pay & UPI Get Affected?
Many industry players have raised red flags over the ecosystem, but every event has a silver lining. Explaining how the ecosystem would be affected, Manas Mishra, chief product officer, PayU, states, “The framework of the mandate is meant to ensure the safety of the end consumer. Recent data breaches, online frauds, are some events that have caught RBI’s attention. And while merchants and payment aggregators will be affected, the time is ripe for a new payment infrastructure.”
He also mentioned that since UPI does not rely on storing card data for transactions, but through an ID of its own, the new rules would be uplifting the UPI ecosystem. It would also mean more merchants accepting (non-recurring) payments via UPI, until the move to tokenisation is complete — which would still take another 8-10 months, Mishra tod Inc42.
The parties to RBI’s mandate include the bank, the card issuer, the merchant/the payment aggregator and the end-user. The regulation does not affect banks negatively and the card issuers such as Visa, Rupay and the likes will not likely be affected. As for a payment aggregator such as Google Play (who process payments made by customers digitally) or SaaS platform (on which a user opts for recurring payments), their customer transactions will be reduced unless the users/networks have moved to tokenisation.
For customers, the movement is likely to hamper the user experience for a few months, but since they are aimed at security, new infrastructure will likely be more adoptive, Mishra explained.
The new rules, thus, will bring a disruption among merchants, where payments would be declined or cancelled as aggregators will no longer have card data stored with them.
