As the Reserve Bank of India (RBI) takes fresh measures to protect customers’ card data held by merchants and payment aggregators, the Alliance of Digital India Foundation (ADIF), representing over 250 digital startups, has told Inc42 that although the central bank’s move is welcome, the method of securing the card data should not put startups at a disadvantage against global players.
According to Sijo Kuruvilla George, Executive Director, ADIF, ‘Card on File Tokenisation’, the method proposed by the RBI to safeguard customers’ data, will not allow payment aggregators and merchants to store card data and will instead replace the card data with a tokenised value.
“However, this solution has limitations which will need to be addressed for a seamless transition from the status quo. This solution does not address key use cases, where card details need to be available or shared with upstream or downstream partners today,” George said.
“Care should be taken that the business practices that need to be adopted for our startups to be in compliance with norms do not disadvantage startups to be at par and compete efficiently with global players operating out of other geographies,” he stressed.
Among the key concerns raised by ADIF are: EMI transactions require offline file submission to banks with card details, and banks use these details to convert card transactions to EMI; merchants use the first 6 digits of the card (the BIN) to determine the network, issuer, card type and so on in order to surface bank offers to their customers.
“Card Vaults would provide the same protection and could be a better solution as it will also allow more players in the ecosystem to participate through the secured RBI licensed banks,” George told Inc42.
What are Card Vaults
Partner banks offer a secure vault system in which individual card numbers are encrypted and stored with a unique reference number, or token, for each card; the token is device agnostic.
The saved cards would, therefore, be aliased and returned in the form of tokens by the Bank to the merchants and payment aggregators. Payment aggregators’ existing saved cards would be moved to their partner bank’s vaulting service, allowing existing users to continue to transact seamlessly using underlying secure tokens issued by the bank.
Payment aggregators would store and manage the association of these cards with their customers and/or their merchants’ customers, to whom the card belongs, in the form of the token returned by the bank.
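The vault flow described above, as an added illustration rather than code from ADIF, any bank or the RBI: a bank-side vault issues random tokens plus BIN metadata, the aggregator migrates its saved cards to tokens, and only the bank side can detokenise. Class names, the `tok_` prefix and the `caller` check are assumptions; at-rest encryption inside the vault is assumed, not implemented.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject malformed PANs before vaulting."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class BankCardVault:
    """Bank side: holds the PAN (assumed encrypted at rest), issues tokens."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:  # one token per card, random so it cannot be reversed
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        # BIN and last4 let the merchant surface issuer offers without the PAN
        return {"token": token, "bin": pan[:6], "last4": pan[-4:]}

    def detokenise(self, token: str, caller: str) -> str:
        if caller != "bank":  # e.g. EMI conversion runs on the bank side only
            raise PermissionError("detokenisation restricted to the bank")
        return self._pan_by_token[token]


class PaymentAggregator:
    """Aggregator/merchant side: keeps only token references per customer."""

    def __init__(self, vault: BankCardVault):
        self.vault = vault
        self.saved_cards = {}

    def migrate_existing_cards(self, legacy: dict) -> None:
        # legacy maps customer -> raw PANs saved before tokenisation
        for customer, pans in legacy.items():
            self.saved_cards[customer] = [self.vault.tokenise(p) for p in pans]
        legacy.clear()  # raw PANs must not survive the migration

    def holds_raw_pan(self) -> bool:
        # Compliance check: nothing stored locally may look like a PAN
        return any(luhn_valid(str(v)) for refs in self.saved_cards.values()
                   for ref in refs for v in ref.values())
```

The constructed PAN 4111111111111111 used in testing is a well-known dummy number, not a real card.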
Keep Larger Objective In Sight
Late last month, the RBI extended the scope of tokenisation from mobile phones and tablets to all consumer devices, including laptops, desktops, wearables and Internet of Things (IoT) devices.
The aim was to guard customer data against the growing number of data breaches the Indian tech sector has witnessed in recent months.
“It is great that the RBI wants to protect Indian users’ payment data and we are completely in alignment with this objective. However, the larger objective and advocacy remains this; we should strive for solutions that best address the needs for privacy, lower compliance costs and seamless user experience,” George noted.
“The difference of opinion we have (with the RBI) is regarding the method of securing customers’ data,” said George.
The ADIF, whose founding members include Paytm, MapMyIndia, Innov8, matrimony.com and others, has already submitted a letter to the RBI stressing that payment aggregators and payment gateways appear unlikely to be ready to comply with the RBI norm by December 31, 2021.
“The issuers and networks will likely need to do some work before the ‘card on file tokenisation’ solution is ready. Similarly, once these are addressed, payment aggregators will need time to integrate and make this work with upstream and downstream partners,” ADIF said.
Besides the ADIF, the Payments Council of India (PCI) had also said earlier that it was working closely with the RBI on possible security solutions to protect users’ card data.