SUMMARY
The RBI guidelines forbid merchants, payments aggregators and gateways and other parties other than card issuers and networks to store real card details, however, it allows card issuers to issue tokenised card services instead
The new NPCI system will solve this issue by creating Tokens that merchants can use to validate payments without storing customer data
Small businesses and startups reliant on revenue from subscriptions have been hit hard by the new guidelines
National Payments Corporation of India (NPCI) has announced the launch of the NPCI Tokenisation System (NTS), which will tokenise and mask the real RuPay card details (CoFT: card-on-file tokenisation). With the NTS, RuPay cards can be tokenised to protect customer data and privacy.
The NPCI was incorporated in 2008 as an umbrella organisation for operating retail payments and settlement systems in India. The NCPI created many popular retail payment products, including the RuPay card, Unified Payments Interface (UPI), Bharat Interface For Money (BHIM) and Immediate Payment Service (IMPS).
According to RBI’s new Payments Aggregators and Payment Gateways guidelines set to take effect in January 2022, merchants aren’t allowed to store customer card data. This means that customers will be forced to enter their sixteen-digit card numbers and CVV each time they renew their subscription or make a new payment.
However, the central bank vide circulars of January 2019 and August 2021 granted card issuers to issue card tokenisation services after receiving explicit customer consent.
Based on RBI mandated guidelines, sensitive customer information will be stored as an encrypted token that can be used to secure transactions. Payments can be processed with these tokens without disclosing customer details or allowing intermediaries to store customer data.
Using NTS, banks, aggregators, merchants, and other payment intermediaries can get themselves NCPI certified, allowing them to play the role of ‘token requestor’. The token requestor can then use the Token Reference On File (TROF) to authorise payments from the card-issuing authority.
In theory, this means that businesses can renew their customers’ subscriptions without forcing them to reenter transaction details and without storing their data which would go against the RBI guidelines.
But the safety and security of the new NTS in practice is yet to be ascertained.
Kunal Kalawatia, Chief of Products, National Payments Corporation of India said, “We believe that this unique Card-on-File Tokenisation solution will not only safeguard customers’ confidential data but will also further strengthen the overall digital payments environment.”
In March this year, NPCI partnered with SBI payments to launch a RuPay Software Point of Sale (SoftPoS) solution for Indian merchants which can turn NFC enabled smartphones into PoS terminals for retailers.
