“The regulator is of the view that merchants storing credit card data would cause cyber security risks to the consumer and they do not have any locus standi as these norms pertain to payment aggregators and gateways,” said an official in the know.
RBI, Amazon, Microsoft, Netflix, Flipkart and Zomato did not respond to ET’s emailed query.
These level-1 merchants collectively transact with 250 million customers who carry out digital transactions, including recurring transactions. In a February 1 letter to the RBI, the merchants had argued that forbidding merchants from storing card data will disrupt a system that has been functioning seamlessly. The merchants also represented that their banks, payment aggregators and network operators like Visa and MasterCard support storage of customer data.
The new RBI guidelines bar merchants from storing “customer card and related data” on their servers. The guidelines also bar payment aggregators from storing customer card credentials within their database or on servers accessed by the merchant. Industry experts claim that not allowing merchants to store card data will not only inconvenience customers but also disrupt the digital payments ecosystem, leading to system fragility issues.
“The most significant unintended consequence of this restriction on storage of customer cards and related data is that it makes the payments ecosystem systemically fragile,” said Mandar Kagade, founder principal, Black Dot Public Policy Advisors. “Owing to this restriction, merchants and PAs will be constrained to call the API of a bank for authentication every time a customer executes a transaction. Significant build-up of transactions at any issuing bank exposes the payments ecosystem to significant systemic failure risk.”
Experts argue that if these rules are brought in as they are, customers will see increased friction in subscription-based services that require storage of card data to bill consumers on a recurring basis. Without the customer data, merchants will have to ask for the card information in every billing cycle, which will result in business disruption. Top merchants that ET spoke with said that the RBI should refrain from taking a one-size-fits-all approach.
“Has the regulator even factored in the inconvenience this would cause senior citizens? Such a decision has the potential to completely shut down the recurring payments business. Shouldn’t the customer have the right to choose to store her data with a trusted merchant?” a level-1 merchant affected by the RBI norms said on the condition of anonymity. “Also, since the regulator has been recognising the PCI-DSS standards as the applicable benchmark, we have been investing to strengthen our infrastructure. Now, to suddenly disregard its own past stand is quite arbitrary.”
Payment Card Industry Data Security Standard (PCI-DSS) is globally considered the best way to safeguard sensitive card data. Even the RBI, in its Payment And Settlement Systems In India: Vision – 2019-2021, has recognised PCI standards as “a desirable best practice by all the entities”.
Experts have also expressed concerns about second-order implications of the move, which could hinder payment refund flows, targeted promotions by merchants through coupons and even recurring payments through auto-mandates.
According to Raman Khanduja, the chief executive of MintOak, a payment platform for merchants, the guidelines also leave scope for more clarity, especially in whether PGs who also act in the capacity of PAs would be allowed to store card data.
“There are only two pure play payment gateways in India which are run by Visa and Mastercard. It’ll be interesting to see how these rules will be applied to other gateway businesses that also double up as aggregators,” said Khanduja.
Mihir Gandhi, payment transformation leader and a partner at PwC, said that the move could see an adoption of tokenization technology by banks, which allows networks and aggregators to store card details in a scrambled form, masked by a token. “Visa, Mastercard and NPCI have been pushing for the adoption of tokenized technology for a while. One way to comply with the guidelines is to tokenize all the card details,” said Gandhi.
Another question raised by experts was the timing of the move, as India, unlike Western economies, is still transitioning into a less-cash, digital society. More friction in the payments process could act as a deterrent.
“Most of the top merchants and aggregators are PCI-DSS compliant, which is an industry best practice for card data storage. The merchants like to store their own data owing to potential concentration risks of gateways aggregating customer data. The new rules don’t provide any clarity on these concerns,” said Sandeep Srinivasa, the chief executive of RedCarpet, a startup.