Clarification on merchant onboarding requirements under the Regulation of Payment Aggregators and Payment Gateways
Based on feedback from industry, NASSCOM recently made a representation to the Reserve Bank of India (RBI) on a particular ambiguity in the Guidelines on Regulation of Payment Aggregators (PA) and Payment Gateways (PG) published by it on March 17, 2020 (Guidelines).
This pertains to merchant onboarding requirements under Sections 7.3 and 7.4 of the Guidelines. The provisions in the final Guidelines are:
“7.3. PAs shall be responsible to check Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded.
7.4. Merchant site shall not save customer card and such related data. A security audit of the merchant may be carried out to check compliance, as and when required.”
Our understanding is that merchants who comply with PCI-DSS and the other applicable requirements in the Guidelines can continue to store customer card data. However, the provisions are drafted as separate sections in the Guidelines, which creates ambiguity and allows an interpretation that merchants cannot store card data even when PCI compliant.
Such an interpretation would be contrary to paragraph 6.6 of Annex-1 of the Discussion Paper published on the RBI website on 17.09.2019, which clearly stated that merchants can store card data as long as they have customer consent and their infrastructure for storing customer payment data and connecting to the aggregator is PCI-DSS and PA-DSS compliant on an ongoing basis.
Below are the industry concerns in case merchants are prohibited from storing card data:
(a) Card data security: Merchants who achieve certified compliance to these PCI standards meet the same rigorous technical requirements and compliance validation completed by acquirers, PAs, issuers and any other entities handling card data. The RBI, in its Payment And Settlement Systems In India: Vision – 2019-2021, has recognized PCI standards as “a desirable best practice by all the entities in a payment transaction chain, irrespective of their status as a regulated entity or otherwise (emphasis added)”.
The RBI has also previously required PCI-DSS compliance for all acquiring infrastructure operating on IP-based solutions by acquirers, processors/aggregators and large merchants (Reference). Prohibiting merchants from storing card data despite compliance with PCI standards does not improve the safety of cardholder data or trust in the payment ecosystem. On the contrary, storing the card data of all merchants with payment aggregators would consolidate customer data in very few PA systems, which could make that data more accessible and more vulnerable to data breaches.
(b) Fraud Risks: Merchants use card data to analyze fraud risk and to build fraud mitigation tools and strategies. Today, most merchants have robust risk assessment frameworks to control fraud on their platforms, built in collaboration with banks and payment system operators. Many merchants collaborate directly with issuers and others in the payments ecosystem to proactively mitigate fraud, track fraud patterns and help implement instant response and recovery actions. Without card data, merchants cannot engage in these crucial fraud prevention measures, which will have a huge impact on consumer confidence and the adoption of digital payments.
(c) Merchant locked in with a single PA: The card storage requirements will force merchants to work with a single PA, which will hold the customer card data. Merchants will lose the ability to work with multiple PAs and will have difficulty switching aggregators even when faced with poor service or other issues, such as security concerns on the PA’s side. Decreased competition and control in the hands of a few players in the market will directly impact costs for consumers and reduce any incentive to continuously innovate and strive towards excellence. If a PA facing downtime or security issues is unable to manage the increase in traffic that merchants experience during peak times, or is facing technical issues and transaction failures, the result would be a widespread impact across the digital ecosystem, adversely affecting numerous other merchants and customers.
Working with one PA will prevent merchants from diversifying and mitigating transaction risk. Any security breach in the systems of the PA will have significant unintended consequences for merchant activities. This will extend to all the merchants working with that PA, thereby having an unimaginable impact on the industry.
(d) Customer service: Without customer card data, merchants will not be able to perform basic functions such as resolution of customer complaints/disputes, customer service and speedy resolution of refund requests. While PAs have a regulatory obligation to resolve disputes, merchants still need to prioritize and resolve customer concerns, as customer satisfaction is critical for their business. Degraded customer service would increase the number of customer grievances and escalations, which could otherwise have been easily managed at the initial stage by the merchant itself.
(e) Product Innovation: Dependence on PAs will prevent merchants from offering seamless and innovative payment experiences to their customers in line with RBI’s vision of “Empowering Exceptional (E) Payment Experiences.” For example, merchants will be unable to provide customized checkout and single click payment, resulting in unnecessary friction for consumers. Merchants will not be able to offer subscription-based services that require storage of card data to bill customers on a recurring basis.
Most of the payment innovations have been driven by merchants who want to give their customers a seamless and safe online payment experience. Merchants have a direct relationship with their customers and therefore understand the needs of customers, which they enable by working with PAs and banks. Various merchant entities have been investing heavily in ensuring safety and security of payment transactions while innovating for a better customer experience. However, this regulation inhibits the merchants’ ability to promote digital transactions. Therefore, it is crucial that merchants who meet the applicable Security Standards continue to be able to store card data to avoid large-scale interruptions in customer experience, business operations and digital payments adoption.
We have requested RBI to:
● Clarify or publish FAQs confirming that PCI-DSS compliant merchants who meet other applicable onboarding requirements in the Guidelines may continue to save customer card and related data.
● Develop a framework for storing card data that encompasses the security measures (PCI-DSS compliance), reporting requirements and governance mechanisms. The PA would be responsible for confirming the merchant’s compliance with the framework. This will provide the right visibility to RBI while balancing the needs of merchants.
For any questions or clarification on this issue, please write to firstname.lastname@example.org.