Topics In Demand
Notification
New

No notification found.

RBI extends timeline for non-bank Payment Aggregators (PAs) to comply with Guidelines on Regulation of PAs & PGs
RBI extends timeline for non-bank Payment Aggregators (PAs) to comply with Guidelines on Regulation of PAs & PGs

April 1, 2021

392

0

On 31 March, the Reserve Bank of India (RBIextended the timeline for non-bank PAs by six months to ensure compliance with the Guidelines on Regulation of Payment Aggregators and Payment Gateways (PA/PG Guidelines).The new deadline for non-banks PAs to comply with the provisions of the PA/PG Guidelines is 31 December 2021. According to the Central Bank, the move is a "one-time measure" to enable the payment system providers and participants to put in place workable solutions, such as tokenisation.

In a notification, RBI also clarified that this extension has been granted to PAs after considering the representations received from the industry seeking additional time for implementing the PA/PG Guidelines. In the same notification, the Central Bank also formally published the Clarifications to these Guidelines on Regulation of Payment Aggregators and Payment Gateways (Clarifications). To be sure, the Clarifications had been issued on 17 September 2020 by RBI to select industry associations and participants, which stated that neither the authorised PAs nor the merchants on-boarded by them can store customer card credentials within their database or server. This resulted in confusion amongst the industry on the way forward when it comes to storage of payments data.

Based on extensive consultation with the industry, NASSCOM made a representation to RBI on 24 March 2021. We reiterated that the implementation of PA/PG Guidelines,read with Clarifications is expected to cause significant disruptions to customer convenience and the wider e-Commerce ecosystem. We also listed the unintended consequences of these requirements in the short-to-medium term and accordingly suggested two solutions to RBI, which could be considered as the way forward. 

The solutions proposed by us:

"Solution 1:
a) RBI should provide clarity on the rationale behind the exclusion of PCI-DSS and PA-DSS Level 1 certified entities (PAs and merchants included) from CoF restrictions mentioned under the PA/PG Guidelines and hold consultations with the industry to discuss the risks identified by the RBI and possible feasible solutions to address the same.
b) In case, data security is the only reason for this move, RBI may consider developing a card security framework, which addresses the gaps that the RBI may have identified, for all PCI-DSS Level 1 certified entities. The PA may be made responsible to confirm merchant’s compliance with the framework.
c) Simultaneously, new payment technologies, such as, tokenisation, may be encouraged. Currently, RBI permits tokenisation in the context of mobile-based payments. This may be enabled for all device ecosystems.


OR,
Solution 2:

a) Enable authorised Payment Systems Operators to roll-out tokenisation for a broader device ecosystem beyond mobile-based payments.
b) Extend the timelines for the enforcement of the CoF-restrictions under the PA/PG Guidelines by 12 to 15 months to allow for sufficient time for the ecosystem (merchants, PAs, issuing banks) to adopt tokenisation as an alternative to storing CoF. RBI may consider phased/graded implementation of CoF Tokenisation system.
c) Allow PCI-DSS Level-1 certified entities to continue storing CoF data until the time, demonstration of the success rates of alternative technological solution such as tokenisation has been proven/established. This will help address the concerns of business continuity until there is an established alternative to CoF data storage
."

 

Our comments:

While the latest move by RBI is in line with what NASSCOM had asked, i.e. to maintain status quo till there is a workable solution, but it is not clear if a workable solution would be developed within the timeframe contemplated by the RBI. NASSCOM will work with the industry to discuss the way forward. 

Do read our detailed blog on representation to RBI on facilitating compliance with PA/PG Guidelines. For more understanding on this issue, read our previous blogs.

For any questions or clarification on this issue, please write to komal@nasscom.in.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Komal Gupta
Policy Analyst

Policy Professional| Former Tech and Business Journalist|

© Copyright nasscom. All Rights Reserved.