Topics In Demand
Notification
New

No notification found.

Representation on Facilitating Compliance with RBI Guidelines on Payment Aggregators and Payment Gateways
Representation on Facilitating Compliance with RBI Guidelines on Payment Aggregators and Payment Gateways

March 25, 2021

298

1

In March 2020, the Reserve Bank of India (RBI) released the Guidelines on Regulation of Payment Aggregators and Payment Gateways (PA/PG Guidelines), which created a regulatory framework for the operation of payment aggregators (PAs) and payment gateways (PGs). To supplement and clarify these, RBI issued Clarifications to these Guidelines on Regulation of Payment Aggregators and Payment Gateways (Clarifications).

While we had already highlighted the challenges faced by the payments industry after the issue of the above-mentioned Clarifications in our previous letter to RBI, we have again written to the Central Bank, requesting to address the industry’s concerns. We have reiterated that the implementation of PA/PG Guidelines,read with Clarifications is expected to cause significant disruptions to customer convenience and the wider e-Commerce ecosystem.

Based on our anticipation, we have listed the following unintended consequences of these requirements in the short-to-medium term:

a) Disproportionate Obligations: Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance certifications for merchants, involve comprehensive and recurrent external audits (in case of Level-1 merchants processing more than 6 million transactions in a year) and self-assessment (in case of Levels 2-4 merchants processing less than 6 million transactions in a year), which attest to the sufficiency of the merchants’ data security systems for storing Card on File (CoF) data.
However, while the PA/PG Guidelines require merchants and PA/PGs to maintain PCI-DSS and PA-DSS compliance, they prohibited them from storing CoF data. Therefore, the compliance requirements imposed upon merchants and PA/PGs are disproportionate to the risk of payments data breach.
This would lead to an increase in compliance obligations while reducing the ability to service the customers in the best possible manner as it will negatively impact the transaction success rate and therefore customer retention.


b) Impact on Customer Experience for Online Payments: There is likely to be a significant disruption in the customer’s online payment experience. The inability of merchants and PAs to store payment instrument details on file, would mean that facilities such as saving preferred modes of payments for faster checkout can no longer be feasible without exploring alternate technical solutions.
Moreover, the lack of CoF data would require the customers to key-in payment instrument details manually for every transaction, leading to an increased probability of key-in errors leading to higher transaction failure rates. Resultantly, all the efforts of the many past years to move from cash to less cash economy may be futile to a certain extent.


c) Impact on Subscription Mandates: Currently, most recurring/subscription-based transactions are initiated by merchants, who by virtue of having CoF data on their servers, send the relevant instructions to issuing banks to charge customers’ payment instruments. The prohibition on storing CoF data would mean that merchants would no longer be able to initiate such transactions.
In addition, issuing banks and issuers of PPIs seem to be unable to comply with the requirements under the e-Mandate Circular before 31st March 2021 and the requirements of PA/PG guidelines before 30th June 2021. Thus, customers will be unable to register, modify or revoke any recurring/subscription-based transactions at the end of merchants or issuing banks.
In the absence of a minimum level of preparedness amongst issuers to provide for an e-Mandate dashboard before 30 June 2021, lack of widespread awareness campaigns by merchants and banks alike to inform and acquaint customers with the new facilities, the cumulative impact of the DPSS’s PA/PG Guidelines and the e-Mandate circular, are likely to create a significant disruption in the way customers, merchants and banks manage recurring/subscription-based e-Mandates.
Therefore, there is a need to ensure that while concerns related to data security are addressed, it should be done in a manner, which gears the ecosystem to manage business continuity and provide ease of transaction to the customers.

Tokenisation

During our consultations, tokenisation of payment data emerged as one of the potential solutions towards balancing data security concerns with those of business continuity. However, as on date, tokenisation is only permitted by the RBI in the context of mobile-based payments. It needs to be extended to all other device ecosystems to be an effective solution. This would significantly minimise the dissemination of Payment Instrument information, while ensuring business continuity and ease of transacting.
With payment tokenisation, the merchant only stores payment tokens in their database rather than the actual Payment Instrument Information. This delivers various security benefits to the digital commerce ecosystem by reducing the risk and mitigating the impact of malware, phishing attacks, and data breaches – by merely limiting the availability of Payment Instrument Information to the Payment System Operators and Issuing Banks.

Additionally, token reference IDs available with merchants and PAs are unique to individual merchants, i.e., a token reference created for Merchant A cannot be used for effecting transactions on the platform of Merchant B, without a transaction and merchant specific cryptogram created for Merchant A. Likewise, the tokens are also domain restricted, i.e., a token created for recurring payments cannot be used for on-time in-app purchases, and vice-versa.

At the same time, tokenisation will continue to support quicker and frictionless check-outs for end consumers, who will be able to identify relevant payment information through the last four digits of their Primary Account Number (PAN), without the need of Payment Instrument Information.


Our request:
We submitted the following two alternative solutions, which the RBI may consider as the way forward.

Solution 1:
a) RBI should provide clarity on the rationale behind the exclusion of PCI-DSS and PA-DSS Level 1 certified entities (PAs and merchants included) from CoF restrictions mentioned under the PA/PG Guidelines and hold consultations with the industry to discuss the risks identified by the RBI and possible feasible solutions to address the same.
b) In case, data security is the only reason for this move, RBI may consider developing a card security framework, which addresses the gaps that the RBI may have identified, for all PCI-DSS Level 1 certified entities. The PA may be made responsible to confirm merchant’s compliance with the framework.
c) Simultaneously, new payment technologies, such as, tokenisation, may be encouraged. Currently, RBI permits tokenisation in the context of mobile-based payments. This may be enabled for all device ecosystems.


OR,
Solution 2:

a) Enable authorised Payment Systems Operators to roll-out tokenisation for a broader device ecosystem beyond mobile-based payments.
b) Extend the timelines for the enforcement of the CoF-restrictions under the PA/PG Guidelines by 12 to 15 months to allow for sufficient time for the ecosystem (merchants, PAs, issuing banks) to adopt tokenisation as an alternative to storing CoF. RBI may consider phased/graded implementation of CoF Tokenisation system.
c) Allow PCI-DSS Level-1 certified entities to continue storing CoF data until the time, demonstration of the success rates of alternative technological solution such as tokenisation has been proven/established. This will help address the concerns of business continuity until there is an established alternative to CoF data storage.

 

Read our previous blogs on PA/PG Guidelines here.

For any questions or clarification on this issue, please write to komal@nasscom.in.

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Komal Gupta
Policy Analyst

Policy Professional| Former Tech and Business Journalist|

© Copyright nasscom. All Rights Reserved.