Topics In Demand
Notification
New

No notification found.

Reserve Bank of India: NASSCOM-MPAI representation on facilitating compliance with Card-on-File Tokenisation
Reserve Bank of India: NASSCOM-MPAI representation on facilitating compliance with Card-on-File Tokenisation

September 2, 2022

560

0


Listen to this article



The Reserve Bank of India (RBI), on July 28th, 2022, had announced a clarification on storing card-on-file (CoF) data for guest check-out transactions and other post-transaction activities. This came after extension granted by the RBI to purge stored card details in compliance with PA/PG Guidelines to September 30th, 2022.

NASSCOM, along with the Merchant Payments Alliance of India (MPAI), made a joint submission to the Reserve Bank of India in continuation of discussions on card-on-file tokenisation (CoFT) and the challenges faced by the ecosystem therein. In the representation, we emphasised on the ecosystem readiness with CoFT to be viewed holistically from the end consumers’ perspective i.e., they should be able to successfully conduct payment transactions using tokenised card details for the ecosystem to be ‘ready’.

In the joint representation, we highlighted that:

  • Token provisioning: The success rate of mapping card details onto tokens upon receipt of tokenisation requests is in the range of 90-95 percent.
  • Ecosystem participants i.e., merchants which maintain their own payment infrastructure have ramped up the processing of tokenised transactions on their systems. However, merchants which rely on payment aggregators/gateways (PA/PGs) are yet to make any meaningful progress on the same.
  • Token processing (one-time payments): In terms of one-time processing of payments through pre-provisioned tokens, the success range is between 60-65 percent. Per our understanding, transactions typically fail due to optimisation issues at the PA/PG’s end. We were also informed that some merchants are yet to be given access even to beta versions of token flows developed by PA/PGs, and therefore, such merchants have not been able to begin any meaningful testing of token solution for their customers. For such merchants, migration of existing customers to new systems is yet to take place as well. They do not have visibility on tokens for recurring payments and guest checkouts either.
  • Recurring payments: We noted that processing solutions for recurring payments is even for challenging because of the following:
  1. Mandate creation Mandate creation using a combination of mandate ID and token, instead of mandate ID and card details;
  2. Mandate migration – Conversion of existing e-mandates (based on card details) to mandates based on tokens; and,
  3. Mandate renewal – Ensuring periodic auto-debits on the relevant account based on a combination of mandate ID and token.

In this regard, we noted that some merchants who are completely dependent on payment aggregators have not had any texting experience on the three aforementioned elements as on date of writing. Members that have been able to test still have only limited visibility on the efficacy of recurring payment flows due to lean upstream readiness. At the merchant’s end, access to bank identification numbers (BINs) from card networks is necessary to map mandate IDs and process recurring payments. Progress on this front is also limited.

Suggestions:

We made the following suggestions to the RBI in our representation:

  1. the RBI mandates card networks and PA/PGs to share a status report to demonstrate their readiness to fulfil tokenized transactions across all use cases; and,
  2. the RBI takes appropriate actions as deemed necessary to ensure that issues with token flows for recurring payments are duly addressed, before requiring the ecosystem to action the no-card storage rule.

For more information, kindly write to apurva@nasscom.in and mohit@koanadvisory.com.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming

© Copyright nasscom. All Rights Reserved.