The story so far: The Reserve Bank of India (RBI) on December 23 extended the deadline given to online merchants and financial payments companies for the tokenisation of card data used for online transactions. Online merchants and financial payments companies have been lobbying the RBI to extend the deadline, saying that they lack the infrastructure necessary to comply with the RBI’s Order by December 31, 2021. So, on Thursday, the RBI decided to extend the deadline to June 30, 2022.
What is it?
The RBI in March last year came up with new rules to enhance the security of online transactions made using debit and credit cards. It wanted to put an end to the practice of online merchants storing the card details of customers, which the central bank believed could lead to misuse of cards by fraudsters. Storing card details on merchant platforms, however, made it easier for customers to carry out online purchases. For example, customers frequently store their card data on sites such as Amazon and Zomato. If this weren’t possible, customers would have to enter their card details each time they wanted to make a purchase.
To overcome this problem, the RBI proposed that online merchants use token numbers instead of card data to store customers’ cards on their platforms. This way, the RBI will ensure that sensitive details such as card numbers are wiped off merchant sites and replaced by random numbers. Once cards are tokenised, card data would remain only in the records of banks and card companies.
What is the problem with the RBI’s Order?
Critics of the RBI’s Order believe that online card transactions are already secure enough since customers need to authenticate transactions through CVV, OTP and other means. Online merchants have also been complaining about the time given by the RBI to comply with its orders, which they believe is too little. This, they argue, will affect their business as customers whose card details are purged may refuse to go through the hassle of having to enter their card details each time they make a purchase.
Customers may also decide not to tokenise their cards and simply opt to switch to cash or other forms of online payment that involve less hassle. The RBI may thus inadvertently push customers away from using cards as a mode of payment. It should be noted that foreign card companies such as Visa and Mastercard have already complained that Indian authorities have been favouring domestic payment methods such as the UPI and RuPay through their policies.
It is hard to judge whether the RBI’s tokenisation policy is right unless we can find a way to weigh the costs and benefits of the policy against the costs and benefits of its alternatives. This, however, is only possible when there are multiple private regulatory bodies competing for business by offering different policies. Competition between regulatory regimes would then lead to an equilibrium that properly balances the risks of card data storage (such as fraud) against the benefits (such as ease of making repeat payments).
What lies ahead?
Companies are largely expected to comply with the RBI’s Order by next year’s deadline. When the RBI first came up with the Order to purge card data, it had ordered companies to comply with its Order by June 30, 2021, a deadline which it later extended to the end of 2021. With the further extension of the deadline by six months, the RBI has extended its initial deadline by a year, which many believe is ample time to comply. With the regulatory burden rising on cards as a form of payment, which in turn increases the cost of using cards, we might also see a shift away from cards and towards other forms of payment.