Starting January 1, you will have to manually enter your card details at every place you shop online—delivery apps included. And you may have to do it repeatedly with a number of merchants if they are not ready for a brand new set of Reserve Bank of India rules—which dictate that companies can no longer store your card data. So get ready for some chaos come New Year’s Day.
The RBI rules basically state that no one can capture or store your card details except your banks and payment providers like Visa etc. And it has made a new system called ‘tokenization’ mandatory starting January 1.
How it works now: This is what happens when you go online to buy something.
Enter tokenization: This merely means that your card details are replaced by a token number. This number is unique to the card you are using and who you are buying from. Next time, if you use a different card—or use the same card to buy from a different merchant—a new token number will be required.
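The property described above, that a token is tied to one card at one merchant, shown as an added example that is not from the original article or from any card network's code. It is a simplified in-memory model: `TokenVault`, `tokenize`, `authorize` and the merchant names are hypothetical, and the card number is a constructed test value.

```python
import secrets


class TokenVault:
    """Simplified stand-in for the bank/card-network side that keeps the real card number."""

    def __init__(self):
        self._by_pair = {}    # (card number, merchant) -> token
        self._by_token = {}   # token -> (card number, merchant)

    def tokenize(self, pan, merchant_id):
        """Return the token for this card at this merchant, issuing one if needed."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        key = (pan, merchant_id)
        if key not in self._by_pair:
            # Random value, so the token reveals nothing about the card number.
            token = "tok_" + secrets.token_hex(8)
            self._by_pair[key] = token
            self._by_token[token] = key
        return self._by_pair[key]

    def authorize(self, token, merchant_id):
        """Resolve a token only for the merchant it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None          # unknown token, or token presented by another merchant
        return entry[0][-4:]     # vault uses the real card; caller sees the last 4 digits


def demo():
    vault = TokenVault()
    card = "4111111111111111"   # constructed test number, not a real card
    # Each merchant's database holds only its own token, never the card number.
    shop_a = vault.tokenize(card, "shop-a")
    shop_b = vault.tokenize(card, "shop-b")
    return {
        "tokens_differ": shop_a != shop_b,
        "repeat_purchase_reuses_token": vault.tokenize(card, "shop-a") == shop_a,
        "own_token_works": vault.authorize(shop_a, "shop-a") == "1111",
        "leaked_token_elsewhere": vault.authorize(shop_a, "shop-b"),
    }


if __name__ == "__main__":
    print(demo())
```

A token copied out of one merchant's records resolves to nothing when another merchant presents it, which is why a breach at a merchant that stores only tokens exposes far less than one that stores card numbers.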
How it will work from January 1: Merchants and payment gateways have to purge all customer card data from their records by that date. So when you go online, you will ideally do the following (with the emphasis on ‘ideally’):
Point to note: Tokenization is already in place for UPI payments. And net banking will work seamlessly as well. This only affects transactions where you use your cards.
The RBI is concerned about the security of your card data—which is shared and stored across multiple websites when you shop online:
“Many entities involved in the card payment transaction chain store actual card details. In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked.”
For the promise of far greater security, you have to put up with the one-time hassle of manually entering your details when you shop from a specific company.
As for the online retailers: Supporters of tokenization argue that retailers only need a technological upgrade to get ready to accept such payments. Also: They no longer have to worry about being hacked. And these merchants are moving to a far superior system currently used by the likes of ApplePay and SamsungPay—which offer frictionless shopping—and enable tools like one-click purchase on Amazon.
The system only works seamlessly if everyone is ready to handle tokenization. That means every entity involved in that single transaction you initiate—the merchant’s bank/payment gateway, the card network, your bank etc.: “Even after tokenization is complete, the transaction may fail if a stakeholder has not integrated the required technology to accept or read tokenized cards.”
So buying online in January may feel like playing Russian roulette. It will work for some purchases but not others. And if tokenization fails, then you will have to manually enter your card details each time you shop from that merchant.
The bigger players: have got their systems in place—or are scrambling to do so. Visa is fully ready, while Mastercard and American Express are rushing to meet the deadline. RuPay has just started some pilot programs with some merchants. The big payment gateways and aggregators like Razorpay, CCAvenue, PayU, Juspay, Worldline and CAMSPay have already launched their services. And the big banks like HDFC Bank, ICICI Bank and HSBC India are fine too.
A caveat to note: The Morning Context points out:
“It is important to reiterate that when a merchant says they are ‘live’ with tokenization today or come 1 January, it means they can tokenize a card. It is highly likely that transaction failures will shoot up as neither the tokens nor the network tokenization model has been tested at scale; rather it will be launched in one shot across the internet economy.”
And not everyone is at ‘go’: Many are worried about small and medium-sized businesses who haven’t made the shift—and are likely to be hit harder by the loss of business. And they have already been on the back foot thanks to new rules that make setting up recurring payments extremely difficult for a customer. Industry groups insist: “Unless 80% of the cards used can be tokenized, the transition should not be forced.”
The new RBI rules for cards were announced in September—and leading industry groups say their members haven’t been given enough time to make the needed changes: “The RBI is expecting the entire industry to come on to tokenisation, complete testing, move forward in less than four months, that is a very extreme ask from the industry.”
The other big worry: Apart from failed transactions, forcing customers to take that one extra step of entering their card details in January may push them toward UPI payments or cash-on-delivery options—which will have a huge impact on the digital payment ecosystem. Credit card transactions in India crossed the one-trillion rupee mark in October.
Also poised for “mayhem”: All the other more complex transactions like EMI payments, buy-now-pay-later offers—which need stored card details—cash back offers and refunds. The RBI has not offered any clarity as to how these payments will work as yet. And The Morning Context estimates none of these transactions will work for at least a few months.
The likely beneficiaries: of this added friction in using cards: Government-run payment platforms—Unified Payments Interface (UPI), National Automated Clearing House (NACH) and Bharat Bill Payment System (BBPS).
Data points to note: The shift to tokenization is likely to affect 5 million customers—who are the biggest spenders online: “These are like the cream, digital transacting customers of India.” Industry experts estimate revenue losses of 20-40%—with the greater burden borne by smaller merchants.
Ironic data point to note: In a recent survey, 82% of consumers said it will be somewhat or extremely inconvenient for them to re-enter all their details for every card-based online payment. And more importantly this:
“As many as 57% consumers said they trusted different stakeholders of card-based online payments, and they stored their card details online despite the risks. Other notable reasons for storing card details online included convenience (58%), and benefits in the form of cashbacks/rewards (57%).”
The bottom line: Be it restricting recurring payments or tokenizing card data, RBI is hell-bent on protecting the Indian customer—but at her own expense. As one payments executive says, “Despite all the right intentions of the central bank, what they’ve done is shifted the burden of card security from payment companies to end users.”
Mint has the best explanation of how the card payment system works, and how it will change. Also in Mint: The industry push to implement tokenization in phases. Financial Express lays out the benefits of tokenization. Economic Times, The Hindu and The Morning Context (paywall) report on the state of high anxiety within the industry. Business Standard has more on the consumer survey on tokenization.