Via our Payments Digest, we aim to provide a view on key payments policy initiatives taken each month. Discussions for Edition 2: Efforts to persuade the RBI to withdraw its prohibition against payment aggregators and merchants storing card data are ongoing- why is this important? The RBI has issued new Digital Payments Security Controls- what do they change? And with February comes the Budget, what’s in it for digital payments?
PART I- Implications of the prohibition on storing card data under RBI PA norms
The RBI norms for Payment Aggregators (‘PAs’) and Payment Gateways (‘PGs’) (‘PA norms’) brought several welcome changes last year, like greater flexibility and new services for merchants (Related Read: Regulation 2.0 for Payment Aggregators: Reimagining the role of PAs and what still needs to change). A separate requirement coming into effect this year is a prohibition against PAs and merchants storing card data. Industry efforts for a change to this are ongoing and for good reason- the norms negatively impact the customer experience and possibly digital payments adoption in the long run. So far, the RBI has reaffirmed the prohibition via internal clarifications, allowing storage only for the limited purpose of transaction tracking.
Why is change to the prohibition necessary- from a PA’s perspective?
The result of the prohibition is that customers will need to re-enter card data for every card-based payment, including e-mandates/ standing instructions. Benefits the RBI itself sought to bring in like AFA relaxations for card-based e-mandates are effectively nullified. Merchant provided facilities like card-saving, one-click payments, recurring payments, etc. are all impacted.
The problem is that despite PCI-DSS and other security related requirements, the prohibition on merchants/PAs has been imposed without considering alternatives, or offering solutions post-prohibition. Consider tokenisation- the current framework is too limited in its scope (card-saving by mobiles/tablets in 2019) for it to be rolled out on the scale required here. On the other hand, tokenisation that PAs were already doing (for e-mandates say, where only a token was shared) comes to an end.
Alternatives can nevertheless be found- you still have UPI AutoPay and eNACH for recurring payments. Card network provided solutions like Visa Checkout, Safe Click, etc., are another alternative for card-saving/ one-click payments- in fact the RBI has also relaxed AFAs here upto Rs.2k. However, these are yet to be widely available, given issues like integration delays. Further, these may need modification to comply with the new norms, given these may be sharing card data with other stakeholders currently, in keeping with current practices. Despite the alternatives however, benefits like the popularity of cards with customers, providing a wide range of digital payment options, seamless checkout processes, etc. are still lost.
The table below summarizes the impact of the prohibition. A separate consequence is that this impacts the playing field- between PAs and other entities offering similar services (payments banks, PGs, even mobiles/tablets as per the tokenisation norms), and also between UPI and cards, giving UPI the upper hand.
Are refunds, chargeback and dispute resolution processes impacted?
Chargeback and dispute resolution processes are not dependent on shared card data. Merchants/ PAs only need to share the transaction reference numbers with the card networks, who effect the reversals, etc. as required. The same also applies for refunds, however, without card data, benefits in the form of say alternative solutions for faster refunds come to an end. Refunds will thus be slower. Other value added services which are dependent on card data are also similarly impacted.
When will this come into effect?
For a non-bank PA this will come into effect when it is authorised as a PA. The last date to apply is June 30th, 2021. For bank PAs, the norms came into effect on September 30th, 2020, while for PGs this is a recommendation only, and not mandatory.
Table 1: Impact at a Glance for PAs/Merchants
|Impacted||Not impacted/ Alternatives|
|Storage of card data by entities||Prohibited except for transaction tracking purposes|
– Payment Aggregators
|– Payments Banks (M-wallets, etc.)|
– Payment Gateways
– Card saving by phones/ tablets (tokenization)
– Card networks and related payment solutions (Visa Checkout, etc.)
|Card based standing instructions/ e-mandates- will require input of data for every payment|
Effectively nullifies AFA relaxations provided
|– eNACH e-mandates using debit card authentication|
– eNACH e-mandates using net banking authentication
– UPI AutoPay
|Card-saving/ One-click payments for seamless checkout processes||Merchant provided solutions- Will require input of card data for every payment||Card network provided solutions provided no card data shared with other stakeholders:|
– Card saving (Visa Checkout, Masterclass, etc.)
– One-click (Visa Safe Click)
RBI AFA relaxations here can continue
|Refunds, Chargeback and Dispute Resolution Processes||Alternative refund solutions come to an end.||Card data not required for refunds/chargebacks/dispute resolution- transactions reference no. alone to be shared with card networks which will effect the reversal.|
|Payment Options for Customers (summary)||– Card based SIs/e-mandates|
– Card based one-time payments will require input of card data for every payment
– Merchant provided one-click and card-saving solutions
|– UPI AutoPay, eNACH for recurring payments|
– Other payment options- UPI, Net banking, Wallet payments, Cash on Delivery, Gift cards/vouchers, etc.
– Contactless Payments at PoS, QR Codes, etc.
– Card network provided one-click and card-saving solutions
|Others- UPI based payments to credit cards||– Non-consent based creation of UPI VPAs using credit card data by merchants will not be possible, since credit card data cannot be retained.|
– Use of consent based UPI VPAs using credit card data by merchants will require sharing of the VPA each time
PART II- The scope of the new Digital Payment Security Controls
Increasing digitization and multiple new payment modes and business models have also led to new vulnerabilities. With customer confidence in digital payments at stake with all the bank downtimes, system outages, cybersecurity issues like compromised card data, etc. off-late, the RBI’s new Digital Payment Security Controls come at a good time. These apply to the regulated entities (‘REs’) specified (scheduled commercial banks, small finance banks, payments banks and credit card issuing NBFCs), but the benefit they bring will be for the payments industry as a whole.
How do these impact fintechs and other payments players?
Many payment products today are built on the rails of in-house services from banks- take UPI, fintech provided API banking, etc. The Controls in essence force REs like the banks to resolve several core issues- securing their tech stack, improving reconciliation, addressing downtimes and refund delays, better grievance redressal, fraud mitigation, etc. Each of these impact the quality of service fintechs and other payment players receive from the banks, and in turn are able to provide to their end-customers. Basically, an improvement in the core issues means fintechs, etc. can improve the all round customer experience as well.
What are some of the specific changes entailed?
Overall, the Controls aim to introduce new governance structures, and secure channels like internet, m-banking, card payments, etc. They serve as an overarching regulation, securing digital payments even when no specific regulations apply:
- Scalability issues- transaction overloads and downtimes
UPI provides a clear illustration of scalability issues with digital payments. A specific technical issue for instance is that bank servers can process only a limited number of transactions per second (‘TPS’), making them unable to properly support UPI volumes. Given issues here, UPI is unsurprisingly a major source of customer complaints (the Ombudsman Report cited 43.89% for funds transfers, UPI, BBPS and BharatQR together). Solutions like imposing volume caps (as for UPI) far from resolving the issue have the opposite effect- of being difficult to enforce technically, and may increase transaction failures once the cap is reached.
The Controls here take a welcome approach- it addresses the issue from the core, requiring work on capacity building, scalable infrastructure, minimising technical declines, higher availability of channels, etc. For instance, take the ‘multi-tier application architecture’ requirement. For this a given system will be segmented into multiple tiers and applications, allowing say fixing issues (say a cybersecurity attack) in one part without affecting another, in turn increasing availability and reducing downtimes. It also allows faster technical upgrades with less disruption, like for improving the TPS.
- Improving API based banking with banks opening up servers
For fintech provided services, a bank’s application architecture forms the backbone. As banks become more tech-savvy and secure, and thereby more comfortable with opening up their servers to third parties, a more secure API banking experience is also possible. Changes for example include requiring properly implemented APIs for secure data, storage and communications. Checks and balances are also required to prevent transactions from unauthorised apps, say steps like IP whitelisting to recognize authorised API requests. Multi-factor authentication is also specified here- allowing limiting login attempts and blocking of compromised API payment credentials.
- On card data and storage
The focus on data security is evident throughout the Controls. For card data specifically, security requirements are prescribed including new PCI compliance obligations (PCI-PIN, PCI-P2E, etc.) and verifying merchant compliance with the same. On card storage they require compliance with extant laws/instructions, which will also include the PA norms’ prohibitions discussed above.
Another requirement is for REs to ensure that all ‘its vendor locations, systems and applications’ don’t store card data in plain text. This is likely referring to entities like the REs’ technical partners (like vendors for debit card/ credit card/ EMI, etc.). Such entities are anyway subject to PCI-DSS obligations which require encryption, whether applicable directly or passed on contractually by REs (which are themselves otherwise restricted from sharing card data).
What is unclear is if this requirement also applies to entities like UPI’s TPAPs. Though unlikely, this could resolve issues like with UPI VPAs mapped to credit card (CC) numbers. UPI VPAs float in plaintext, exposing CC data when using UPI for payments to CCs this way. The key difference is that while standard UPI VPAs allow sending funds to the account alone, a leaked CC number also allows pulling funds from the account. This is a major concern particularly with recent issues that have emerged of creation of such UPI VPAs without customer consent.
If applicable, the Controls will require encryption of UPI VPAs containing card data. Even if not, the protection under the Controls goes beyond ‘card data’ alone to broader categories of ‘customer data’ and ‘payments data’. Here, while the safeguards are not prescribed but left to the RE’s discretion and risk perception, it very much requires assessing and addressing risk with such data. For example, the Controls ask for security controls focusing on how digital payments apps handle payment data, security of data in transit, minimising data collection in m-apps, etc.
- Reconciliation issues and impact on flexible settlement timelines
The Controls require REs to implement real-time/ near real-time reconciliation, within 24 hours of receiving the settlement file. Reconciliation can be a major pain point for service providers and merchants, since a certain number of transactions normally fail (~2% for bank transfers). Identifying these failed transactions and rerouting/ reversing them is complicated- for instance, for different banks and payment modes, the reporting formats and types of issues also vary. Delays here only add to customer grievances, making the requirement welcome.
Separately, the real-time reconciliation requirement will have no impact on the flexible/delayed settlement timelines allowed under the PA norms, given that settlement and reconciliation are two completely different processes.
PART III- What does Budget 2021 bring for digital payments?
Another significant development in Feb is the Budget- here the unchanged zero MDR stand was disappointing, but the payments industry can now look forward to the Rs.1500 crore fund instead. A scheme outlining how the funds will be deployed is still expected- predictions range from a boost to the PIDF, alternative acceptance infra subsidies, or typical direct financial incentives (think past Meity reimbursement and bonus schemes for merchants/customers). An MDR refund is perhaps unlikely- the current fund falls short by various calculations (eg.: banks had sought Rs.2000 crore per year last year), and moreover this is a one-time allocation only.
One general incentive is the enhanced tax audit exemption for businesses with 95% digital transactions and sales below Rs.10 crore. Apart from this, the payments industry may also benefit from the support promised in the Budget for a ‘world-class Fintech Hub’ for the Gujarat International Finance Tec-City (GIFT). Reports suggest a fintech policy will be revealed, which is said might also target payment companies to boost the fintech infrastructure at GIFT. Here, the scope for the fintech benefit for GIFT entities can include neobanking services for payments processing, cross border trade and remittance, payroll services, etc.
- Payments innovation: The application date for Umbrella Entities has been extended to March 31st, 2021. SEBI has also opened its regulatory sandbox to non-SEBI regulated entities, creating scope for even payment companies to participate and experiment with innovation here.
- Seeking new avenues: The recent RBI permission for residents to invest in securities issued by non-resident entities at GIFT’s IFSC via the Liberalised Remittance Scheme brings up an old ask- allow payment companies like PAs to process such capital account transactions, thereby bringing the fintech benefit here as well. Current norms restrict this to Authorized Dealers, allowing use of non-bank entities for specified current account transactions alone.
- Amendment to section 44AB of Income Tax Act, 1961, The Finance Bill, 2021, dated February 1, 2021.
- Article by Asheeta Regidi and Reeju Datta, Regulation 2.0 for Payment Aggregators: Reimagining the role of PAs and what still needs to change, Cashfree Blog dated May 29, 2020.
- Article by Asheeta Regidi and Reeju Dutta: The Indian Recurring Payments Landscape: Tapping into the Potential of UPI AutoPay, Cashfree Blog, dated August 25, 2020.
- Article by Komal Gupta: Representation on Clarifications on Guidelines on Regulation of Payment Aggregators and Payment Gateways, NASSCOM Policy Advocacy, dated January 4, 2021.
- Article by Srikanth Lakshmanan, Cashless Consumer: Airtel, ZoomCar leaking Credit Card Number during merchant refunds, Medium, dated February 26, 2021.
- Cashfree Report: Top Reasons Bank Transfers fail in India (First Edition).
- Government of India Document: Budget 2021-2022 Speech of Nirmala Sitharaman Minister of Finance, dated February 1, 2021.
- Media Report by Ashwin Manikandan & Anandi Chandrashekhar: Juspay Data Leak fallout: RBI swings into action to curb cyberattacks, The Economic Times, dated January 06, 2021.
- Media Report by Dinesh Unnikrishnan: HDFC Bank’s digital outages: 7 key takeaways from RBI action, Money Control, dated December 03, 2020.
- Media Report by Kapil Dave: New fintech park proposed by Gujarat for GIFT City, The Times of India, dated January 28, 2021.
- Media Report by Ridhima Saxena: Convenience Vs Security: RBI’s Proposed Rules On Card Payments Prompt Debate, BloombergQuint, updated on February 24, 2021
- Media Report: HDFC Bank submits action plan to RBI, hopes to fix outage issue in 3 months, Business Standard, updated on January 23, 2021.
- Media Report: Zero MDR: FinMin says no to banks’ compensation plea, The Hindu Business Line, dated January 07, 2020.
- Meity Notification: Subsidizing MDR charges on Debit Cards/BHIM UPI/AePS transactions of value less than or equal to Rs. 2000/-, dated 27 December, 2017.
- Meity Notification: Extension and Modification in the BHIM(Bharat Interface For Money) Referral Bonus Scheme for Individuals, dated 14 August, 2017.NPCI Operation Circular: Guidelines on volume cap for Third Party App Providers(TPAP’s) in UPI, NPCI/UPI/OC-97/2020-21, dated November 5, 2020.
- RBI Circular: Tokenisation – Card transactions, RBI/2018-19/103, dated January 08, 2019.
- RBI FAQs: Tokenisation – Card Transactions, dated May 18, 2020.
- RBI Notification: Card transactions in Contactless mode – Relaxation in requirement of Additional Factor of Authentication, RBI/2020-21/71, dated December 04, 2020.
- RBI Notification: Card Not Present transactions – Relaxation in Additional Factor of Authentication for payments upto ₹ 2000/- for card network provided authentication solutions, RBI/2016-17/172, dated December 6, 2016.
- RBI Notification: Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, RBI/2009-10/231, dated November 24, 2009.
- RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/2019-20/174, dated March 17, 2020.
- RBI Notification: Master Direction on Digital Payment Security Controls, RBI/2020-21/74, dated February 18, 2021.
- RBI Notification: Operationalisation of Payments Infrastructure Development Fund(PIDF) Scheme, RBI/2020-21/81, dated January 05, 2021.
- RBI Notification: Processing of e-mandate on cards for recurring transactions, RBI/2019-20/47, dated August 21, 2019.
- RBI Notification: Processing of e-mandates for recurring transactions, RBI/2020-21/74, dated December 04, 2020.
- RBI Publication: Annual Report of Ombudsman Schemes, 2019-20, dated February 08, 2021.
- Terms and Conditions for Cash Management Services, Kotak Mahindra Bank Limited