The future of card storage and card based recurring payments in India

Asheeta Regidi, Head, Fintech Policy at Cashfree.

This article was first published on ET BFSI dated March 30th, 2021.

By Asheeta Regidi and Reeju Datta

A significant change is expected to card-based payments, with RBI restrictions on card data storage [1] by merchants and payment aggregators (‘PAs’), and separate restrictions on non-compliant e-mandates [2], coming into effect soon. All card payments, including recurring payments, will now need card data to be re-entered every time. There are some alternatives, and more can be developed given that the end goal is security. The negative impact on the customer experience and on cards as a payment mode can, however, easily be mitigated through an alternative approach, or at the least a delay in implementation. Despite the ongoing industry efforts [3], so far the RBI hasn’t changed its stance.

Exploring the alternatives

Many card-related services from PAs and merchants depend on the stored data, and reworking these flows will introduce complications. This will also lead to a further increase in customer grievances, even as ongoing technical issues like bank downtimes [4] and technical upgrades [5] have been disrupting the digital payments experience. There are nevertheless alternatives for customers:

i) Card network authentication solutions as an option

PAs and merchants provide consent-based options to customers for saving card data, allowing a seamless payments/checkout process. Post-prohibition, friction will increase, as will the chances of transaction failures, say due to key-in errors. Card-network provided solutions are an alternative here, for card-saving (Visa Checkout, Masterpass) and one-click payments (Visa Safe Click). The prohibition doesn’t apply to card networks, and the RBI has in fact also relaxed AFA requirements here up to Rs.2000/- [6]. However, two issues arise here. First, technical issues like integration delays have held back the widespread availability of these solutions. Second, given current practices, the solutions themselves may be designed to share card data with other players in the payments chain. These will need adapting to ensure card data is saved at the card network level alone.

Also unimpacted are mobile/tablet based card-saving solutions, as permitted under the RBI’s 2019 tokenisation notification [7]. Apart from this, other payment modes like UPI, net banking, wallet-based payments, contactless payments at PoS, QR codes, etc., are of course unimpacted.

ii) UPI AutoPay and eNACH over card-based recurring payments 

Cards are highly popular as a recurring payments option: for subscriptions, automated monthly bill payments, insurance premium payments, etc. These will now need card data re-entered for every subsequent payment, instead of for mandate creation alone. The convenience of the enhanced AFA relaxation up to Rs.5000/- is thereby lost completely.

Card network solutions can also work here as a card-based alternative. Non-card based alternatives will be UPI AutoPay [8] and eNACH [9]. Along with net banking authenticated eNACH mandates, debit card authenticated ones are also unimpacted, since the debit card data is required only to generate the mandate. Once access is thereby gained to the bank account, funds can be pulled directly using NPCI rails. Card storage is hence not required here.

On a side note, potential e-mandate use cases [10] via cards without AFA, like low-value on-demand recurring payments (e.g., taxi/food delivery aggregators), are also lost. Card network authentication solutions, and AutoPay if extended in future, will be the options that remain.

iii) For refunds, chargebacks and dispute resolution

These processes in fact do not require stored card data. Merchants and PAs can communicate the relevant transaction reference number to card networks, which in turn effect the required reversals. However, for refunds, alternative workarounds like faster refund solutions are no longer possible.

Conflict with e-mandate notification

Subscriptions and other recurring payments are normally handled by merchants and PAs. Given the challenges the prohibition creates for continuing to do so, a conflict emerges where banks are not yet technically equipped to take over. The framework for card-based e-mandates created by the RBI in August 2019 [11] was to be put in place by the issuers. This was followed by the December 2020 notification enhancing the AFA relaxation here up to Rs.5000/-, and also requiring all non-compliant e-mandate facilities to be discontinued by this month-end, i.e., March 31st, 2021. The result of this restriction, coupled with that on card data storage, could majorly disrupt existing e-mandates if the banks are unable to transition in time.

Tokenisation as a solution

Tokenisation is in fact an existing security feature of the card-saving and recurring payment services offered by PAs: the PA saves the card data and shares only a token with the other stakeholders for payments processing. This now comes to an end with the prohibition. Regardless, tokenisation remains a promising solution to the prohibition, meeting the dual goals of minimising card data sharing while allowing card-based payments to continue unhindered. There are challenges here. One is that new infrastructure and integrations will be required to implement it at the scale now required. The second is the lack of a proper regulatory framework. The current 2019 tokenisation notification [12] is for use on mobiles/tablets, designed more as an optional security measure for customers than as the basis of what would be required here. For instance, seamless creation of an e-mandate will be impacted if the customer hasn’t registered, or has deregistered [13], tokenisation for a specific use case (contactless payments, QR code, in-app, etc.). A different framework is required for the tokenisation needed now.
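As an added illustration, not code from the article or from any PA or card network, the hypothetical Python model below shows the arrangement described above: card data lives only inside a tokenisation vault, every other stakeholder holds a random token plus masked digits, recurring charges are initiated with the token alone, and a charge against a deregistered token fails, which is the e-mandate edge case the paragraph mentions. The class, function names and the sample card number are constructed for the example.

```python
import secrets


class TokenVault:
    """Hypothetical PCI-scoped vault: the only place card data (PAN, expiry)
    is held. Every other stakeholder sees only the opaque token."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry); constructed in-memory store

    def tokenise(self, pan: str, expiry: str) -> str:
        """Store the card once and return a random token that cannot be
        reversed to the PAN without access to the vault's mapping."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)  # not derived from the PAN
        self._cards[token] = (pan, expiry)
        return token

    def deregister(self, token: str) -> None:
        """Customer opts out: the mapping is deleted, so the token is dead."""
        self._cards.pop(token, None)

    def masked(self, token: str) -> str:
        """Only the last four digits ever leave the vault (receipts, UI)."""
        pan, _ = self._cards[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def charge(self, token: str, amount: int) -> dict:
        """Recurring debit requested with the token alone. Detokenisation
        happens inside the vault; in a real system the PAN is forwarded to
        the card network here and is never returned to the caller."""
        if token not in self._cards:
            return {"status": "failed", "reason": "token deregistered or unknown"}
        return {"status": "ok", "amount": amount, "card": self.masked(token)}


def merchant_card_on_file(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the merchant/PA-side record is allowed to keep: no PAN, no expiry."""
    token = vault.tokenise(pan, expiry)
    return {"card_token": token, "display": vault.masked(token)}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_card_on_file(vault, "4111111111111111", "12/26")  # constructed test number
    print(record)                                    # token + ************1111 only
    print(vault.charge(record["card_token"], 499))   # ok, charged via token
    vault.deregister(record["card_token"])
    print(vault.charge(record["card_token"], 499))   # fails: mandate broken
```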

Taking alternative regulatory approaches towards greater security

The prohibition was originally introduced last year via the RBI norms on PAs and payment gateways (‘PGs’) [14]. The prohibition on card storage will come into effect soon: for non-bank PAs this will be when they acquire authorisation, the last date to apply for which is June 30th, 2021.

Security is an issue that needs addressing, more so given recent incidents of compromised card data [15]. The RBI Digital Payment Security Controls [16] have in fact been introduced to the same end, but these take a different approach, requiring security measures like no storage of data in plain text, and increased security compliances like PCI-PIN, PCI-PTS, PCI-HSM, etc., mandating card security in new places. The requirements do still fall short [17] of addressing issues like UPI VPAs mapped to credit card numbers [18] and floating around in plain text. However, it still takes a more welcome approach to strengthening security, in its effort to resolve the issue from the core without an outright prohibition.

While the PA norms brought in several welcome changes, introducing flexibility and allowing new innovation [19], this prohibition presents a major disruption. It also disrupts the playing field between PAs and other payments players, despite the same extensive security requirements via PCI-DSS compliance, etc. Given these, it is hoped that the RBI will reconsider its stand and explore alternatives to achieve the same goal. Alternatively, delaying implementation of the prohibition together with bringing in a more suitable framework for wider implementation of tokenisation would be welcome.

  1. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/2019-20/174, dated March 17, 2020.
  2. RBI Notification: Processing of e-mandates for recurring transactions, RBI/2020-21/74, dated December 04, 2020.
  3. Article by Komal Gupta: Representation on Clarifications on Guidelines on Regulation of Payment Aggregators and Payment Gateways, NASSCOM Policy Advocacy, dated January 4, 2021.
  4. Media Report by Dinesh Unnikrishnan: HDFC Bank’s digital outages: 7 key takeaways from RBI action, Money Control, dated December 03, 2020.
  5. Media Report by Ashwin Manikandan: NPCI bulks up for one billion transactions per day, The Economic Times, dated February 18, 2021.
  6. RBI Notification: Card Not Present transactions – Relaxation in Additional Factor of Authentication for payments upto ₹ 2000/- for card network provided authentication solutions, RBI/2016-17/172, dated December 6, 2016.
  7. RBI Circular: Tokenisation – Card transactions, RBI/2018-19/103, dated January 08, 2019.
  8. NPCI Press Release: NPCI introduces UPI AutoPay facility for recurring payment, dated July 22, 2020.
  9. NPCI Website: National Automated Clearing House Product Overview.
  10. Article by Asheeta Regidi and Reeju Dutta: The Indian Recurring Payments Landscape: Tapping into UPI AutoPay’s Potential, Medici Blog, dated August 25, 2020.
  11. RBI Notification: Processing of e-mandate on cards for recurring transactions, RBI/2019-20/47, dated August 21, 2019.
  12. RBI Circular: Tokenisation – Card transactions, RBI/2018-19/103, dated January 08, 2019.
  13. RBI FAQs: Tokenisation – Card Transactions, dated May 18, 2020.
  14. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/2019-20/174, dated March 17, 2020.
  15. Media Report by Ashwin Manikandan & Anandi Chandrashekhar: Juspay Data Leak fallout: RBI swings into action to curb cyberattacks, The Economic Times, dated January 06, 2021.
  16. RBI Notification: Master Direction on Digital Payment Security Controls, RBI/2020-21/74, dated February 18, 2021.
  17. Article by Asheeta Regidi: Payments Digest by Cashfree: Feb 2021, Cashfree Blog, dated March 17, 2021.
  18. Article by Srikanth Lakshmanan, Cashless Consumer: Airtel, ZoomCar leaking Credit Card Number during merchant refunds, Medium, dated February 26, 2021.
  19. Article by Asheeta Regidi and Reeju Datta, Regulation 2.0 for Payment Aggregators: Reimagining the role of PAs and what still needs to change, Medianama Blog, dated May 29, 2020.