May 2021
Over the last couple of years, India has seen tremendous growth in online retail, apparel, travel, over-the-top (OTT) media, food delivery, online medicine and e-consultation services. Growth in these areas has in turn helped online payment to grow significantly in India. While multiple payment options are offered by these merchants to customers, cards are one of the preferred modes. Merchants and their payment processors are trying to achieve convenient payment experiences by offering faster checkouts and one-click payment to customers. Card on file is one of the features which help achieve these objectives.
A card on file, or stored credentials, is the card information stored by a merchant, payment gateway, payment aggregator or digital wallet to process future transactions.
These players store the card number and other relevant details related to a card in an encrypted format; however, the card verification value (CVV) is not stored. At the time of a card transaction, customer consent is taken to store these card details for future reference.
Typically, two stages are involved in the card-on-file functionality:
First stage: This is the first transaction for which the cardholder enters details to authorise the transaction with two-factor authentication (2FA) on any online platform. At the time of this transaction, the merchant typically asks for customer consent to store the details.
Second stage: This stage typically involves two scenarios:
Card on file is a very important feature in terms of customer convenience and making the transaction process smooth.
It has two main benefits:
In 2019 and 2020, RBI issued two guidelines with respect to the security aspects of card on file and storage of card details by merchants or payment aggregators. The following guidelines pertain to the card-on-file functionality:
RBI issued a guideline on 17 March 2020 (updated on 17 November 2020) on ‘Regulation of Payment Aggregators and Payment Gateways’.1 According to the guideline, payment aggregators and merchants cannot store any sensitive customer information like card details and have to comply with the storage requirements applicable to payment system operators (PSOs). This guideline has to be implemented by payment aggregators and merchants by 31 December 2021.
In August 2019, RBI issued a guideline2 for cards and PPI which was subsequently extended to UPI in January 2020. As per this guideline, ‘Banks [have] to send a notification to customers five days prior to the payment being deducted and allow the transaction to go through only after the customer approves it.’ This is applicable to recurring transactions on cards, UPI and digital wallets. Although the initial deadline to implement this on guideline was 31 March 2021, RBI has extended the same on 30 September 2021 in its latest circular issued on 31 March 2021.
Online card transactions involve multiple entities such as merchants, payment gateways and financial institutions – each of which is as a potential risk entity for cyber criminals. Phishing, malware attacks, data theft are some of the categories of fraud related to card transactions and data.
Data breaches have also seen a significant increase. Some recent incidents of data breaches that have made headlines are:
The customer has to provide consent before auto debit is executed. This will dissolve the whole purpose of auto debit and the customer might miss the notification for consent which may lead to default or inconvenience.
Merchants, banks, card networks and payment aggregators have to make required technical and process changes at their end which will be cumbersome and costly.
Monthly transactions worth INR 2,000 crore will be impacted if participants are unable to comply with the guidelines on time.
Customer payment experience could take a hit as customers would be required to enter the card details each time they make a purchase through the website.
Customers would use alternative payment modes (other than cards).
Recurring payments in case of subscription-based services would be impacted as the renewal cost would not be automatically deducted and the customer would be asked for the subscription/renewal fee for every cycle.
The following participants will be impacted by these guidelines:
The following are the major impacts:
Technological changes: All the participants have to make technical changes to their existing storage as well as recurring payment functionalities. Since these are standard and traditional functionalities provided by these players, it is a major change in terms of architecture and process.
Impact on subscription business: These guidelines will have a major impact on payment collection for subscription-based services like e-commerce, OTT media, e-pharma and food delivery. These companies have provided a seamless payment experience with the help of card on file. The RBI guidelines will hamper their payment collection process and may lead to a high customer churn rate.
Merchant dependency on acquiring banks: Some merchants store card details in an encrypted format. This helps them with the customer service, resolution of customer complaints, refund processing, etc. With these guidelines, merchants will have to rely on acquiring banks to address these concerns.
Monetary impact: Implementation of these guidelines will impose a cost burden on these players. Changes in tech architecture change, process changes, notification and consent from customers for recurring transactions and customer acquisition strategy changes will have an impact on their purses.
With the introduction of the new guidelines, the industry, as a whole, needs to look towards alternative solutions to provide customers with recurring payment solutions.
Tokenisation is an evolution of the current process that enhances transaction security. Tokenisation increases data security through encryption. Sensitive customer card information is replaced by a mathematically irreversible encrypted ‘token’ that is associated with the card number or with a previously authorised transaction. This token can be used for future transactions as well as recurring payments, eliminating the need for merchants to store any sensitive customer information.
Apart from tokenisation, changes in the card-on-file regulations can be addressed through alternative payment methods like UPI Autopay, e-NACH (National Automated Clearing House) mandates and digital wallets. While these solutions may not be able to replicate the process or experience of card-of-file transactions, they have their own advantages.
Tokenisation is not a new concept and has been used as a security feature for card-saving and recurring payment services. Tokens are automatically generated in real time at the time of payment and do not slow down the payment process while preventing card information from hitting merchant servers.
Tokenisation is the most logical solution for tackling the new card-on-file regulations. As tokenisation does not slow down the payment process, it would go unnoticed by the end user while eliminating the actual exchange of customer information. While eliminating the exchange of card information, tokenisation does not eliminate the key advantages of card of file like easy recurring payments and quick checkouts. As the created tokens are reusable, the merchants are able to charge the token multiple times for recurring payments without customer intervention.
Apart from eliminating the need for storing card information, tokenisation will help increase customer trust in digital transactions as well as issuer confidence in approving transactions due to the additional security layers and lower chances of data breaches. It also helps eliminate some of the main causes for transaction rejections, providing a smoother user experience and enhanced customer and issuer trust as the information does not get outdated, unlike card information stored on file.
When a transaction is initiated by the customer, the token requestor is responsible for sending the token information to the card network via the acquiring bank. The card network in turn communicates with the token vault to obtain the respective PAN and passes the same onto the card issuer. The card issuer is responsible for processing the request and executing any security protocols while relaying the transaction success or failure back to the network and the merchant. Despite there being additional steps in the payment process, these take place behind the scenes and do not impact the customer experience or transaction time significantly.
Despite tokenisation being the seemingly obvious choice, implementation challenges would need to be considered and overcome to achieve widespread adoption. Changes will be required to incorporate tokenisation of card numbers which will increase the implementation time, but the benefits of offering tokenisation heavily outweigh the impact and costs.
There are a few additional challenges that need to be taken into consideration. Current regulations permit tokenisation of card credentials on mobiles/tablets only. With the growth of e-commerce assisted by the card-on-file functionality and emergence of new contactless payment modes, extending the guidelines to cover new uses cases like e-commerce, IoT and transit should be considered. Extending the guidelines on tokenisation to cover e-commerce as a use case will also partly reduce the challenges arising from the guidelines on recurring card transactions where card on file is a necessity. Tokenisation will allow the closest replication of the functionality and usability of card-on-file transactions while also providing significantly more security for both users and merchants.
Recent guidelines will have an impact on card transactions as customer convenience and recurring payments will be affected.
Customers will be tempted to consider other payment modes like UPI, NACH and digital wallets in place of cards. UPI has already eliminated some of the dependence on card transactions by allowing instant payment transactions over the IMPS infrastructure while offering services like proxy identifiers, low-limit recurring payments for subscriptions and low-value EMIs. Digital wallets have emerged as one of the major payment modes through new functionalities such as one-click payments, bill payments, auto debits and marketplace. e-NACH mandates have looked to address the high-value B2B and B2C recurring payment market, allowing customer to set limits and variable recurring payment amounts.
Despite the availability of these alternative methods and their advantages, it is difficult to consider them as replacements for card-on-file transactions. Although UPI has been considered a preferred mode for low-value retail transactions, RBI guidelines are applicable on recurring transactions through UPI. e-NACH mandates lack a seamless user experience with higher mandate initiation times. Also, like digital wallets, they involve additional steps or considerations which again limits their viability as true alternatives.
Source: PwC analysis
The changes in the RBI’s regulations will have a major impact on how customers choose to make payments and on how merchants ensure minimal disruption to the check-out experience. Tokenisation is the logical way forward with minimum impact on customers, but it requires major infrastructure changes by banks and merchants to accommodate the encryption process. There will be a learning curve and the industry as a whole will need time to adapt and adopt tokenisation.
Seamless completion of recurring transactions has been a significant factor for growth of digital transactions in bill payments, subscriptions, etc. While the need for instilling customer confidence cannot be overlooked, it should not be at the cost of their convenience. Ecosystem stakeholders will be required to develop solutions that can maintain a balance between customer data security and convenience on the one hand and satisfaction of RBI requirements and faster adoption by customers on the other.
Glossary | |
IMPS | Immediate Payment Service |
---|---|
NACH | National Automated Clearing House |
NBFC | Non-banking financial company |
PAN | Permanent Account Number |
PSO | Payment system operator |
UPI | Unified Payments Interface |
On 31 March, the Reserve Bank of India (RBI) extended the timeline for processing recurring online transactions by six months. Now banks and financial institutions have time until 30 September to implement the new framework.
The regular automatic payments using debit and credit cards or prepaid payment instruments (PPIs) or UPI will be impacted from tomorrow.
Transaction volumes over the Unified Payments Interface (UPI) more than doubled over a year, touching 2.73 billion in March 2021 compared to 1.25 billion a year ago.
Recurring payments across streaming services, magazines and news portals are likely to be impacted after the RBI’s new notification.
UPI transaction volumes have increased to 2.3 billion (about 77%) compared to last year, and the value has doubled to INR 4.3 crore.
Over the last few days, banks have started sending messages or emails to their credit card users intimating them that any standing instruction for recurring transactions will not be approved by the bank beginning 1 April 2021.
Amazon India wish to convert cash-hardened customer into a digital one.