Towards a tokenization framework for cards
The Merchant Payments Alliance of India (MPAI) seeks to channel its collective operational experience to engage constructively with the policy and regulatory ecosystem as the voice of the merchant industry. As merchants, we are the first point of contact with consumers. We keep a keen ear out for their concerns and feedback and generate value by offering personalized solutions to meet their needs.
We refer to the Reserve Bank of India's (RBI) Circular dated September 07, 2021, on Card on File (CoF) tokenization (available here), read with the Guidelines on Regulation of Payment Aggregators and Payment Gateways (available here and here). Together, these prohibit merchants from storing customer card details on their servers with effect from January 01, 2022, and mandate the adoption of CoF tokenization.
These recent directives on processing online card-based transactions lay much-needed emphasis on security and fraud mitigation. We at MPAI welcome the intended objectives behind these directives and agree that card on file tokenization is a step in the right direction. That said, there are several operational challenges that can hinder the transition to the token-based payments ecosystem. Key among these is the level of participation by banks and card networks in the tokenization framework.
The tokenization framework
A successful tokenization transaction involves the creation of tokens, sharing tokenized card details and transaction information, verification of tokens at the back-end, and relay of authentication prompts between banks. Thus, merchants, Token Service Providers (TSPs), acquirers, card networks, and issuers must share transaction and authentication information within an interconnected technological infrastructure.
Migration to this framework will address safety and security concerns, provided that stable technical systems are implemented on an ecosystem level i.e. by banks, card networks, payment aggregators/payment gateways (PA/PGs), and merchants.
However, in the absence of ecosystem readiness with tokenization solutions, once merchants and PA/PGs are forced to purge card data, services such as grievance redressal, cashback, and rewards, EMI payments, recurring (auto-debit) transactions, and guest checkouts will break down, causing direct harm to consumers.
In this blog, we explain how attaining ‘ecosystem readiness’ is a sequential process of going live with stable API documentation for tokenized transactions. We highlight how today, the digital payments ecosystem is a long way from readiness and lastly, how the implementation of tiered timelines for compliance can help minimize disruption of consumer services.
The sequential process of ‘ecosystem readiness’
In respect of tokenized transactions, ‘readiness’ with technical systems must be viewed holistically from the end consumer’s perspective, and not as a compliance mandate of a particular bank or card network. Thus, consumers should be able to successfully conduct payment transactions using tokenized card details for the ecosystem to be considered ‘ready’. Developing these functional consumer-ready solutions entails a sequential process of API integration among all stakeholders in the digital payments ecosystem.
Essentially, this is a top-down process wherein issuers and card networks must first develop, test, and go live with stable application programming interfaces (APIs) enabling CoF tokenization. PA/PGs build, test, and roll out their solutions on top of the API documentation shared by issuers and card networks. Only thereafter can merchants integrate their internal payment processing systems with these available solutions. Merchants cannot create the relevant infrastructure and appropriately align their technical systems unless their preceding ecosystem partners, i.e. PA/PGs, card networks, and issuers, have already done so.
Importantly, unless stable-state API documentation is passed down the payments value chain, stakeholders will have to undertake periodic bug fixes and system updates. Consumers, as a result, would face lags, failed transactions, and undue delays in transacting. Ecosystem readiness therefore must be judged by the consumer's ability to seamlessly transact within a tokenization framework. Thus, merchants' ability to seamlessly migrate to the new tokenization framework depends on the participation of the rest of the payments ecosystem, particularly banks and card networks. Without this, even compliant merchants would be unable to avoid large-scale disruptions to the consumer experience and business operations, which may, in turn, erode digital payments adoption.
State of ecosystem readiness today
Under the tokenization framework, only banks and card networks are permitted to tokenize and de-tokenize card details as Token Service Providers. Merchants only issue tokenization requests to the Token Service Provider, at whose end the tokens are authenticated against the actual card details for fulfillment and delivery. Without issuers and card networks first being ready with adequate technical systems for generating tokens and enabling transaction fulfillment, available ‘plug n play’ solutions for tokenization will not work.
Tokenization of card data broadly involves two steps in sequential order: ‘token provisioning’ and ‘token processing’. Token provisioning entails the generation of unique tokens, each representing a combination of the customer’s card details and a specific merchant. Token processing entails transaction fulfillment using tokens, wherein the Token Service Provider matches the token against the customer’s card details for authentication.
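As an added illustration (a constructed model, not code from MPAI, the RBI, or any Token Service Provider), the two steps in Python: the TSP mints a random token bound to one card and one merchant and keeps the card number (PAN) only in its own vault, the merchant stores just the token and masked data, and the same token presented by a different merchant is declined. The class and function names (TokenServiceProvider, merchant_checkout_demo) and the test PAN are assumptions.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here to reject malformed PANs at provisioning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(pan) >= 12 and total % 10 == 0


@dataclass
class TokenServiceProvider:
    """Constructed model of a bank or card network acting as TSP: the only party holding the PAN vault."""
    vault: dict = field(default_factory=dict)  # token -> (merchant_id, pan, expiry)

    def provision(self, merchant_id: str, pan: str, expiry: str) -> dict:
        """Token provisioning: mint a random token bound to this card and this merchant."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("malformed PAN")
        token = secrets.token_hex(8)  # random, so the PAN cannot be derived from the token
        self.vault[token] = (merchant_id, pan, expiry)
        # Only the token and masked display data go back to the merchant for its card-on-file record
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def process(self, merchant_id: str, token: str, amount: int) -> dict:
        """Token processing: de-tokenize inside the TSP and authorize; the PAN never leaves."""
        entry = self.vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return {"status": "declined", "reason": "token not valid for this merchant"}
        _, pan, _ = entry
        # Stand-in for forwarding the real PAN to the issuer for authorization
        return {"status": "approved", "amount": amount, "masked_pan": "*" * 12 + pan[-4:]}


def merchant_checkout_demo() -> tuple:
    """Constructed walk-through: merchant keeps only the token record, then pays with it."""
    tsp = TokenServiceProvider()
    card_on_file = tsp.provision("merchant-A", "4111111111111111", "12/26")  # test PAN
    paid = tsp.process("merchant-A", card_on_file["token"], 499)
    replayed = tsp.process("merchant-B", card_on_file["token"], 499)  # same token, other merchant
    merchant_holds_pan = "4111111111111111" in str(card_on_file)
    return paid["status"], replayed["status"], merchant_holds_pan
```

The merchant-side record contains no PAN, which is why a merchant that has purged card data can still refund or re-bill a customer only once the TSP on the other side is actually live.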
Today, banks and card networks are not prepared to process any transactions with tokenized card data. The tokenization solutions that technology service providers (such as JusPay, PayU, PhonePe, and PayTm among others) have announced are currently not capable of successfully completing transactions using tokenized card data. It is unlikely that banks, networks, and PA/PGs will be ready with functional consumer-ready solutions by the December 31, 2021, deadline set by the RBI.
Further, merchants are yet to receive stable API documentation from PA/PGs that can help them build customer-facing checkout applications. It is worth noting that merchants cannot start testing and certifying their systems until issuers, acquirers, and PA/PGs are certified and live with stable APIs. In any case, absent ecosystem readiness, even compliant merchants would either lose out or be unable to monetize their digital services and product offerings, merely due to lapses in the implementation of technical regulations. These needless disruptions stifle our ability to unlock the transformative power of digital payments to propel India towards a $5 trillion economy.
Need for stakeholder consultation
Merchants have been mandated to delete stored card data, but no stakeholder in the digital payments ecosystem is mandated to create any alternate solution, including the regulator-approved solution, i.e. CoF tokenization. Notable experts have expressed concerns around the issue:
“It is very good that tokenization is introduced, however, merchants are last in the queue in the cascading IT arrangement involving card networks and banks. At this time unfortunately, banks are not ready. A lot of handholding is taking place between some specific banks but smaller banks are still struggling to fall into the system. Unless the entire ecosystem is ready, such deadlines will not help.” - Aruna Sharma (Former Secretary, Government of India and Member, RBI Digitization Committee, speaking at CUTS roundtable on “Implementing RBI's Tokenization Circular in Consumer Interest”)
“The mistake out here is that [the RBI] did not come out with a whitepaper, which would have gotten feedback.” - Vijay Chugh (Former Head, Department of Payment and Settlement Systems, RBI, speaking at CUTS roundtable on “Implementing RBI's Tokenisation Circular in Consumer Interest”)
Way forward – ensure readiness through tiered timelines
Should the no-card storage obligation trigger in the absence of ecosystem-wide card tokenization solutions, merchants regardless of size will be unable to provide life cycle management services such as refunds, redressal of complaints, and rewards. Further, recurring payments, guest checkouts, EMIs and personalized checkout services would be impacted. As a result, the consumer experience would be tedious and be prone to errors, lags, and failures.
To address these concerns, we recommend that:
A. Tiered timelines be enforced for compliance with the above RBI directives.
Banks, card networks, and technology service providers should first implement tokenization solutions, and thereafter merchants can be allowed an additional six-month period to integrate with the same.
B. Timelines to comply with the PA/PG Guidelines should be extended by at least six months post readiness by banks and card networks.
Merchants and PA/PGs should be required to purge card data once card networks and banks are ready and migration to the tokenization framework is complete on an ecosystem level.
C. Compliance levels of banks and card networks in terms of readiness with tokenization solutions be monitored by the RBI.
Even if a single issuer or acquiring bank or card network fails to complete integration with tokenization solutions, merchants would, despite their own best efforts, be unable to effectively serve all consumers having accounts or cards at such bank or card network. Thus, the RBI should monitor compliance levels of banks and card networks in terms of readiness with tokenization solutions. RBI should also require card networks and banks to demonstrate their consumer-focused readiness on tokenization before (a) requiring merchants to integrate with the system and (b) requiring merchants to delete card on file information.
D. Consumer awareness is key
Consumers should not have to struggle through their confusion like they did post 30 September on the e-mandate regulation. Therefore, the RBI along with banks and supported by the rest of the ecosystem must diligently ensure consumer awareness and knowledge building in this regard.