All You Need to Know About RBI’s Tokenisation Rule and Its Impact

As the year 2021 slowly nears its end, online businesses are getting slightly anxious about complying with the saved cards and tokenisation guidelines issued by the Reserve Bank of India (RBI).

In March 2020, the RBI said merchants can’t store users’ actual debit or credit card details beginning January 1, 2022. It has now postponed the deadline to June 30, 2022.

On the face of it, this sounds like a major setback for e-commerce companies as buyers won’t be able to use their saved cards for quick checkout, which might result in a higher rate of cart abandonment.

However, since consumers’ benefit was at the heart of the RBI’s circular on saved cards, the apex bank offered a solution as well: tokenisation of cards.

What does tokenisation mean?

In simple terms, tokenisation is the process of replacing sensitive details, such as the 16-digit debit or credit card number, with a unique set of codes known as tokens.

RBI has mandated the storage of tokenised debit and credit card details instead of the actual data to improve the safety and security of the payment system.

This directive from RBI kills two birds with one stone: it instils confidence in online shoppers to make digital payments without any fear, and it takes away the pressure on e-commerce companies to safeguard users’ sensitive card details.

RBI’s decision to stop online merchants from storing card details is a result of two years of experimentation and multiple discussions with relevant stakeholders.

Let’s understand what happened in the span of the last two years.

Deconstructing RBI’s saved card and tokenisation circulars

In January 2019, RBI kicked off this landmark change in the country’s fintech space with its circular on tokenisation.

In the circular dated January 8, 2019, the RBI said card network providers can carry out tokenisation in debit or credit card transactions via mobile app, QR code, Near Field Communication (NFC), and a few others. It allowed card network providers to offer tokenisation services to any token requestor such as third-party app providers.

In March 2020, RBI widened the ambit of its 2019 circular and said, “neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them can store customer card credentials within their database or server.”

It is to be noted that till August this year, RBI had not proposed any solution for merchants no longer being able to offer saved card payments, also known as Card-on-File (CoF), to users.

In September 2021, RBI issued a fresh circular detailing and extending the device-based tokenisation to CoF Tokenisation (CoFT) as well. It essentially means that instead of saving users’ card details, e-commerce companies will have to partner with card network providers to tokenise details for fast checkout.


| Timeline | Directives | Impact on the industry |
| --- | --- | --- |
| January 8, 2019 | RBI allowed card network providers to tokenise card-based transactions. However, this was limited to payments on mobile apps, QR codes, NFC, and a few other payment types. | Card network providers such as Visa, Master Card, RuPay, and American Express had to integrate tokenisation technology with their network. These companies also had to prepare themselves to provide tokenisation services to third-party app providers. |
| March 31, 2021 | RBI said neither e-commerce companies nor payment gateways and aggregators can save users’ card details. This directive was limited to payments on mobile handsets and tablets. | All the companies that have been saving card details had to comply with the RBI’s regulation by July 2021. This would have directly affected e-commerce companies as saved card features help them in reducing the cart abandonment rate. |
| August 25, 2021 | This time, RBI expanded its previous directive to include payments happening on laptops, desktops, wearables, and IoT devices. | While RBI extended the deadline of complying with its previous circular to December 31, 2021, it increased the ambit of the application. |
| September 7, 2021 | RBI allowed card network providers to tokenise saved card transactions or Card-on-File payments. Just like its previous circular, it asked network providers to certify e-commerce and payment gateways as token requestors. This means that the end-customers can tokenise their saved cards for faster checkouts. | Online businesses that have saved users’ card details will have to partner with a network provider before December 31 this year to comply with the rules. (The deadline has now been postponed to June 30, 2022.) Else, they will have to delete all the card details that have been saved on their servers. |

How will CoF Tokenisation affect customers?

Online buyers are the real winners here. The RBI has put the end-user’s safety at the center of this rule.

On one hand, it has ensured online businesses can’t store users’ card details anymore; on the other hand, it has allowed the usage of tokenisation so that customers enjoy a faster buying experience with saved cards, just like they used to.

Flowchart of Tokenisation Via Paytm Token Gateway

Online shoppers who have saved their card details with different e-commerce, travel, and ticket booking websites will have to give their consent and complete an additional factor of authentication via an OTP to tokenise their saved cards.

Once their cards are tokenised, customers can continue to pay online by choosing one of the saved cards.

The effect of RBI’s guidelines on merchants

For e-commerce companies, the saved cards feature has been a saviour as it increases the chances of customers going through the checkout process and buying the products in the cart.

However, by the end of June 2022, online merchants will have to either delete their users’ saved cards or allow them to save the tokenised version of their card details.

The RBI has mandated e-commerce companies to take explicit consent from their users and further authenticate it with an OTP before their card details can be tokenised. They also have to provide users with an option to delete their tokenised saved cards from the platform.

How can online businesses abide by the RBI guidelines?

As per the RBI guidelines, only card network providers such as Visa, Master Card, American Express, RuPay and others can use tokenisation technology to save customers’ sensitive card details.

To enable tokenisation, online businesses will have to directly partner with a card network provider. For an easier integration, online businesses can also choose to work with their existing payment gateway like Paytm Payment Gateway to tokenise customers’ credit and debit cards.

Going forward, merchants will have to choose either of these options if they wish to continue offering faster checkouts with the saved card feature.

How Paytm Payment Gateway can help businesses

Paytm Payment Gateway has always been on top of the changes that happen in the industry.

Ever since the RBI released the new guidelines for tokenisation of cards, we have been working with the relevant stakeholders in the industry to come up with an apt solution for our existing as well as new merchants.

To enable online merchants to comply with the RBI guidelines, we have launched Token Gateway Solution. We have partnered with major card networks to provide our merchants with a comprehensive and single integrated solution.

Paytm Token Gateway Solution is suitable for:

  • merchants who have been saving users’ card details on their own servers
  • merchants who leverage payment gateways or aggregators to store card details

This is hands-down the easiest way to comply with the RBI guidelines and provide users the comfort of faster checkouts. Get in touch with our experts now; they will guide you on how to get started with tokenisation.

