Dear Reader, 

The 19th edition of the Spotlight brings to you an account of the recent regulatory developments on the operationalisation of card-on-file-tokenisation (CoFT). In this edition, we unravel the looming uncertainty which led to stakeholders’ uproar and throw light on CUTS’ successful advocacy efforts in requesting the regulator to extend the deadline for implementation of the CoFT circular.
We look forward to hearing your comments and suggestions!

Unravelling the CoFT Uncertainty

The Reserve Bank of India (RBI), in continuation of its efforts to improve safety and security of card transactions, permitted tokenisation, vide its circular ‘Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services’ (CoFT Circular), dated September 7, 2021. Read with ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ (PA/PG Guidelines), the RBI barred all entities in the card-based digital payment chain (including merchants and PAs/ PGs), other than Token Service Providers (TSPs), i.e., card issuers (banks) and card networks, from storing consumers’ card details, with effective from January 01, 2022. Entities other than TSPs were directed to purge previously saved card details by this deadline.

What is CoFT?
Tokenisation refers to replacing actual card details with a unique alternate code called a “token”, which shall be unique for a combination of card, token requestor and merchant.

Lacunae Identified
While the RBI’s visionary stance was laudable, stakeholders identified certain concerns/ challenges associated with the operationalisation of tokenisation by the prescribed deadline. Notable amongst them is that in case merchants are required to comply with the deadline of purging all saved card data and not store card data henceforth, and CoFT is not operationalised by then, it will force consumers to undergo the process of re-entering all their card details every time they want to make a card-based digital payment. Other issues have been encapsulated below.

Lack of Ecosystem Preparedness No deadline for TSPs Unintended Adverse Impact on Consumers Lack of Consultation
As a sequential procedure, tokenisation involves an orchestrated effort of multiple entities in the card-based online payments chain to create a robust digital infrastructure that supports tokenisation.
The complexity and interdependency of the system are such that testing, fixing of issues, and re-development of the software over multiple rounds at each level of the payment chain becomes crucial.
This process is likely to take time. However, the RBI had given the entire digital payment ecosystem less than four months to operationalise CoFT.
No technical deadline/ incentive was provided for TSPs to operationalise CoFT by the prescribed deadline.
However, an available deadline of January 01, 2022, was given to other stakeholders to purge card data.
A nationwide consumer survey conducted by CUTS showed that around 82 percent of consumers claimed to face inconvenience in re-entering all their card details for every card-based online payment. This had the potential to impact consumers’ mode of payment preferences.
These have been depicted in the graphs below.
The RBI did not host inclusive public consultation to gauge the challenges/ concerns of different stakeholders on implementing the CoFT circular in a timely, scalable and secure manner.

RBI Notification Extending Timeline by six months
Upon several representations by key stakeholders, and by CUTS (by way of an open letter (available here), survey to gauge consumer perspective (available here), roundtable discussions with experts (available here)), the RBI extended the timeline for purging data by six months via its Notification ‘Restriction on storage of actual card data [i.e., Card-on-File (CoF)]’.

Recommendations and the Way Forward
The extension given by the RBI has been welcomed by CUTS (details available here). However, this is just half a battle won by consumers. The following may be ensured as the way forward.
  • RBI should be more proactive by continuously monitoring the ecosystem and sharing the rationale/ technical soundness of tokenisation directives through literature in the form of Whitepaper or updated FAQs.
  • Adoption of an inclusive consultation process. A compilation on the good international practices for consultation is available here.
  • Adopt the concept of Regulatory Sandbox, and evidence-based regulation-making, through tools such as Cost-Benefit Analysis, to ensure that the cost of regulation does not outweigh its envisaged benefits.
  • Generate consumer awareness and build the capacity of consumers to familiarise consumers with tokenisation.
Prepared by Vidushi Sinha.