MUMBAI (Reuters) – The Reserve Bank of India (RBI) is unlikely to extend a Friday deadline for businesses to set up an additional layer of security for consumers’ credit card data even after some concerns remain over payments failing and revenue losses, say bankers and merchants.
Despite a demand by smaller merchants to delay the compliance date, there has been no indication so far by the central bank that there is likely to be an extension in deadline, three banking and merchant sources with knowledge of the matter told Reuters.
The RBI, India’s central bank, did not respond to an email request for comment.
“The general sense is that banks, card networks and (bigger) merchants are better prepared and so the push from the ecosystem side for an extension has also not been massive and we haven’t received any indication to suggest an extension either,” said a banker with a large state-owned bank.
“If it happens, it will be a surprise,” he added.
Merchants ask Reserve Bank of India for more time
Three years ago, India embarked on a mammoth exercise to secure card data by requiring businesses to tokenise cards by Sept. 30.
Tokenisation is a process by which card details are replaced by a unique code or token, generated by an algorithm, allowing online purchases without exposing card details, in a bid to improve data security.
The RBI first introduced the norms in 2019 and after several extensions has ordered all companies in India to purge saved credit and debit card data from their systems by Oct. 1, 2022.
While banks, card companies and large retailers are prepared, smaller merchants may face trouble which they say could lead to revenue losses for them in the short-term.
Merchant associations have also reached out to the central bank to see if they can be given more time.
Some merchants and bankers also fear card-related transactions may drop in the short-term after tokenisation norms are introduced.
“The moment an additional layer or friction is introduced, payments seem to drop. And there are concerns that initially we may see recurring drop by similar levels to what we had seen,” said Rohit Kumar, Founding Partner of TQH Consulting, a public policy consulting firm.
When the previous tokenisation deadline was nearing, recurring payments were failing by 10-15%, according to merchants.
Stress tests beyond payments
Apart from payments, other things that need to be stress tested include what happens when a product is returned and other post-transaction flows as card data will not be stored on the merchant servers, said Rajaram Suresh of Boston Consulting Group.
Unlike India where it has been made mandatory, European stakeholders have been encouraged to tokenise cards for security benefits, Suresh added.
However, analysts argue that at a time when digital payments are expected to reach the $10 trillion mark by 2026, tokenisation is imperative. Fraud concerning card or internet transactions have been on a rise and made up 34.6% of total number of fraud cases in FY21, according to central bank data.
“People are used to one-click checkout so adoption may take more time and some people may shift to cash but considering that this makes online transactions more secure, customers will adopt this faster without much chaos this time around,” said Jagdish Kumar Senior Vice President of Worldline India.
(By Nupur Anand; Reporting by Nupur Anand; Editing by Josie Kao)
Related article: Reserve Bank of India won’t budge on local data storage rules