The Reserve Bank of India (RBI) is unlikely to extend a Friday deadline for businesses to set up an additional layer of security for consumers' credit card data, quoting bankers and merchants, Reuters reported on Thursday. According to the report, the bankers and merchants are fearing this move could lead to payments failing and revenue losses.
As of now, there has been no indication by the RBI that there is likely to be an extension in deadline despite a demand by smaller merchants to delay the compliance date, quoting banking merchant sources, Reuters said.
"The general sense is that banks, card networks and (bigger) merchants are better prepared and so the push from the ecosystem side for an extension has also not been massive and we haven't received any indication to suggest an extension either," said a banker with a large state-owned bank. "If it happens, it will be a surprise," he added.
Three years ago, India embarked on a mammoth exercise to secure card data by requiring businesses to tokenise cards by September 30.
What is tokenisation?
Tokenisation is a process by which card details are replaced by a unique code or token, generated by an algorithm, allowing online purchases without exposing card details, in a bid to improve data security.
The central banking regulator first introduced the norms in 2019 and after several extensions has ordered all firms in India to purge saved credit and debit card data from their systems by October 1, 2022.
While banks, card companies, and large retailers are prepared, smaller merchants may face trouble which they say could lead to revenue losses for them in the short-term.
Merchant associations have also reached out to the RBI to see if they can be given more time. Some merchants and bankers also fear card-related transactions may drop in the short-term after tokenisation norms are introduced.
"The moment an additional layer or friction is introduced, payments seem to drop. And there are concerns that initially we may see recurring drop by similar levels to what we had seen," said Rohit Kumar, Founding Partner of TQH Consulting, a public policy consulting firm.
According to merchants, when the previous tokenisation deadline was nearing, recurring payments were failing by 10-15 per cent. Apart from payments, other things that need to be stress tested include what happens when a product is returned and other post-transaction flows as card data will not be stored on the merchant servers, said Rajaram Suresh of Boston Consulting Group.
Unlike India where it has been made mandatory, European stakeholders have been encouraged to tokenise cards for security benefits, Suresh added. However, analysts argue that at a time when digital payments are expected to reach the $10-trillion mark by 2026, tokenisation is imperative.
Data from the RBI said that fraud concerning card or internet transactions have been on a rise and made up 34.6 per cent of total number of fraud cases in FY21.
"People are used to one-click checkout so adoption may take more time and some people may shift to cash but considering that this makes online transactions more secure, customers will adopt this faster without much chaos this time around," said Jagdish Kumar, senior vice-president, Worldline India.