India’s data storage conundrum: analysing the RBI’s perplexing regulations on storage of card data
Probir Roy Chowdhury and Yajas Setlur of J Sagar Associates discuss why the RBI’s policy on data storage could have a devastating impact on India’s digital payments industry
The Reserve Bank of India (RBI) has, with good reason, been lauded for its contributions to India's fintech revolution. The RBI's progressive approach towards regulation and its attitude towards new technologies and business models have been instrumental in shaping the country's fintech industry and in creating a more scalable, secure, and stable financial services landscape.
Yet, despite these achievements, some of the RBI's more recent policy decisions have baffled fintech stakeholders and have been described, candidly of course, as regressive and short-sighted. Key among these questionable policies are the restrictions sought to be imposed by the regulator on the storage of card credentials by merchants and payment aggregators.
These restrictions, which were supposed to come into effect on July 1 2021, have been deferred to December 31 2021, and will introduce a new source of friction for card-based e-commerce payments which stakeholders fear could force consumers back to cash payments and undermine the tremendous progress achieved in card adoption over the last decade.
The RBI released its guidelines for the regulation of payment aggregators (PAs) and payment gateways (PGs) in March 2020 (PA/PG Guidelines). The PA/PG guidelines regulate the activities of intermediaries, i.e. entities like Razorpay or PayU, that act on behalf of merchants and allow them to collect payments from consumers through the multitude of payment methods that are available in India. The PA/PG Guidelines require PAs – intermediaries that actually collect money on behalf of merchants – to obtain RBI authorisation and to thereafter comply with various operational and technical requirements.
As expected, the PA/PG Guidelines place considerable emphasis on security, fraud, and risk mitigation. PAs are required to adhere to certain baseline technology conditions and are subject to mandatory system and cyber security audits.
In particular, PAs must comply with the payment card industry data security standard (PCI-DSS) and payment application data security standard (PA-DSS), which are globally accepted security standards governing the manner in which organisations process, store and transmit credit and debit card data. It may be noted that these are the same standards that banks and card networks are subject to under Indian law for card data storage. PAs are also subject to direct regulatory scrutiny by the RBI and have quarterly and annual reporting obligations under the PA/PG Guidelines.
Interestingly, the PA/PG Guidelines also impose several obligations on merchants in the interest of security and fraud mitigation. The guidelines, for instance, require all merchants to be compliant with advance security standards including the PCI-DSS and PA-DSS protocols, and require PAs to check such compliance on a periodic basis.
And the ugly…
Despite these onerous conditions and obligations, the RBI has severely restricted the ability of PAs and merchants to store and utilise a customer's card credentials. The PA/PG Guidelines explicitly prohibit both PAs and merchants from storing a customer's card data on their databases except for the purpose of 'transaction tracking', a vague phrase which has neither been defined nor elaborated upon. As a result of this prohibition, PAs and merchants will not be permitted to offer customers the ability to expedite future e-commerce transactions by using stored card information.
This ability to store a customer's card data, often referred to in the payments industry as card-on-file (COF), is a feature that is used world-over by multinational e-commerce companies and payment intermediaries to streamline and accelerate card-based payments.
COF significantly reduces the time required by a customer to complete card payments, and also reduces the likelihood of failed or abandoned transactions since it bypasses the manual entry of the 16-digit card number by the customer. The RBI's current policy on card data storage precludes the use of this technology in India and is expected to derail card-based e-commerce payments from January 2022.
Absence of a level playing field
These provisions of the PA/PG Guidelines force PAs and merchants to either ask customers to manually enter their card credentials for every transaction or rely on banks and card networks to store these credentials on the customers' behalf.
From this perspective, it becomes clear that the RBI's policy creates an uneven playing field for entities in the payments ecosystem. Since the PA/PG Guidelines require PAs and merchants to adhere to very advanced security standards, viz. PCI-DSS and PA-DSS, which are the same standards applicable to banks and card networks, it is unclear why PAs and merchants have been deemed unworthy of storing card credentials. The RBI has not, so far, provided any rationale for this discrimination or any empirical evidence suggesting that data would be safer with banks than in the hands of merchants.
Preclude fraud and risk mitigation measures
Most PAs and large merchants implement proprietary tools and robust systems to identify, analyse and prevent fraud on their platforms and networks. These tools play a significant role in fraud and risk mitigation and allow entities to shield their customers from unauthorised payment transactions and also enable them to swiftly initiate post-incident remedial measures to mitigate harm.
However, these tools often require a customer's card data to carry out the required tracking and analysis and card data is often the starting point for any such risk mitigation exercise. Without this data, these entities have no way of taking proactive steps to protect customers, and must, instead rely entirely on the systems of banks and card networks for this purpose.
No incentive to innovate
In addition to fraud and risk mitigation, card data has also allowed merchants and PAs to develop innovative technologies to provide customers a secure and seamless check-out experience. Since merchants and PAs depend on these payments for sustenance, they have a considerable incentive to innovate. For instance, a smooth payment experience may be a key factor that determines whether a customer chooses to buy groceries from one online retailer instead of another. This incentive drives innovation and investment by merchants and PAs and is responsible for the launch of various features in the payments ecosystem such as single-click checkout and machine learning based retry mechanisms.
In contrast, banks have almost no such incentive to innovate. In the current ecosystem, banks gain very little by creating a smooth and seamless payment experience, and have almost no reason to invest money, time, or resources in creating such systems or tools. It is, in fact, for this very reason that the business of payment aggregation has flourished in India over the last 10 years and given rise to unicorns such as Paytm, BillDesk and Razorpay.
Impact on customer experience
From a customer's perspective, restrictions on a merchant's ability to store card credentials could result in a more painful and tedious e-commerce experience. Merchants and PAs rely heavily on a customer's card data throughout the lifecycle of a transaction to facilitate refunds, cashbacks, discounts, reward points, etc. How the RBI expects merchants and PAs to carry out these processes in the absence of card data remains a mystery.
Notably, any disruption to these critical functions would have a devastating impact on the merchant's brand image but would have no corresponding impact on the bank. A merchant is, at the end of the day, the customer's primary point of contact for any e-commerce transaction. A poor refund experience for a customer would, consequently, impact the merchant most adversely, even if it is caused by the issuing or acquiring bank's failure to share card data. The RBI's proposed framework ignores this fact, and instead places merchants and PAs at the mercy of banks who, as already discussed, have little incentive to improve a customer's e-commerce journey.
Impact on recurring payments
Nowhere is the dissonance of the RBI's policy perhaps more obvious than in the context of recurring payments. In India, thousands of small and large merchants use recurring card transactions as an efficient way of collecting payments from loyal customers. With the growth of subscription-based business models and the relaxation of certain regulatory restrictions, recurring payments have gained a lot of popularity in India in recent years. However, the RBI's restrictions on card data threaten to undo this growth by adding friction to an otherwise smooth process.
Providers of all subscription services, including video and audio streaming services, gym memberships, and internet connections, require a customer's card data to provide such services on a recurring basis. They need this information to trigger transactions and charge a customer's card in a seamless manner. Without COF, these merchants will need to ask for card information from the consumer at every billing cycle, which would defeat the very purpose of recurring payments. Alternatively, these merchants would need to rely on the acquiring or issuing bank to create 'tokens' or similar instruments in place of card information, the creation of which requires infrastructure that does not yet exist.
Tokenisation: when and how?
Experts in the field agree that these restrictions form a part of the RBI's broader strategy to push the payments industry towards tokenisation. Tokenisation, in the payments context, is a mechanism or feature in which card credentials are replaced with unique surrogate values or 'tokens' for the purpose of conducting transactions.
This need to introduce tokenisation is not, by itself, illogical. COF tokenisation is a well-known card payment feature that is becoming increasingly popular with issuers and merchants around the world due to its security benefits. However, any plan for the large-scale roll-out of COF tokenisation in India is, at best, ambitious. India does not have the regulatory framework or the infrastructure to support such an expansive launch of tokenisation.
The RBI's regulations on tokenisation, which were released in January 2019, for instance, only permit device-based tokenisation. This form of tokenisation depends on a trusted device such as a phone or tablet to store and utilise 'tokens' during payment transactions. However, this framework does not permit cloud-based tokenisation, which is independent of physical devices. Notably, cloud-based tokenisation is an essential requirement for any COF tokenisation feature.
Regulations aside, tokenisation requires the coordination and support of all the players in the payment value chain – acquiring banks, payment processors, card networks, issuing banks and merchants. All these players would need to update their systems and prepare to accept 'tokens' in place of a customer's card data during all aspects of a transaction's lifecycle, including payment processing, refunds, returns and grievance redressal. Therefore, implementation of COF tokenisation requires a serious overhaul of the entire existing payment infrastructure, not to mention millions of dollars of investment. Not surprisingly, India does not yet have this infrastructure in place, and the country appears several months, if not years, away from COF tokenisation.
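To make concrete what the tokenisation described above changes for the merchant's data footprint, here is an added Python model of card-on-file tokenisation. It is not code from the article, the authors or the RBI: the `TokenVault` (standing in for the issuer or card network), the `Merchant` store, the `network_authorise` leg and the sample card numbers are all constructed for this illustration. The merchant keeps only a random surrogate token and the last four digits, the vault alone holds the token-to-PAN mapping, a token is bound to one merchant, and a recurring charge submits the token rather than the card number.

```python
"""Added illustration of card-on-file (COF) tokenisation. Constructed example:
the vault API, merchant identifiers and PANs below are hypothetical."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check used here as a stand-in for PAN format validation."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service provider: the only place a PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, tuple[str, str]] = {}  # token -> (pan, merchant_id)
        self._token_by_index: dict[str, str] = {}            # keyed PAN index -> token
        self._index_key = secrets.token_bytes(32)            # HMAC key that never leaves the vault

    def _index(self, pan: str, merchant_id: str) -> str:
        # Keyed hash so a returning card gets the same token without the vault
        # keeping a plaintext PAN lookup table.
        msg = f"{merchant_id}:{pan}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, merchant_id: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        idx = self._index(pan, merchant_id)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random surrogate, unrelated to the PAN
            self._token_by_index[idx] = token
            self._pan_by_token[token] = (pan, merchant_id)
        # Only the token and non-sensitive display data are returned to the merchant.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Resolves a token back to the PAN; called only on the network/issuer leg."""
        pan, bound_merchant = self._pan_by_token[token]
        if bound_merchant != merchant_id:
            raise PermissionError("token is bound to a different merchant")
        return pan


def network_authorise(vault: TokenVault, merchant_id: str, token: str, amount: int) -> dict:
    """Stand-in for the card network/issuer: the one party that sees the PAN."""
    pan = vault.detokenize(token, merchant_id)
    return {"approved": True, "amount": amount, "last4": pan[-4:]}


class Merchant:
    """Merchant card-on-file store: holds tokens and display data, never PANs."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self._vault = vault
        self._cof: dict[str, dict] = {}   # customer -> {"token", "last4"}

    def save_card(self, customer: str, pan: str) -> str:
        record = self._vault.tokenize(pan, self.merchant_id)
        self._cof[customer] = record      # PAN is discarded once the token is issued
        return record["token"]

    def charge(self, customer: str, amount: int) -> dict:
        # Recurring billing: each cycle the merchant submits only the stored token.
        record = self._cof[customer]
        return network_authorise(self._vault, self.merchant_id, record["token"], amount)

    def stored_pans(self) -> list:
        """What a dump of the merchant's store would yield in full card numbers."""
        return [v for rec in self._cof.values() for v in rec.values() if luhn_ok(str(v))]


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant("shop_a", vault)
    tok = shop.save_card("alice", "4111111111111111")   # constructed test PAN
    print(tok, shop.charge("alice", 499), shop.stored_pans())
```

The design choices worth noting are the ones the article's later sections turn on: because the token is random rather than derived from the PAN, a compromised merchant database exposes no card numbers; because the vault binds each token to one merchant, a token lifted from one merchant cannot be charged through another; and because the same card returns the same token at a given merchant, the merchant can still recognise a returning card for recurring billing and transaction tracking without holding the PAN.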
The RBI did, in fact, acknowledge the absence of such infrastructure last month when it announced that prohibitions on COF storage would become effective from December 2021 instead of July 2021, as originally provided for in the PA/PG Guidelines. Yet, this six-month abeyance, while certainly welcome, is unlikely to give stakeholders enough time to rebuild their existing systems and make way for a feature as disruptive as tokenisation.
All things considered, the RBI's policy on data storage could have a devastating impact on India's digital payments industry and could inadvertently undo several years of growth in fintech adoption. With December 31 fast approaching, the payments industry needs to work fast and together. Players need to figure out how to address the regulator's underlying security concerns without parting with the data that they have worked so hard to collect.
Probir Roy Chowdhury
J Sagar Associates
T: +91 80 4350 3618
Probir Roy Chowdhury is a partner at J Sagar Associates. He specialises in corporate commercial, venture/private equity and information technology/fintech and he has been involved in corporate transactions focused on the high technology industry including cross-border merger & acquisition (M&A) deals.
Probir regularly advises global technology conglomerates on various areas of information technology law including outsourcing, data protection and e-commerce issues. He has worked on the launch and operation of unified payment interface (UPI) based web payments applications, structuring payment flows for digital content platforms and various other fintech product launches.
Probir has a bachelor of legal science and bachelor of law degree from the University of Pune.
J Sagar Associates
T: +91 80 4350 3638
Yajas Setlur is a principal associate at J Sagar Associates. He advises clients extensively on various aspects of Indian information technology, data privacy, IP and e-commerce laws.
Yajas has assisted multinational clients in the local launch of global product initiatives and technology-based service offerings. He has counselled clients on Indian payment system regulations and foreign exchange laws, including regulations pertaining to pre-paid payment instruments, peer-to-peer fund transfer solutions and cryptocurrencies.
Yajas has a bachelor's degree in law from University Law College, Bangalore University.