Card tokenisation: a 3-month reprieve from another regulatory curveball

If India’s card tokenisation rules had kicked in on 1 July as planned, it would have upset online commerce for millions of India's merchants. The banking regulator’s third extension has taken the deadline to September, but three months may not be enough for stakeholders to get it together

So far, only 195 million card tokens have been generated. This is a fraction of the amount required to transition ~1 billion credit and debit cards to token-based flows

Online merchants are yet to adequately test token based payments and there is no solution in place for online guest checkouts which account for over half of online commerce

While progress has been made on issuing tokens for cards, processing them for payments is still a work in progress and has seen limited uptake among merchants

Getting everything ready in 90 days will require all stakeholders to work together and give merchants time to test. Any stumbles could set the ecosystem back several steps

Just six days ahead of a rather tricky deadline, the Reserve Bank of India (RBI) has issued a reprieve. Albeit temporary.

The country’s banking regulator had decreed that by 30 June, all online merchants and payment processors had to stop storing customer card data. Instead, they would have to implement something called card tokenisation—the process of replacing information such as the debit card or credit card number with a surrogate alpha-numeric code called a token, generally issued by card networks such as Mastercard, Visa, and Rupay.

However, in two separate statements on the evening of 24 June, the RBI extended the deadline for both purging stored customer data and implementing card tokensation to 30 September. This is the third such deadline extension that the RBI has granted the new card information storage rules, first introduced in March 2020.

And it appears to be signalling a shift in the central bank’s thinking about the system’s preparedness.

Earlier this month, RBI’s deputy governor T Rabi Sankar had indicated that the regulator felt the system was adequately prepared for implementing card tokenisation. “The progress has been satisfactory. Over the last several months, our teams have been constantly discussing with all stakeholders… The system is by and large prepared,” Sankar said said Moneycontrol Ecosystem largely prepared to implement tokenisation, says RBI Dy Governor T Rabi Sankar Read more at the time.

But in its Friday statement, the RBI noted that while there has been “considerable progress” in generating card tokens, processing transactions using them is yet to fully take off. In addition, no alternate solution has been implemented for guest checkouts—a transaction where customers manually enter their card details instead of storing them with a merchant.

If the shift had been implemented as planned, it would have had a significant impact on the over 200 million online transactions that occur on credit and debit cards each month in India. As of May 2022, India had a total of ~1 billion outstanding credit and debit cards, according to RBI data.

The most significant impact, though, would have been on guest checkouts. According to estimates shared by executives with payment processors, such transactions account for between 50% to 60% of the overall volume.

“There are readiness problems with guest checkouts across the ecosystem,” a senior digital payments executive at a large bank told The Ken, a few hours before the RBI announced the extension. They added that while banks, payment processors, and card networks have been interacting with the regulator and each other on the issue, there’s no immediate solution on the horizon.

AUTHOR

Jaspreet Kalra

Jaspreet covers banking, financial technology and digital assets. He is a graduate of St. Stephen’s College, Delhi and Columbia University’s Graduate School of Journalism. Jaspreet has previously worked with CoinDesk and Bank Automation News. When unoccupied with work, he can be found pretending to read hardbacks while listening to stand-up specials.

View Full Profile

The only business subscription you need

Unrivaled analysis and powerful stories about businesses in India and Southeast Asia from award-winning journalists. Includes access to longform articles, premium newsletters across a range of topics depending on your interest and our top-ranked podcast. For those who want to be prepared for what comes next.

So much journalism in India is superficial.

Articles are generic, almost cookie-cutter in their approach. And they don’t provide enough context on the issues they cover. The Ken is different. I don’t always agree with everything they say but I appreciate their commitment to publishing deeply reported narratives and investigations. Their reporters find new ways to analyze tech among other industries. And that’s always worth a read.

Sid Talwar / Co-Founder and Partner / Lightbox Venture Capital

As entrepreneurs, we thrive on being in the know at all times.

A personal subscription to The Ken was a no brainer. But as startup founders, this isn't enough. Team members also need to be in the know, for everyone handles customer-facing responsibilities and an ecosystem change that impacts customers also impacts us

Kiran Jonnalagadda / Co-founder / HasGeek and Internet Freedom Foundation