So, what actually is tokenization? It refers to the replacement of credit and debit card information with a "token," which will be unique for each card. Because the actual card details are not shared with the merchant during transaction processing, a tokenized card transaction is considered safer. Customers who do not have access to the tokenization service will be required to enter their name each time they place an online order.

The main motive of RBI enforcing Tokenisation?

Digital payments have spurred and supported economic growth, particularly during the pandemic's difficult times. At the same time, RBI's intent is to protect a variety of stakeholders, from payment gateways and aggregators to banks, wallet providers, merchant sites, and consumers. Consumer interest is served via tokenization, which makes for a more secure environment for the digital economy. The payments ecosystem in India has led to a greater degree of streamlined coordination between these financial institutions. The digital payments industry is one of the pillars of India's rapidly growing digital economy. This stellar growth is being actively driven by the rise in supply and demand-side dynamics. On the demand side, a rapidly growing consumer base, driven by increasing smartphone penetration and availability of the internet, has brought about a paradigm shift in digital financial inclusion. Digital modes of payment, though still lagging behind cash payments, have emerged as strong competitors. The supply-side dynamics are built on a foundation of fierce competition, technological innovation, and an overall focus on consumer convenience in integrating digital financial services in their everyday lives.

The RBI has taken a proactive role in providing a regulatory foundation for this growth and is now attempting to strike a balance between consumer convenience and the security of financial data.

Tokenisation Helping Card Payment Networks

Tokenization has no direct impact on the payment process or the user experience, but it does provide an additional layer of protection to the transactions. It ensures that a person's sensitive information stays with them as they transact, eliminating all dangers associated with data vulnerability.

  • The onboarding of several small businesses has given further impetus to the growth of digital payments, with payment service providers providing incentives for businesses, including automated account-keeping services and the requisite hardware and software integration.
  • Policy frameworks promoting the adoption and penetration of digital payments and a conducive environment for cashless payments, necessitated by Covid-19, have accelerated the development of this sector. There is also a greater thrust on the role of digital payments in integrating online and offline markets.

Impact of Tokenisation on Customers

  • Convenience or ease of use is valued by consumers and is an important determinant for the adoption of digital payment technologies. It has been observed that customers often use services of the same merchant on multiple occasions. Therefore, the facility of not having to insert card details for each transaction is an important convenience. Being able to quickly pay without having to repeatedly enter details is an important consideration for making repeat purchases on e-commerce platforms. Therefore, if merchants are unable to store card details without any alternative mechanism, the customer experience can suffer significantly.
  • The ability to pay through stored financial details can also impact the adoption of digital payment methods. For groups with limited digital financial literacy, including rural customers and the elderly, significant hand-holding is required to partake in digital payment systems. To adopt digital payments, customers often rely on family, friends, and agents of financial institutions, who help them set up a solution and save the required details. Amplifying the requirement to repeatedly enter details can add complexity to the process and require continuous hand-holding.

Impact of Tokenisation on Merchants

  • A cumbersome experience for customers affects the business of online merchants. Businesses with an online presence strive to build long-term relationships with customers in order to ensure repeat purchases. Repeat transactions are especially important for businesses providing subscription-based services, since these services involve regular weekly, monthly or yearly payments. If businesses are unable to provide regular customers with a smooth card payment experience, they risk losing the customer, which may lead to a loss of revenue. The loss can affect small merchants especially badly.

  • Companies utilize consumer data, including financial data, to innovate and personalize their products and services. The inability to store data may hamper these capabilities.

  • Tokenization requirements might cause online shops, particularly small businesses, to lose up to 40% of their earnings, pushing them to close their doors.

  • For merchants, uncertainty over the manner of processing refunds to the consumer with tokens instead of card details still looms, necessitating immediate action. Merchants will need to assess whether the provided solution supports the security policy requirements with the tokenization systems to identify unauthorized access.

The challenges in implementing the guidelines

The RBI's proposal is well-intentioned; its goal is to improve data security and reduce the risk of data breaches; however, it is a significant departure from current standard operating procedure for digital payments transactions, and it may necessitate a major overhaul of existing tech systems.

The issues aren't merely technological; they're also business-related. Tokenization requires digitization in some way.

Currently, implementation is also a concern due to the interdependence of stakeholders.

Therefore, a time-consuming and resource-intensive overhaul of internal mechanisms may be required. Merchants with a global presence may be able to implement these changes due to their financial strength and experience with tokenization in foreign jurisdictions.

Security Challenges

Security concerns about tokenization vaults primarily arise because a vault creates a copy of the sensitive data and moves it to another location. Rather than effectively securing the data, it creates a single point of attack in the tokenization infrastructure and becomes a high-risk target for data theft. In a way, tokenization reduces security risks on the merchant side but transfers this risk upstream to the issuer.

It has been pointed out that using the same tokenization method for the same merchant can raise multiple security risks. If a malicious individual is able to retrieve the method and proceeds to conduct a dictionary attack, the payment card information could potentially be recovered. Further, any cybersecurity framework rests on three pillars: Confidentiality, Integrity, and Availability. There is a tendency to focus on the confidentiality and availability of data while the integrity of the data is left unaddressed. However, if the integrity of the data is suspect, then that defeats the purpose of confidentiality and availability.

Tokenisation aims to limit the number of stakeholders who will hold this data. This also means that a dataset will have no redundancy and will lack the means to establish integrity in the event of a major failure. The failure could arise not only from hacking but also from cascading coding failures.
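
The contrast described above, as an added example that is not part of the original article: a deterministic token lets anyone who holds the method confirm a guessed card number offline, while a random vault token carries no such information, and an HMAC tag on each vault record gives the vault a way to detect a record whose integrity is suspect. `TokenVault`, `deterministic_token`, `guess_confirmable`, the merchant IDs and the test card number are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: a widely used test card number, not a real card.
TEST_PAN = "4111111111111111"

def deterministic_token(pan: str, merchant_id: str) -> str:
    """Weak scheme: the same method and inputs always give the same token."""
    return hashlib.sha256(f"{merchant_id}:{pan}".encode()).hexdigest()[:16]

def guess_confirmable(token: str, guess_pan: str, merchant_id: str) -> bool:
    """Anyone holding the deterministic method can confirm a guess offline."""
    return deterministic_token(guess_pan, merchant_id) == token

class TokenVault:
    """Hypothetical vault: random tokens, merchant binding, integrity tags."""

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}  # token -> (pan, merchant_id, tag)

    def _tag(self, token: str, pan: str, merchant_id: str) -> bytes:
        msg = "|".join((token, pan, merchant_id)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Random token: nothing about the PAN can be derived from it.
        token = secrets.token_hex(8)
        tag = self._tag(token, pan, merchant_id)
        self._records[token] = (pan, merchant_id, tag)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        pan, owner, tag = self._records[token]
        if owner != merchant_id:
            raise PermissionError("token was issued to a different merchant")
        # Recompute the tag; a mismatch means the stored record was altered.
        if not hmac.compare_digest(tag, self._tag(token, pan, owner)):
            raise ValueError("vault record failed integrity check")
        return pan
```

The integrity key must be stored separately from the vault records, otherwise whoever can alter a record can also recompute its tag.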

To ensure a more seamless transition toward the new system, the recommendations have been further explained below.

  • Extending the deadline: all the stakeholders in the ecosystem, including small banks and businesses, have to be equipped to implement the framework. Extending the deadline by at least six months would be beneficial for the digital ecosystem.

  • Phased Implementation and Auditing will ensure smooth implementation of the proposed systems and avoid consumer and merchant inconvenience. A phased program could be designed to be implemented over the course of several months, where the RBI audits every bank and card network primarily to ensure that their systems are in place for the seamless flow of transactions.

  • Analysing security standards for stakeholders: considering the scale and ambitions of the country's digital payments sector, it is imperative that the security standards being implemented are analysed sufficiently.

  • RBI should aim to adopt a more consultative and transparent approach. Taking lessons from the disruption caused by the e-mandate regulation, the RBI must provide sufficient time and ensure ease of compliance to minimize disruption in the ecosystem while implementing new systems. This is a healthier model to aspire towards, rather than waiting for post-implementation non-compliance and retrospective action, which hinders the consumer experience and causes loss of business to merchants and others who are operating on the current system.

  • Another factor that would help the RBI become more transparent is to publish stakeholders' responses, either anonymized or public. This would ensure accountability and provide transparency.

Finally, the system (that is, regulators, businesses, and the government) must provide safety. Consumers in India do not have access to a comprehensive and timely dispute resolution mechanism. Multiple regulators in the banking and other sectors add to the complexity. All of the regulators engaged have a dual mandate: to promote the industry's growth while also providing oversight. Consumer protection and interests aren't at the top of the regulatory priority list. Delays in the courts do not help. As a result, the next step is to put in place an effective consumer dispute and grievance resolution system.
