Experts say it is crucial that the ecosystem of multiple payment instruments in the country, along with bigger adoption of digital payment methods for recurring use cases, continues to grow.
Digital payments have soared during the pandemic, along with the advancement of technology. Such developments, however, also carry a threat of fraud and other security concerns. When it comes to digital payments, RBI follows the ‘safe, secure, simple and fast’ mantra to facilitate the growth of a strong and vibrant payments industry ecosystem. Especially with more and more Indians going online and using digital payments as the primary means for effecting transactions, fraud and security have become a paramount concern.
The RBI has taken several steps to mitigate these kinds of risks and threats to make the payment environment safe for customers. Furthermore, on 7th September 2021, the RBI issued a circular, saying, “With effect from January 1, 2022, no entity in the card transaction or payment chain, other than the card issuers and/or card networks, will be able to store the actual card data. Any such data stored previously will be purged.”
Additionally, “for transaction tracking or reconciliation purposes, entities can store limited data such as last four digits of the actual card number and card issuer’s name – in compliance with the applicable standards,” said RBI.
Rameesh Kailasam, President and CEO, Indiatech.org, says, “RBI had extended tokenisation to multiple electronic devices now which was earlier limited to mobile phones and tablets. With this circular from the RBI, it would ensure that customers now will not be forced to input card details for every transaction under the tokenisation arrangement while concerns around the safety of digital payments get addressed as well.”
Tokenization replaces the original payment credential of a card with an anonymised set of characters. Instead of the actual card number, an irreversible token reference is used, generated by an advanced algorithm with a matching expiry date, which makes it hard to crack.
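A minimal sketch of the arrangement described above, added here as an illustration and not taken from the RBI circular or any card network's system: the issuer or network holds the only mapping from token to card number, while the merchant keeps just the token, the last four digits and the issuer's name. The class and field names, the random 16-digit token, the binding to one merchant, the reading of "matching expiry date" as the card's expiry, and the test card number are all assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MerchantCardRecord:
    """All a merchant or aggregator keeps on file (hypothetical shape)."""
    token: str
    last4: str
    issuer_name: str
    token_expiry: date


class TokenVault:
    """Held by the card issuer or card network: the only place the card number lives."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, merchant_id, expiry)

    def tokenise(self, pan, issuer_name, merchant_id, card_expiry):
        # Random digits: the token has no mathematical relationship to the
        # card number, so it cannot be reversed without the vault's table.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = (pan, merchant_id, card_expiry)
        # Only the limited data leaves the vault; the full number does not.
        return MerchantCardRecord(token, pan[-4:], issuer_name, card_expiry)

    def detokenise(self, token, merchant_id, today):
        """Resolve a token back to the card number, issuer/network side only."""
        if token not in self._by_token:
            raise KeyError("unknown token")
        pan, bound_merchant, expiry = self._by_token[token]
        if merchant_id != bound_merchant:
            raise PermissionError("token was issued to a different merchant")
        if today > expiry:
            raise ValueError("token has expired")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test card number, not a real account.
    record = vault.tokenise("4111111111111111", "Example Bank",
                            "merchant-A", date(2027, 12, 31))
    print(record)  # what the merchant stores: token, last4, issuer, expiry
```

A token copied from one merchant's database is of no use elsewhere in this sketch, because the vault refuses to resolve it for any other merchant or after expiry.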
However, some experts believe that one of the means, restricting card-on-file storage, which effectively prohibits merchants and payment aggregators from storing card details of customers starting December 31, 2021, may be excessive and disproportionate to these objectives.
In a recent webinar organized by the Confederation of Indian Industries (CII) in association with the Society of Indian Law Firms (SILF) on Future of Digital Payments – Regulation, Consumer Interest and Innovation – some of India’s distinguished legal experts felt that companies and organizations that are already compliant with the globally accepted standard for security and have received consent from the customers should be allowed to store such data.
Justice (Retd.) A. K. Sikri, Supreme Court, pointed out in the webinar that while there is a need to tackle the issue of frauds (which however cannot be eliminated), restrictions should be ‘reasonable’ and must serve a legitimate state aim. He added, “there is already a regime in play due to the globally accepted PCI-DSS standards. Merchants’ fundamental right of carrying out business should be minimized, and regulations must be in line with the doctrine of proportionality and doctrine of necessity.”
Gulshan Rai, Former National Cyber Security Coordinator, Government of India in the Office of Prime Minister, said that the whole (stated) purpose of security of the consumer’s data is not going to be solved by this regulation and that wider discussion needs to be held. “Convenience of the consumer must be held in paramount importance. We must find a solution balancing the four principles of safety, simplicity, security and speed (for overall convenience). Integrity, authenticity, non-repudiation and security of data and assets are paramount,” said Rai on the webinar organized by CII.
He further added that no system is 100 per cent secure, and questioned the need to over modify and convolute things, saying, “when you implement PCI DSS standards and the best practices are followed, fraud gets minimized. These are the international, global, uniform standards. We must not devise our own way.”
Commenting on the Future of Digital Payments webinar, K. V. Viswanathan, Senior Advocate, Supreme Court, said, “Prohibiting merchants from keeping card data on file was not thought of during the discussion stage. Seeking payment authentication every time would drive away from the consumer.” He further said, “EMI and other recurring payments would take a hit, and the current regulation would therefore not serve any real purpose. On the contrary, it would go against the Digital India vision of the Prime Minister of India.” Lastly, he highlighted that the purpose of the regulations appears to be controlling data storage, not security, which is already covered by the Personal Data Protection Bill.
Amol Kulkarni, Director (Research), CUTS International, emphasized the need for customers to be consulted during the policymaking process, on the CII organized webinar. He pointed out that today 72 per cent of low-income users have no access to digital payments as yet. He observed that consumers need to be at the pivot of regulations, and regulation must ensure that the potential unintended consequence of digital exclusion for consumers across income groups is avoided.
Industry experts say the digital payments market in India is likely to grow to more than 300 per cent of its current size, to Rs 7,092 trillion by 2025, on the back of multiple positive initiatives like Digital India and the Digidhan Mission, along with the growing digitization of merchants. This will be accelerated by the fact that on unique mobile payment users, India has already recorded the highest fintech adoption rate in the world at 87 per cent, beating the global average by a full 20 percentage points.
However, experts say it is crucial that the ecosystem of multiple payment instruments in the country, along with bigger adoption of digital payment methods for recurring use cases, continues to grow.