Most financial frauds today stem from relatively systemic issues, and pushing forward with the Payment Aggregators and Payment Gateways guidelines will have an ambiguous effect on data security while not addressing structural problems
By Gautam Kathuria & Kazim Rizvi
In April 2020, RBI released guidelines addressing concerns over how payment aggregators and gateways collect and store merchant data during the onboarding process. The PAPG (Payment Aggregators and Payment Gateways) guidelines stipulate that a merchant site shall not save customer card and related data. This is likely to signal a shift in digital consumerism in India.
The guidelines were meant to be enforced from April 1, 2021, but in a positive move, RBI recognised the difficulty in compliance faced by stakeholders as well as the increase in customer inconvenience, which led to a six-month extension.
The guidelines require customers to input their card details before every transaction, which might create a barrier to consumption. This will be amplified in the case of digital subscription services such as OTT platforms, which require repetitive payments that were automated before but now require consistent user input for renewal. With low levels of digital literacy, it may impact India’s long-term goals of financial inclusion.
One major goal in promoting financial inclusion has been keeping digital platforms relatively simple: for example, by making the user experience of engaging in the payment ecosystem more seamless, reducing the scope for errors and dropouts, and removing impediments to making transactions. In recent years, RBI has taken several steps to implement such measures, including relaxations around additional factor authentication. Considering the emphasis on transaction accessibility as an important step towards financial inclusion, the PAPG guidelines might counterbalance these aims, and this factor must be considered moving forward.
In a world of growing financial fraud and privacy risks, RBI is right to be concerned about who has access to sensitive elements of customers’ payment data. However, these concerns may not be well-founded in this particular context, since any merchant compliant with PCI-DSS standards already has significant safeguards in place. This is especially relevant considering that a 2020 RBI circular specifies that payment aggregators would ensure that merchants comply with PCI-DSS infrastructural standards.
Such a move also disregards legitimate concerns on the business front. These include the use of such data to analyse fraud risk and build systemic responses to mitigate fraud, to enhance user experience and customer satisfaction, and to facilitate product innovation. Another aspect to examine is public interest concerns, prime among which is the centralised exercise of control by a single payment aggregator (PA), which increases the risk of a data breach since all customer card details will be stored by that specific PA.
Considering the rapid move to online payments, businesses have also invested in advanced technologies to authenticate customers and ensure safe transactions, alongside implementing better authentication measures and routinely conducting risk assessments. Fundamentally, it is also unclear whether merchants storing non-sensitive elements of card data for the limited purpose of facilitating transactions seamlessly actually creates any significant risk, especially in light of the security measures undertaken by merchants.
While concerns around sensitive personal data are valid, the parties involved in the transaction should be allowed to make a decision. For example, in the case of the European Union, every merchant needs to be GDPR compliant. Such compliance takes into consideration the purpose of storage, whether the merchant meets the industry standards of data security, and whether the customer has consented.
The limitations being imposed by RBI require careful consideration, since the overarching goal is to balance competing concerns of reducing fraud, protecting privacy and enabling the payments sector to flourish. Therefore, it is important to examine the guidelines while keeping in mind all aspects.
A majority of financial fraud today stems from relatively deep-rooted systemic issues, and pushing forward with the PAPG guidelines will have an ambiguous effect on data security while not addressing structural problems within the ecosystem. The current approach taken by the RBI needs to be revisited through a process of consulting relevant stakeholders to ensure that forthcoming regulation on this front enhances privacy without compromising on goals of financial inclusion.
On the demand side, it is important to push forward schemes aimed at improving consumer education standards while on the supply side, we need to redouble efforts to raise security and certification standards. A regulatory framework encompassing these considerations will create a foundation for all stakeholders in the payment value chain to flourish over the long term.
Kathuria is a policy analyst, and Rizvi is the founder, of The Dialogue