The central bank, which took industry feedback on the readiness of banks and card network operators to meet the new deadline, is now expected to hold another meeting with the latter.
Sources indicated that card network operators and banks are yet to share their APIs (application programming interface) for tokenisation integration, an issue the regulator is expected to take up with them.
“The card network operators have to share technical specs (APIs) with banks, merchants and payment aggregators. It hasn’t been shared so far; there is no integration with our systems,” said a senior official with a payment aggregator that was part of the meeting. “We as payment aggregators have come up with our solution but there is no backward and forward linkage to the whole tokenisation process.”
Other merchants also have similar grievances. “Have the banks figured out how to issue tokens, or how are they saving them? We have no clarity on these issues and how the integration will work with us,” said a merchant, on the condition of anonymity. “The entire process is painfully slow.”
These issues are expected to be taken up at the meeting, the official cited above said. The central bank did not respond to an email query.
On December 23, RBI deferred the implementation of the mandatory tokenisation of card transactions by permitting merchants to store data until June this year following representation from the industry, which said it was unprepared for the transition.
The regulator’s second extension of the deadline for merchants to purge the card data of customers came amid heightened anxiety among the merchants community, especially those that have built businesses around the recurring payment mandates.
Banks claim they were ready to meet the December deadline itself.
“The merchant end is a very large tail. Having said that, even the large merchants are not ready but there is a lot of time in hand to plug that as far as our bank is concerned. A lot of our cards are already tokenised,” said a senior official with a private sector bank. “As far as the whole rule is concerned, some amount of clarity has to come in on standing instruction transactions and what happens to guest checkout transactions where the customer is entering all the data. So we hope the regulator will clarify these.”
RBI in March 2020 said that payment aggregators and merchants onboarded by them would be prohibited from storing card details of customers to improve data privacy and protect frauds in online transactions. That was supposed to come into effect from June 2021. Industry sought time to transition to tokenisation of transactions. So the RBI set a new deadline of December 2021, now extended by another six months.