Reserve Bank of India’s tokenization regulation

Reserve Bank of India’s tokenization regulation explained

The Reserve Bank of India (RBI), India’s central bank and regulatory body, last year announced a ruling for the handling of consumer card data and recurring payments that explicitly states transactional data must not leave the country and must reside in local storage within India. These regulations are aimed at ensuring the security, confidentiality, and integrity of financial transactions, as well as promoting transparency and consumer protection, but they create a complex problem for companies looking to expand into India. So, what does the Reserve Bank of India’s tokenization regulation mean for merchants operating in or expanding to the Indian market, and how can they remain compliant while reaping the rewards of a fast-growth digital commerce market?

What is the Reserve Bank of India’s tokenization regulation and why was it implemented?

The Indian e-commerce market is expected to grow to $111.40 billion USD by 2025, and $350 billion USD by 2030. In 2019, the government announced ‘Digital India’ with the aim to transform the country into a digitally empowered society, and encourage more businesses and consumers to embrace digital technologies. This transformation was only accelerated by the COVID-19 pandemic, and now, India is one of the largest and fastest-growing markets for digital commerce. 

However, with an increase in e-commerce, there has been an increase in data breaches. India has suffered a number of mass data breaches across a number of sectors in recent years. These included Know Your Customer (KYC) information as well as credit card and bank details of the nation’s consumers. Given that the number of debit and credit card holders in India has been steadily increasing over the years, with almost 900 million active debit card holders and 64 million active credit card holders by the end of 2020, this leaves a large target for fraudsters.

To try and combat the rise of cybersecurity woes, RBI announced in March 2020 that merchants and payment aggregators had 15 months to “purge” all card data that had been stored, add tokenization, and devise an alternative mechanism to handle recurring payments that would involve the storage of card-on-file (CoF) data by organizations other than card issuers and card networks. That deadline was then extended until 30th June 2022, after pressure from industry stakeholders. 

What does Reserve Bank of India’s tokenization regulation mean for merchants?

The new policy affects a number of key players, namely merchants, banks, and intermediary payment systems. Until banks, card networks, and payment gateways are live with consumer-ready solutions, merchants are stuck. And while a number of leading banks are ready, merchants, on the other hand, are not yet set up at the backend for adoption, and customers who have stored their card details online through various platforms would be affected.

Even with the deadline extension, merchants that are operating in or expanding their business to India have little time to deploy tokenization with only the resource of in-house development teams. Complex payment infrastructure requires dedicated in-house payment teams, incurring technical debt, inflexibility, and potential regulatory challenges. 

So, how can merchants act quickly?

Future-proof your payments by taking them to the cloud

Affected companies could become compliant by setting up their own data centers, which would entail setting up both IT components and other non-IT components (including large servers). However, while companies’ own data centers provide complete ownership and control, deploying a new data center is expensive and time-consuming, as it entails numerous activities such as:

  • Finding the right location
  • Hiring several vendors
  • Deploying resources to build and maintain it
  • Certifications such as PCI DSS/PA-DSS
  • Security audits as applicable
  • …and much more

Additionally, setting up such a data center can take several months and could end up becoming one of the largest projects a company undertakes. There are alternatives available to building and expanding one’s data center as merchants become compliant – including integrating scalable cloud-native payment infrastructure while eliminating the need to hire large payments teams.

To build scalable cloud-native payment infrastructure, merchants must add a layer that can orchestrate and standardize all the payment methods that consumers require in a way that utilizes the benefits of cloud computing without taking on the burden of PCI compliance. Serverless functions should remain dormant until a consumer needs that payment method. Unified reporting should be replicable and available wherever an accounting team sits – home or otherwise – and Edge computing should push user experiences closer to customers and their specific needs.

The advantage of being able to scale payment infrastructure up and down based on peaks and valleys in a merchant’s annual sales cycles is a huge benefit of a cloud-native payment orchestration platform. Moreover, it offers significant savings that can increase the bottom line.

‘Go Data-Centric’ and ‘Get Regulatory Compliant’

Privacy concerns have increased around the world. Data breaches continue to rise, leaving customers sceptical of how their data is held, with governments reacting in turn to protect their citizens. Several countries have imposed blocks and set rules on what data can be kept on their citizens and where.

In addition to RBI’s requirements, the industry has seen examples on a global scale, including European GDPR rules and the fallout from the collapse of the Privacy Shield regulation, which means that if a US Customer Service agent looks at customer data, then there is a breach of privacy even if that data is held locally. The problem is that most payment companies and solutions are not built to be distributed, and breaking a monolithic stack into parts is a challenging task for a payment processor and a merchant.

To become future-proof and ready to deal with the rapidly changing regulations, merchants need to start looking towards the benefits of Edge computing, which can keep data local while still allowing access to locally regulated payment companies and types.

How can edge computing and payments help merchants stay compliant? 

Edge computing is a distributed computing paradigm that brings computation and data storage closer to the edge of the network, and closer to where data is generated and consumed. By processing data locally – at or near the source – edge computing reduces latency, enhances real-time processing capabilities, and minimizes the need for data transmission to a centralized cloud infrastructure.

In the context of the payment industry and Reserve Bank of India’s tokenization regulation specifically, edge computing can have several potential applications, such as:

  • Localized compliance – In countries like India, where data sovereignty and compliance requirements are important considerations, edge computing can help ensure that payment data remains within the geographical boundaries of the country. This can aid in complying with local data protection regulations
  • Data security and privacy – Edge computing can enhance data security and privacy by keeping sensitive payment data within the local network or device. This can reduce the risk of data breaches and unauthorized access, as data doesn’t need to be transmitted to a remote cloud server for processing
  • Faster transaction processing – Edge computing can reduce latency in payment processing by performing certain computations locally. This can be particularly beneficial for real-time transaction verification, fraud detection, and authentication, enabling faster and more efficient payment experiences

Although now mandated by RBI for India specifically, merchants across the globe should be future-proofing their business and remaining compliant with PCI regulations by tokenizing customer payment details at the payment service provider (PSP) level, or even deeper at the association level.

Managing these tokens and keeping them up-to-date in a controllable manner can be a major headache for merchants, and a drain on development resources. It is essential to develop a strategy for keeping this updated, particularly with network tokens, as it can create cost savings if done correctly. To future-proof even further for global growth, merchants should be considering a strategy that is cloud-native and Edge-ready to stay locally compliant. 

Edge computing should push user experiences closer to customers and their specific needs such as this one in India.

The advantage of being able to scale your payment infrastructure up and down based on peaks and valleys in your annual sales cycles is a huge benefit of a cloud-native payment orchestration platform. Moreover, it offers significant savings that can increase your bottom line.

As payments move to the cloud, merchants mustn’t be afraid to modernize payment infrastructure, take on digital transformation and go global. Look to build or buy cloud-native payment orchestration that takes advantage of the benefits of cloud technology, such as auto-scaling, Edge computing for local compliance, and cloud-based self-updating vaulting technology. With this foundation, you will be able to take on whatever the future holds.

With cloud-native Infrastructure-as-a-Service (IaaS) payment orchestration and optimization solutions like Gr4vy, merchants can utilize the benefits of cloud computing without taking on the burden of PCI compliance, and remain locally compliant while adding the orchestration layer to standardize all the payment methods that Indian consumers require. If you want to do business in India while remaining compliant, get in touch with our team today to see how Gr4vy can help.