The Merchant Payments Alliance of India (MPAI) and the Alliance of Digital India Foundation (ADIF) on Wednesday urged the Reserve Bank of India (RBI) to extend the card-on-file (CoF) tokenisation deadline of December 31 for merchants.
Citing several operational challenges that will hinder the transition to the token-based payments ecosystem, the industry bodies voiced their concerns over industry readiness on the RBI directive on card-on-file tokenization.
MPAI and ADIF said that 'ecosystem readiness' is a sequential process of going live with stable API (application programming interface) documentation for tokenised transactions.
The digital payments ecosystem is a long way from consumer-ready solutions and unless regulated entities are compliant, merchants will not be able to successfully process tokenised transactions, they said in the joint letter.
"In the scenario that banks are lax on preparedness, the brunt of that will be borne by merchants in the form of loss of revenue - we are looking at revenues losses of anywhere between 20-40 per cent at the minimum should that be the case," said Sijo Kuruvilla George, Executive Director, ADIF.
The RBI in September prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of CoF tokenization as an alternative to card storage.
The industry bodies said that if implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants.
"This unpreparedness will impact recent digital payments adopters even deeply. The frequency and intensity of phishing attempts will go as entire card details are to be entered for each transaction, causing a significant increase in irreversible fraudulent transactions," said Vishal Mehta, Chair of Governing Council, MPAI.
Based on the set of guidelines that have been mandated by the RBI, sensitive customer information is to be stored in the form of an encrypted 'token' to help secure transactions.
These tokens then allow payments to be processed without disclosing the customer details or allowing the payment intermediaries to store customer data that could breach security and privacy.