Reserve Bank of India (RBI) issued a notification in September 2021. According to it, no entity in the card transaction or payment chain can store data from June 30, 2022, other than the card issuers and card networks. From June 30, 2022 onwards, payment aggregators (such as Stripe) have to use network tokens for payment processing instead of the actual credit or debit card number. The goal of this regulation is to prevent online fraud by keeping customers' critical financial information secure from card data breaches and restricting malicious actors from stealing funds from individuals and organizations.
What are Network Tokens?
Card networks such as Visa or Mastercard offer network tokens to replace the actual credit or debit card number for online payments. It reduces the risk of exposing sensitive card details such as card numbers while only the card networks can retain this information.
What are the new guidelines?
The following are guidelines mentioned by the RBI:
Payment aggregators (such as Stripe) have to use network tokens to refer to the card details and process payments instead of the actual credit or debit card number.
Collect cardholder consent to store the card details and use them for recurring payments.
Perform 3D Secure authentication and other RBI e-mandate-related requirements before saving the card details.
Give the customers an option to delete their token from their merchant platform.
What are the impacts of the regulation?
Now your gateways will have to work internally with the Card networks to tokenize the card details and not store them on their end. Stripe has already started using network tokens. For more details, contact Stripe to check if your account is updated with the same.
Success rates for recurring payments on India-issued cards are likely to drop as banks may ask the customers to re-enter their card details.
Who does the RBI tokenization regulation apply to?
Merchants having businesses based in India with customers paying with domestic cards must comply with the regulations. Also, the merchants with businesses based outside of India and have customers paying with India-issued cards must be prepared as they may be affected as well.
What do you need to do to comply with this regulation?
You need to get explicit consent from your customers before saving the card details. If you are using Stripe, they get the required consent as a part of the 3D Secure authentication process. So, there is no action required from your end separately.
Make sure you have the PayNow link configured in all the dunning and customer emails so that the customers can pay for their pending invoices as one-time payments in case automated recurring payments fail.
If you are facing payment failures after the enforcement of this regulation, you can check with your respective payment gateways to improve the success rate.
Click here for more information associated with RBI e-mandate regulation.