What comes first — convenience or security?
The Reserve Bank of India’s soon-to-be-implemented rules on storage of credit and debit card customer data have prompted a familiar debate as retailers argue that the new rules will inconvenience customers, while others say they reduce the risk of a data breach.
Come July, single-click and recurring payments that could earlier be completed by entering only the card security code (CVV) will require customers to re-enter their full card details. This is because the RBI has barred merchants and payment aggregators from storing customer card credentials on their databases or servers, under its March 2020 guidelines that come into effect this July. The regulations are silent on whether payment gateways, which route and facilitate the processing of online payments, may store this data.
At present, the card details of a customer are allowed to be stored by online merchants, e-commerce websites, and payment aggregators that act as intermediaries between card-issuing banks and merchants.
Ahead of the implementation of the new rules, online retailers and the IT industry body Nasscom have pushed back.
A group of online merchants, including Flipkart, Netflix, Zomato, Microsoft and Amazon, that claim to have over 25 crore customers carrying out digital transactions with them in India, wrote to the RBI requesting exclusion of Payment Card Industry Data Security Standard level 1-compliant merchants from the guidelines.
“Enabling merchants who meet the applicable security standards to continue to store cards on file will avoid large-scale interruptions in consumer experience, business operations and digital payments adoption,” the group said in a Feb. 1 letter, reviewed by BloombergQuint.
In addition, the industry argues that barring merchants from storing card data will impede their ability to resolve customer complaints and process refunds. “A deprecated consumer service would increase the number of consumer grievances and escalations, which could have been easily managed at the initial stage by the merchant itself,” Nasscom said in a January note that highlighted issues based on industry feedback.
The industry representations have so far not deterred the RBI.
In its master directions on digital payment security issued on Feb. 18, the regulator asked scheduled commercial banks (excluding regional rural banks), small finance banks, payments banks, and credit card issuing non-banking financial companies to ensure point-to-point encryption and secure storage of customer card details based on norms prescribed by the PCI-DSS. This suggested that entities other than those specified would not be permitted to store such data.