In March 2020, the Reserve Bank of India (“RBI”) released the Guidelines on Regulation of Payment Aggregators and Payment Gateways (“Guidelines”), which created a regulatory framework for the operation of payment aggregators (“PAs”) and payment gateways (“PGs”). To supplement and clarify these, we understand that the RBI issued Clarifications to these Guidelines on Regulation of Payment Aggregators and Payment Gateways (“Clarifications”). NASSCOM had requested RBI to issue such a clarification in our representation dated 24 June 2020. However, we understand that the clarifications had been issued through select industry bodies for circulation amongst their members and NASSCOM was not involved in this engagement or provided these Clarifications. Since RBI has issued these Clarifications, it is likely that these will be used as an interpretation yardstick in the future even as these are not currently in the public domain.
Based on industry feedback, we have highlighted certain key issues and concerns arising from the Clarifications.
1. Lack of clarity on why limitations on data storage by merchants and PAs has been prescribed
The Clarifications seem to have broadened the scope of the restrictions on data storage, which were envisaged by the Guidelines. While it appears that these restrictions have been imposed for the purposes of ensuring security and fraud prevention, it is unclear as to how limiting data storage will achieve this purpose. Instead, at times additional data may be required to screen transactions for fraud or illegal activity. Further, we note that the Guidelines provide technology related recommendations on information security, data security, security incident reporting, etc. that are mandatory for PAs. PAs are already required to undertake a comprehensive security assessment during the merchant on-boarding process to ensure that the baseline security controls are also followed by merchants. In the presence of such detailed security controls, it is not apparent why limitations on data storage by merchants and PAs has been prescribed.
Subscription businesses, including Over-the-top (OTT) and media platforms, need to store card data to provide their consumer services on a recurring basis. consumers expect subscription services to be provided in a seamless manner and provide merchants with consent to store and charge their card information until they cancel the service in accordance with RBI regulations. Moreover, consumers can seamlessly cancel their subscription digitally at any time. Without card data on file, merchants will need to ask for card information every billing cycle which will frustrate consumers and result in business disruption.
When a consumer makes a transaction and explicitly agrees to store card data with the merchant, the merchant becomes the first and foremost point of contact for consumer experience, customer service, fraud, refunds, etc. Without card data, merchants will not be able to perform basic functions such as resolution of consumer complaints/disputes, consumer service and speedy resolution of refunds requests and will be completely dependent upon PAs and banks to provide the same. While PAs have a regulatory obligation to resolve disputes, merchants still need to prioritize and resolve consumer concerns as consumer satisfaction is critical for their business. A deprecated consumer service would increase the number of consumer grievances and escalations, which could have been easily managed at the initial stage by the merchant itself.
Such merchants invest heavily in offering seamless and innovative payment experiences to their consumers in line with RBI’s vision of “Empowering Exceptional (E) Payment Experiences.” These innovations are often dependent on storage of card data. For example, merchants will be unable to provide customized checkout and single click payment, resulting in unnecessary friction for consumers.
We have informed RBI that a detailed submission on industry concerns in case merchants are prohibited from storing card data has already been made by us. We requested RBI to kindly consider our representation to RBI dated 24 June 2020 along with this submission.
We requested RBI to:
● Clarify or publish FAQs confirming that PCI-DSS compliant merchants who meet other applicable onboarding requirements in the Guidelines may continue to save customer card and related data.
● Confirm that PAs may continue storing card details subject to deployment of appropriate security standards and any further security related guidelines or specifications as RBI might suggest.
● Develop a framework to store card data to encompass the security measures (PCI-DSS compliance), reporting requirements and governance mechanisms. The PA may be made responsible to confirm merchant’s compliance with the framework. This may provide the right visibility to RBI and balance the needs of the merchant.
2. Definitional issues
a. Scope of ‘Payment Data’
While the Guidelines prohibit merchants from saving ‘customer card and such related data’, the Clarifications seemingly broaden this prohibition by stipulating that merchants are not permitted to store ‘payment data’. However, merchants can store limited data for transaction tracking. There are several definitional ambiguities in these prohibitions. At the outset, the scope of ‘related data’ in the Guidelines was not clear, leading to uncertainty as to the range of data, which could be lawfully stored by merchants. The Clarifications do not shed light on this and instead cast a wider net – the prohibition on storage now captures ‘payment data’ rather than only customer card and related data stipulated previously.
Distinction may be made on type of payments data; provided by customer (card data and other PII), generated by merchant/ e-commerce and data provided to merchant by PA/PG. However, neither the Guidelines, nor the Clarifications contain any definition of ‘payment data’.
We requested RBI to:
● Provide clarity on the scope and ambit of the terms ‘payment data’ (as referred in the Clarifications), ‘related data’ (as mentioned in the Guidelines).
b. Lack of clarity on scope of activities
Storage and Processing: The Clarifications place prohibitions on the ‘storage’ of payment data by merchants and of customer card credentials by PAs. However, there is no clarity on the treatment of activities such as processing and transfer of the data. Here, it may be noted that the FAQs related to the Localization Directiveii had made a distinction between storage and processing of payment data to the effect that payment data was to be stored in India but could be processed outside India. No such distinction has been made out here. This not only affects the ability of merchants and PAs to plan their operations, but also results in ambiguity over how the regulatory framework will be enforced.
Scope of ‘Transaction Tracking’: Under the Clarifications, merchants and PAs have been permitted to store limited payment data and customer card credentials respectively, for the limited purpose of transaction tracking. However, the Clarifications do not contain any guidance as to the meaning of ‘transaction tracking’. Transaction tracking could possibly be for ‘live’ transactions, i.e. tracking to monitor whether an individual transaction has been completed. Tracking could also be done at an aggregate level, to assess the overall success/ failure rate of transactions made in relation to a particular merchant or through a particular PA. Based on the understanding of ‘transaction tracking’, the scope of data which can be stored by the merchant or PA would accordingly narrow or widen. Therefore, it is critical that a clarification as to the scope of ‘transaction tracking’ is made.
We requested RBI to:
● Provide clarity on the treatment of activities such as storage, transfer and processing of the data.
● Provide clarity on the scope and ambit of the terms ‘transaction tracking’ (as referred in the Clarifications)
c. Scope of exception for delivery versus payment and postpaid transactions
In paragraph 1(d), the Clarifications state that delivery versus payment transactions (“DVP transactions”) are not subject to the provisions in the Guidelines. It has been further explained that transactions in which the payment is made in advance and goods are delivered in a deferred manner, are subject to the Clarifications. However, this exemption provision leads to a few ambiguities.
First, a definition or precise understanding of DVP transactions has not been provided in the Clarifications. In this scenario, it is not clear which types of transactions would be exempted. For example, it is unclear whether post-paid models of sale would be exempted, wherein the good or service is provided to the customer before payment. For instance, wherein user is offered goods and services upfront but card is charged later basis the stored card details by the merchant.
Second, the Clarifications state that they apply to deferred delivery of goods. It is unclear whether the same are applicable to deferred delivery of services, especially where services are utilized over a period of time (including cases where the entitlement/ right to the goods/ service has been duly received upfront, however, this may be utilized at the customers’ discretion subsequently with no risk of non-delivery).
Third, the Clarifications do not specifically distinguish between B2C and B2B business models of commerce. In this context, it is uncertain whether the provision of online services such as advertising provided on a B2B basis would be covered within the ambit of the Clarifications and the Guidelines, or not.
Fourth, in paragraph 1(c), the Clarifications state that the Guidelines are applicable to e-commerce marketplaces that are undertaking direct payment aggregation; and e-commerce marketplaces availing services of a PA shall be considered as merchants. Given the above, it is unclear whether other models of e-commerce such as inventory based e-commerce fall outside the scope of the Guidelines.
We requested RBI to:
● Confirm that the definition of DVP and DVP exemptions as mentioned in the Clarifications, will be interpreted in accordance with the 2009 Intermediaries Guidelines.
● Confirm that merchants and e-commerce entities doing DVP transactions ( as per 2009 Intermediaries Guidelines) be exempted from storing payments /user card data.
● Provide additional clarity on industry prevalent payment models ( pre-paid) where payment and delivery of goods and service happens simultaneously.
● Issue a FAQ/clarification on scope of exemptions as applicable.
We have requested RBI to formally publish the Clarifications on its website so that any ambiguity on the genuineness of the document gets eliminated.
Read our previous blogs on PA/PG Guidelines here.
For any questions or clarification on this issue, please write to firstname.lastname@example.org.