Reserve Bank of India Introduces Major Change to Cardholder Data Rules
In an increasingly interconnected world, changes in one national or regional economy can have effects that ripple across the entire global marketplace. That’s precisely what’s unfolding right now with new recurring transaction rules mandated by the Reserve Bank of India (RBI).
In August 2019, RBI issued a framework for processing e-mandates on recurring billing transactions. The bank originally advised all stakeholders to complete the process of migrating to the new framework by the end of March 2021. However, due to concerns that this would inconvenience consumers, RBI decided to extend the timeline for stakeholders to migrate to the framework by six months. The projected deadline for compliance is now set for September 30, 2021.
Even with the delayed time frame, though, these changes are still expected to rock the global payments industry. Let’s run down these changes, and see why merchants should be concerned.
Consumer Protections Under the e-Mandate Circular
This all refers to the e-Mandate Circular, a directive issued by the Reserve Bank of India on the processing of recurring transactions. The circular was drafted in 2015 by RBI and the National Payments Corporation of India (NPCI) to enable businesses to collect recurring payments without engaging the consumer for each transaction.
The document outlines customer rights and protections imposed as part of the recurring billing process. These rules apply to card payments with a maximum transaction limit of ₹2000 per transaction (around US$27). Also, for the cardholder to provide a mandate for the merchant to conduct recurring transactions, all of the following must apply:
- Cardholders must go through a one-time registration process with two-factor authentication (2FA) before a merchant may process a recurring transaction.
- All recurring transactions must have a predetermined, fixed value.
- All recurring transactions are subject to a maximum value.
- Merchants must send pre-charge notifications to customers before processing a recurring charge.
- Pre-charge notifications must be sent by email or SMS at least 24 hours before any charge.
In addition to the requirements listed above, a merchant must supply “all transaction information” to the customer before conducting any recurring transaction. This includes the following information:
- Merchant name
- Transaction amount
- Date and time of the charge
- Transaction reference number
- Brief explanation giving a reason for the charge
- Instructions informing the customer how to withdraw a mandate for rebills
- Information about how to file complaints and receive compensation from the merchant
Finally, the document stipulates that issuing banks must give cardholders access to an online method of withdrawing consent for rebills at any time. Once the customer withdraws this consent, the merchant will not be allowed to process any further transactions for that mandate.
No Access to Cardholder Information?
The second aspect of these rule changes is perhaps far more impactful. The Reserve Bank of India has also proposed that online merchants, payment aggregators, and eCommerce websites will no longer be able to store payment card data.
The guidelines, as they’re currently written, refer only to “customer card and such related data.” This is troubling, as the specific definition of “data” used in this case has been left vague by the draft. The “data” in question might include card numbers, expiration dates, or even customer billing information.
By RBI’s own admission, “These new rules will have a significant impact on merchants and solution providers in this region.” The rules have a stated goal of “working to secure transactions and continually introduces new policies, mandates, and regulations to help secure the financial payments system.”
However, this is a cause for concern among retailers. It’s already been pointed out, for instance, that forbidding merchants from storing cardholder information (depending on what that information entails) could make it impossible to manage chargebacks.
How Will Chargebacks be Impacted?
Chargeback management is a complex process. It can require that merchants comb through mountains of records to identify and present the right documentation to the bank. If merchants can’t store cardholder information, though, that will be a problem. Such documentation can include:
- Delivery confirmation receipts
- Signed orders
- Sales receipts
- Transaction metadata
A merchant has to act fast in the event of a dispute. They need to match transaction data to the cardholder’s claim, which would be extremely difficult if the merchant can’t store that information. This would make chargeback representment nearly impossible for some merchants.
Chargebacks aren’t the only concern plaguing merchants in regard to this ruleset, though. For instance, it would also be extremely difficult to handle customer complaints without the benefit of complete transaction data. Even worse, lack of access to crucial transaction data will make it difficult to accurately diagnose fraud and deploy tools to manage attacks. So, while these rules are meant to protect consumers, they may actually cause more fraud and abuse than they prevent.
Merchants Need Clarification on This Rule Set
No one is certain (as of this writing) if the rule change will affect cross-border transactions. Some parties suggest it will, but others say cross-border transactions are exempt from these data rules. The problem is that everything is still very unclear at this point.
Several large brand retailers have already complained to the Reserve Bank of India about this rule change. They’ve pointed out that their online payment experience would be severely hindered. At the very least, retailers want guidance as to who will be impacted, and how.
Be sure to check back for further updates as this situation continues to develop.