Digital Economy

Virtual Stakeholder Discussion: The Payment Aggregators and Payment Gateways (PAPG) Guidelines

The Reserve Bank of India (‘RBI’), in March 2020, released guidelines addressing concerns around the manner in which payment aggregators and payment gateways (‘PAPG’) collect and store merchant data during the onboarding process. The PAPG guidelines, in Rule 7.4, prohibit merchant websites from storing card-on-file and related data. Compliance with this provision will be challenging and has the potential for business disruption. The driving reasons behind the prohibition are the data security and privacy concerns raised by such a storage mechanism. This point of view has been reinforced by the RBI’s criticism of security standards such as PCI-DSS and PA-DSS, which it feels are not robust enough and whose implementation has not stopped breaches of card data in the past. The RBI, in August, relaxed a few of the Additional Factor of Authentication (‘AFA’) requirements. However, it is still important to analyse whether these decisions are optimal for the long-term health of the financial regulatory frameworks in this country.

The objectives of the discussion were to dissect the ‘PAPG Guidelines’, examine the primary concerns raised by various stakeholders and analyse the efficacy of the revised e-mandate guidelines. The panellists agreed that before drafting guidelines in this space in particular, it is important to consult industry experts and key market players. Their familiarity with the concerns faced not only by consumers but also by other PA/PG will allow for greater ease of compliance and will boost the country’s digitization efforts.
