
What are the new RBI norms with regard to recurring card payments? – All you need to know

Have you recently started receiving emails/SMS from various banks and service providers asking you to re-register your e-mandates for automated payments such as OTT, newspaper subscriptions, etc.? This is because of the new RBI guidelines on recurring transactions, which come into force from October 1, 2021.

 

What are these new RBI norms?

 

In another step to secure digital transactions via credit/debit card, PPI or UPI, RBI has implemented the new auto debit rules. As per the new norms, all such transactions will have to be further secured with an additional factor of authentication (AFA) – 2-factor authentication. Any transaction, whether domestic or cross-border, using cards, without AFA, would be discontinued.

 

New rules for Automatic Payments – A Snapshot

 

Registration of e-mandate
  • A one-time registration process of card, with AFA validation, irrespective of transaction amount

Processing of first transaction
  • Transaction will be processed, with AFA validation

Pre-transaction notification for subsequent transactions
  • Transaction amount <= INR 5,000: Customer will receive a notification giving information about the debit. Nothing further has to be done & the debit will be executed.
  • Transaction amount > INR 5,000: Customer will receive a notification, at least 24 hrs prior to actual debit, for approval. Approval is through 2-factor authentication. Post successful AFA, the card will be charged.

Managing of e-mandates
  • The issuer to provide online facility to pause/cancel the e-mandate at any point of time, requiring AFA

Source: RBI

 

Further to this, the bank/issuer is required to collect additional information, such as the validity period of the e-mandate, at the time of registration. If required, the facility to modify the validity period shall also be provided.

 

The banks also need to send a post-debit notification to the cardholder once the auto-debit is processed. Finally, they need to set up a redressal mechanism to address customer grievances related to this.

 

What will be its impact on payments?

 

This move was introduced to protect consumers by safeguarding pre-stored card data and preventing digital fraud. It especially protects those consumers who hastily give their consent to unnecessary automated payments and fall prey to data breaches.

 

With the new guidelines coming into implementation, all such recurring payments need to be reviewed and re-registered with respective issuing banks to avoid transaction failure.

 

However, these will only impact standing instructions (SIs) on cards. The automated instructions under UPI Autopay, e-NACH and other SIs to banks will not be impacted.

 

The directive will empower card users and will give them more control over their transactions. They can now determine and set the amount, velocity, etc, thereby managing such recurring mandates efficiently.

 

Way forward

 

For end consumers

 

Initially, this will impact customers to some extent, as the previous payment mode was meant to provide them with a seamless experience (especially for transactions above the INR 5,000 cap in B2B usage). Also, such payments may move to other alternate modes of payment such as e-NACH, UPI, etc for a better customer experience. However, in the long run with awareness they will realize that such regulations are for their benefit as it will eventually increase the security on card transactions. 

 

For Businesses

 

These guidelines will encourage businesses, particularly small and medium-sized businesses, to reach out to an untapped customer base, build new business models in and around subscription payments, and help grow this market multi-fold in the coming years.

 

To sum it up, the entire payments ecosystem is going through changes due to these regulations and all stakeholders are getting impacted in one way or the other. It will require banks/card companies/fintechs in the payments space to provide such portals to comply with the new regulations. However, there is still a long way to go as not only the banks/card companies, but the merchant/merchant aggregators’ ecosystem also needs to be in a state of readiness for its successful implementation. 

 


Banking as a Service (BaaS) – Entering into a New Era of Financial Ecosystem

Over the past few years, there has been an increase in the number of sectors, such as Travel, Retail and SaaS, expanding into financial services.

 

Well, Banking and Fintech is a collaboration that is still very new in the Indian economy. The new normal has definitely shaken up the world and it has impacted the traditional banking system. From visiting a branch to opening an account online has been a major revamp in the industry – to be honest, this is just the start.

 

New Fintechs every day are disrupting the old traditional ways of banking and challenging our generation to think something out of the box now and then.

 

BaaS is a vast topic and the meaning of this is changing as per the ask of the end customer every day. Let’s try addressing the details one by one.

 

What is BaaS? 

 

In layman’s terms, BaaS is a process that allows fintechs and third parties to connect with banks via APIs. Everything from opening an account to creating FDs can be done with the help of BaaS.

 

Offering these services to an end customer is not so easy and requires a lot more regulatory processes to be in place. For example: issuing prepaid cards – requires PPI license, giving credit to customers – requires NBFC license, and so on.

 

How does this work?

 

Banks obviously have licenses to offer various services, so they expose their systems to BaaS providers and these providers in return pay to banks for using their services. BaaS will allow businesses to fit the financial technologies and then the businesses will provide new solutions to end customers as per their needs and requirements.

 

Generally, the BaaS model begins with fintechs, banks or third-party providers (TPPs) paying fees to the BaaS platform. The financial institutions will open up their APIs to TPPs, thereby giving permission to access the systems and information required to build new banking products or offer white label banking services.

 

Let’s understand how this is different from old traditional ways of banking

 

In today’s era, opening an account is just a matter of a few minutes compared to the days where opening a bank account required walking to the branch. 

 

Today, if someone has to send money to their children/relatives sitting abroad – trust me, it’s not a task anymore. Of course, this requires the regulatory practices to be in place, however, there are fintechs who are supporting this while simultaneously abiding by the regulatory guidelines.

 

To change the entire structure in the back end and front end for banks is not an easy task and requires a lot of investment. In this case, the banks approach BaaS or Tech service providers to plug in the system and provide end-to-end services to the customer. 

 

Future of BaaS

 

Every day the financial industry comes across a new development, and the landscape is changing rapidly. Banks, fintechs and businesses are coming across new requirements frequently. Reaching out to new segments of customers and solving a problem statement is also a new revenue stream for the banks as well as fintechs.

 

Banks teaming up with the service providers and reaching out to end customers for providing innovative solutions is much required. APIs and applications play a major role in bringing these changes and need to be developed in a responsible way to provide long-term efficiency and scalability.


Tokenization: Creating a stir in the Payments Industry

In today’s world, increasing online fraud and cyberattacks are causing security and trust issues among the general public in the adoption of digital payments, and these data security issues have become a major concern for online service providers. Service providers have been looking into ways to reduce this risk. One such solution is “Tokenization,” a new buzzword in the payments industry. Tokenization adds an extra layer of security to users’ sensitive data and prevents online and digital data breaches.

 

The concept of digital tokenization is inspired by the concept of physical tokenization, which has existed since the invention of currency. Token coins replace actual coins or banknotes in physical tokenization. These token coins have a real identity and value, but they only have meaning in a limited and controlled space. For example, casino tokens have no value outside of the casino’s premises.

 

The payments card industry is using digital tokenization to protect users’ sensitive data and provide better customer assurance in order to increase their trust. It is a low-cost and simple-to-implement solution for merchants.

 

What is Tokenization?

 

Tokenization is the process of protecting sensitive data by replacing it with an unreadable token. The tokens can then be passed through the internet or the various wireless networks required to process the payment without exposing actual bank details. The actual bank account number is kept secure in a token vault.

 

Tokenization is commonly used to combat credit card fraud. It relieves merchants of the burden of storing sensitive card data of users, reducing the work and effort required to be PCI DSS compliant.

 

How does it work?

 

A customer makes an online purchase through an e-commerce website or offline through a merchant POS and then chooses a credit card payment method. The customer enters sensitive data on the portal, such as card number, CVV and cardholder name or enters a PIN on the POS machine. The card data collected is stored on the tokenization server rather than the e-commerce website server. The tokenization server processes the card data, stores the original card data on the Secure token server and generates a token of the same length from a random alphanumeric string. The token is then forwarded to the merchant’s acquiring bank. The acquiring bank sends the token to the card network, which processes it and shares card details with the issuing bank for payment authentication. Payment is completed when the issuing bank responds to the card network. The Card Network is the only entity that can read the token.

 

Tokenization Vs Encryption 

 

Data encryption and tokenization are similar in the sense that they both replace original data with a random code, but they are vastly different in terms of ciphering mechanism. 

Sensitive data is mathematically changed into a new code in data encryption, but the original data can be deciphered with the appropriate key. However, because there is no relationship between the token generated and the original data, the token cannot be reversed in the case of tokenization. Even if hackers obtain the token details, they will be unable to retrieve original data from that information, rendering the token meaningless and useless to them.
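The vault lookup described above can be sketched in a few lines. This is an added example, not code from the original article or from any card network; the `TokenVault` class, its in-memory storage, the `merchant_record` helper and the sample card number are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory stand-in for the secure token server."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:           # card already on file: reuse its token
            return self._pan_to_token[pan]
        while True:
            # Random draw of the same length: nothing is derived from the PAN,
            # so there is no key or formula that maps the token back.
            token = "".join(secrets.choice(ALPHABET) for _ in pan)
            # Require a letter so a token can never be mistaken for a PAN,
            # and retry on the (unlikely) collision with an existing token.
            if not token.isdigit() and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can resolve a token, by lookup rather than decryption."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise LookupError("unknown token") from None


def merchant_record(vault: TokenVault, pan: str, customer_id: str) -> dict:
    """What the merchant side keeps for card-on-file: token and last four digits only."""
    return {"customer": customer_id, "token": vault.tokenize(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    pan = "4111111111111111"    # constructed sample: a widely published test number
    vault, other_vault = TokenVault(), TokenVault()
    record = merchant_record(vault, pan, "cust-001")
    print("merchant stores:", record)
    print("vault resolves :", vault.detokenize(record["token"]))
    try:
        other_vault.detokenize(record["token"])
    except LookupError as exc:
        print("other vault    :", exc)
```

A stolen merchant record holds only the token and the last four digits; without access to the vault's mapping the token resolves to nothing, which is the difference from ciphertext that a stolen key would unlock.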

Tokenization is widely used by the payments industry across the globe due to its data security offering. Furthermore, it provides the following benefits to all stakeholders involved in the transactions. 

  • Customers can develop trust in online transactions as the likelihood of theft or leakage of sensitive data decreases significantly.
  • The merchant, acquirer and processor do not need to be concerned about the user’s sensitive data being compromised even in the event of a cyberattack because they do not store any such information. 
  • Merchants can provide a trusted and secure payment environment for their customers without obtaining PCI DSS certification, saving them the cost of such certification.
  • Tokenization of payments creates a safe and secure environment for users, merchants, payment gateways, financial institutions and regulatory bodies.

Tokenization is currently only available with Networks in India. Issuers must still evolve to make this a reality. 

 

The RBI issued a directive in 2020 stating that merchant payment aggregators and payment gateways could no longer store card credentials. To increase cardholder safety, RBI guidelines require a full-time shift, which is why tokenization must be implemented. And now there will be a plan in place for every issuer, merchant and network to implement this.


What is PPI? How can a business benefit from PPI?

PPI stands for Prepaid Payment Instrument. A PPI is a method that facilitates the purchase of goods and services against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holder, by cash, by debit to a bank account, or by credit card.

 

The prepaid instruments can be issued as smart cards, magnetic stripe cards, internet accounts, online wallets, mobile accounts, mobile wallets, paper vouchers, and any such instruments used to access the prepaid amount.

Some of the common examples of PPIs include Paytm and Gpay, gift cards, and debit or credit cards. In today’s piece, we take a look at three types of prepaid payment instruments.

  • Closed System PPIs
  • Semi-Closed System PPIs
  • Open system PPIs

Closed System PPIs:

These are PPIs issued by an entity for facilitating the purchase of goods and services from that entity only. No cash withdrawals are permitted. These instruments cannot be used for payment or settlement for third-party services. The issuance and operation of such instruments are not classified as a payment system and do not require approval/authorization from the RBI.

 

Semi-Closed PPIs

These are PPIs issued by banks (approved by RBI) and non-banks (authorized by RBI) for purchase of goods and services, including financial services, remittance facilities, etc., for use at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments. These instruments also do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.

 

Open System PPIs

These are PPIs issued by banks (approved by RBI) for use at any merchant for the purchase of goods and services, including financial services, remittance facilities, etc. Cash withdrawal at ATMs / Points of Sale (PoS) terminals / Business Correspondents (BCs) is also allowed through these PPIs.

 

How can a business benefit from PPIs?

 

Prepaid payment instruments in the form of mobile wallets, multipurpose, multicurrency, prepaid cards can accelerate sales, customer loyalty, and profitability. You can earn significant revenue for every transaction made through mobile wallet-enabled prepaid cards you issue.

Businesses must leverage PPIs to tap into the gigantic 760 million smartphone users base in India, who will most likely shop online and pay using mobile apps and wallets.

Using prepaid instruments, you can enable bank-like domestic and cross-border payments, but with greater efficiency, flexibility and security. Armed with the ground-breaking PPI reforms announced by the Reserve Bank of India (RBI), every business in India must ride the PPI wave to reap the utmost benefits.

The following are significant measures announced in the 2021 RBI monetary policy review, applicable from March 31, 2022.

  1. PPIs can offer Real-Time Gross Settlement (RTGS) and National Electronic Funds Transfer (NEFT) facilities to their users.
  2. Interoperability of full KYC PPIs is mandatory.
  3. The maximum balance of mobile wallets doubled to INR 2 lakhs from INR 1 lakh.
  4. Cash withdrawals enabled for full-KYC PPIs of non-bank PPI issuers (in addition to bank issuers)

These reforms have the potential to level the playing field between banks and non-banks, incentivize full KYC PPIs, and drive greater financial inclusion. Businesses that accept payments and remittances through prepaid payment instruments will experience higher customer acquisition, retention, and loyalty, increased customer lifetime value, and long-term profitability.

 

Who can issue PPIs?

 

The following entities can issue PPIs post authorization/approval of RBI.

 

Non-Banking Entities

  • They must be incorporated in India
  • Minimum paid-up capital — more than INR 5 crores
  • Minimum positive net worth — INR 1 crore at all times

NBFCs

  • Maintain an escrow account with any scheduled commercial bank in India

Banks

  • Compliant with PPI eligibility criteria established by the RBI

 

RBI’s new addition to PPI: Small PPIs can have cash up to ₹10,000 loaded per month

The Reserve Bank of India on 27/Aug/2021 issued Master Directions on Prepaid Payment Instruments (PPIs) with the fresh classification of the instruments.

 

“Keeping in view the recent updates to PPI guidelines, it has been decided to issue the Master Directions afresh,” the RBI said.

 

 

No entity can set up and operate payment systems for PPIs without prior approval or authorization of the RBI, it stated.

 

The master directions classify PPIs into two categories – small PPIs and full KYC PPIs. They were earlier classified as closed systems, semi-closed systems, and open system PPIs.

 

“Small PPIs: Issued by banks and non-banks after obtaining minimum details of the PPI holder. They shall be used only for the purchase of goods and services. Funds transfer or cash withdrawal from such PPIs shall not be permitted,” the RBI said.

 

PPI Classification

 

Small PPIs can have cash up to ₹10,000 loaded per month, not exceeding ₹1.2 lakh in a year.

 

Full-KYC PPIs will be issued by banks and non-banks after completing the Know Your Customer (KYC) of the PPI holder.

 

“These PPIs shall be used for the purchase of goods and services, funds transfer or cash withdrawal,” it further said, adding that the amount outstanding should not exceed ₹2 lakhs at any point in time.

 

The RBI has also said that the PPI issuer shall have a board-approved policy for PPI interoperability.

 

Where PPIs are issued in the form of wallets, interoperability across PPIs should be enabled through UPI. Where PPIs are issued in the form of cards (physical or virtual), the cards should be affiliated to the authorized card networks, it said.

 

PPI for mass transit systems should remain exempted from interoperability, while Gift PPI issuers (both banks and non-banks) have the option to offer interoperability.

 

“Interoperability shall be mandatory on the acceptance side as well. QR codes in all modes shall be interoperable by March 31, 2022,” it further said.

 

The RBI has also said the PPI issuer shall put in place a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle customer complaints or grievances, the escalation matrix, and turn-around-times for complaint resolution.


Everything You Need to Know About Your Card and Its Processing

It isn’t necessary to have intimate knowledge of the backend workings of the bank card system in order to find the best card processing system. But it’s a good idea to have a general understanding of how card processing works and the types of fees charged at various stages of the system.
This blog covers the key functionality of card processing services and will help you reach a better understanding of card processing. You’ll have in-depth details about what defines a payment solution provider, how processing works, the fees involved while doing any transaction, and the risk.

 

Actors Involved in Card Processing

 

The card processing company handles the processing and batching of purchases made with credit, debit, or gift card payments. They typically assist with technology needs and customer service, wherein they act as an intermediary between card associations and banks.

 

There are multiple stakeholders involved when a customer swipes their card at POS. The information below helps to summarize the essential roles involved in payment processing.

 

Cardholder

If you have a credit or debit card (as most of us do), you’re already familiar with the role of the cardholder. But to spell it out: a cardholder is someone who obtains a card (debit or credit) from a card-issuing bank, which they eventually use to purchase goods or services either online or offline at the store.

 

Merchant 

Technically, a merchant is any business that sells goods or services. But, only merchants that accept cards as a form of payment are pertinent to our explanation. So with that said, a merchant is any business that maintains a merchant account that enables them to accept credit or debit cards as payment from customers (cardholders) for goods or services provided.

 

Acquiring Bank (Merchant’s Bank)

An acquiring bank is often referred to as a merchant bank, as it contracts with merchants to create and maintain accounts that allow the business to accept credit or debit card payments. Acquiring banks provide merchants with equipment and software to accept cards and handle customer service and other necessary aspects involved in card acceptance. An acquiring bank is a registered member of the card association (Visa, RuPay, and MasterCard).

 

Issuing Bank

You have probably guessed the role of issuing banks by their name itself. The issuing bank is also a member of the card association (Visa, MasterCard, or RuPay).

 

Card Association

Visa, MasterCard, or RuPay aren’t banks and they don’t issue cards or merchant accounts. Instead, they act as a custodian and clearinghouse for their respective card brand. They also function as the governing body of financial institutions, ISOs, and MSPs that work together in association to support card processing.

 

Primarily, card associations govern the members of their association, including interchange fees and qualification guidelines, act as the arbiter between the issuing and acquiring banks among other vital functions.

 

What does card processing look like in motion?

 

Card processing basically works in conjunction with three distinct processes:

 

  • Authorization
  • Settlement
  • Funding

 

First, let’s take a look at the authorization process.

 

 

 

  • The cardholder swipes the card at the merchant POS in exchange for goods or services.
  • The merchant sends a request for payment authorization to their payment processor.
  • The payment processor submits transactions to the appropriate card association, eventually reaching the issuing bank.
  • Authorization requests are made to the issuing bank, including validation of parameters such as CVV, expiration date, etc.
  • The issuing bank approves or declines the request. The transaction can be declined in case of insufficient funds.
  • The issuing bank then sends the approval (or denial) statement back along the line to the card association, merchant bank, and finally to the merchant.

That’s the card authorization process in a nutshell.

 

Now let’s take a look at settlement and funding.

 

  • Merchants send batches of authorized transactions to their payment processor.
  • The payment processor passes transaction details to the card associations that communicate the appropriate debits with the issuing bank in their network.
  • The issuing bank charges the cardholder’s account for the amount of the transactions.
  • The issuing bank then transfers the appropriate amount for the transactions to the merchant bank, minus the interchange fees.
  • The merchant bank deposits funds into the merchant account.

 

That’s the simplified card payment processing system wherein the authorization takes a matter of seconds. Settlement and funding that used to take days are now always handled overnight, helping you get your money quickly.
