December 15, 2021
Facing Reserve Bank of India Payment Regulations? Skyflow Has Solutions
If your company deals with customer data — personal information, credit or debit card details, and so on — you know that you have an enormous responsibility to your users. Beyond the usual concerns around security breaches and the increasing customer expectations of privacy, new regulations from the Reserve Bank of India (RBI) are forcing companies to reevaluate how they handle their customer data.
In March 2020, the RBI announced new regulations for payment aggregators (PAs) and payment gateways (PGs, or merchants) that store payment card data in India. The regulations, which go into effect at the end of 2021, allow only authorized card networks to store credit card numbers. PAs and PGs operating in India are racing to come up with solutions to the new regulation, which is set to disrupt the way automated payments are processed. This is the latest development in a global trend in digital regulation aimed at reducing the risk of payment card data breaches, a trend that is forcing companies to radically rethink their data security strategy.
You can’t just build your own security solution to comply with RBI payment card regulations — you must use the network tokenization service provided by the card networks. This works as follows: when a user registers a payment card number, it’s replaced by a token provided by the card network. This token is valid only for a limited use — at this specific merchant, or only for contactless payment, or some combination. As a result, the card number isn’t stored on the user’s device, in the merchant’s database, or with the payment aggregator. To process payments, the token is passed to the card network, which detokenizes it, replacing it with the PAN (primary account number, i.e. the card number), and passes it to the issuer. This way, the customer’s payment card is used securely, with much lower risk of it being compromised in the event of a data breach at the merchant or PA.
What Problems Do the New RBI Payment Card Regulations Solve?
PAs and PGs store payment card data because it allows them to rapidly process and automate card payments. However, payment card data is a popular target for hackers because it can be used to make fraudulent purchases or sold to third parties. The goal of the new regulations is to eliminate this risk and ensure that hackers can never access a data store containing large amounts of payment card data.
What Challenges Do the New RBI Payment Card Regulations Introduce?
When the new regulations go into effect, merchants and PAs without a tokenization solution will have to ask their customers for payment card data every time they process a transaction, slowing down the payment process and adding inconvenience for anyone using their system. Much like paying for something at a brick-and-mortar business with a point-of-sale system, cardholders will have to enter their card data every time they make a purchase.
You can comply with the new payment card data regulations while still allowing automated payments by using tokens as substitutes for payment data. Rather than storing payment card data yourself, you can store a token which is used to process payments. You never have direct access to the payment card data, keeping you in compliance while avoiding the need to repeatedly ask your users for card information.
Skyflow's Turn-key Tokenization Solution for Payment Card Data
Despite network tokenization being one of the most effective ways to comply with the RBI legislation, many merchants and PAs will be hard-pressed to make the extensive infrastructure changes necessary to handle tokens before the late 2021 deadline.
Even after these changes, companies will find that they still handle other sensitive user data which also raises security and compliance concerns. Instead of making all these changes to meet just one goal, you can implement a comprehensive solution by using Skyflow Fintech Data Privacy Vault, which includes a robust tokenization tool. To learn more about how tokenization works at Skyflow, take a look at our documentation.
The Fintech Vault seamlessly integrates with card networks to provide a compliant, secure, and convenient system to meet all of your goals. Built using Amazon Web Services and available in the AWS India region, the Fintech Vault lets you meet the RBI’s payment card deadline without inconveniencing your customers. And because it runs on AWS India, Skyflow is also a great way to meet data residency requirements.
How it Works
A basic (insecure) workflow for payment card processing would look like this:
Here, a user enters their personal and financial details in a merchant’s app or website, which stores those details in the merchant’s database. During payment, this information is transmitted to the PA or PG, which sends it to the card network and the card issuer.
The RBI mandate requires instead that the user’s payment card information is stored in a vault and replaced by a token, like this:
While this is a big improvement over the basic implementation, you can see that the merchant is still holding other sensitive user information. This information is useful for many reasons, which is why businesses collect it. However, for about the same complexity a business can extend the same principle of tokenization to all sensitive user data by using a Skyflow vault, like this:
In this case, all of your customer data is tokenized directly from the merchant’s app:
- The credit card details are replaced by a network token, acquired from and used by the card network.
- Other sensitive user details are tokenized directly by Skyflow. You can use these tokens for other workflows, such as performing a KYC check to validate customers, emailing promotional items, shipping purchases, and so on.
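The vault-and-token flow described above, as an added simulation written for this post (constructed here; it is not Skyflow's or any card network's code, and all class and function names are hypothetical). It shows the three security properties the mandate relies on: the merchant database holds only a network-issued token, the token is bound to the merchant it was issued to, and only the network side can map a token back to the PAN.

```python
import re
import secrets

# Matches a bare 13-19 digit card number; used to audit what the merchant stores.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check, used here as a stand-in for issuer-side validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class NetworkTokenService:
    """Hypothetical stand-in for a card network's tokenization service:
    the only party that ever holds the token -> PAN mapping."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}   # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Random token, not derived from the PAN, so it cannot be reversed offline.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount: int) -> bool:
        # Detokenize only for the merchant the token was issued to (limited-use token).
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False
        pan, _ = entry
        return amount > 0 and luhn_ok(pan)          # forwarded to the issuer in practice


class Merchant:
    """Merchant app/database: stores tokens, never the PAN."""

    def __init__(self, merchant_id: str, network: NetworkTokenService) -> None:
        self.id, self.network, self.db = merchant_id, network, {}   # customer -> token

    def register_card(self, customer: str, pan: str) -> None:
        self.db[customer] = self.network.tokenize(pan, self.id)

    def charge(self, customer: str, amount: int) -> bool:
        return self.network.authorize(self.db[customer], self.id, amount)


def merchant_db_has_pan(merchant: Merchant) -> bool:
    """Audit helper: True if anything stored by the merchant looks like a card number."""
    return any(PAN_RE.search(v) for v in merchant.db.values())
```

A breach of the merchant's database yields only tokens, and a token replayed by a different merchant id is refused by the network, which is the limited-use property the post describes.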
Compliance with the RBI payment card mandate requires sophisticated solutions, because point-fix solutions are too burdensome in a world of ever-evolving data privacy regulation. By using Skyflow Fintech Data Privacy Vault, you can not only meet the network tokenization requirements of the RBI mandate but also solve related issues of customer data privacy and data residency.
To learn more about how Skyflow Data Privacy Vault can help you, please get in touch with us.