Several leading consumer internet companies such as Flipkart, Amazon, Netflix, Microsoft and Zomato have written to the Reserve Bank of India (RBI), asking that they be allowed to store card data of customers even after the new guidelines for payment aggregators and payment gateways kick in from July this year, which will forbid merchants from storing card data.
These companies sent out a letter to the RBI on February 1, a copy of which CNBC-TV18 has seen.
The companies have cited a big impact on customer payment experience on their platforms if they are not exempted.
Usually, a lot of consumers store their card data on platforms such as Amazon, Flipkart or Netflix so that they do not have to enter the details every time they transact. But that will change with the new rules.
Single-click payments and customised checkouts will be impacted and consumers will have to enter card details for every transaction. Recurring payments for subscription-based services will be impacted as platforms such as Netflix will now have to ask consumers for card information for each billing cycle and will not be able to automatically renew services.
Standing instructions and e-mandates, where a user automates payments at fixed intervals to another entity, will be impacted.
The guidelines for payment aggregators and payment gateways were issued on March 17, 2020, and among many new rules, they state that a 'merchant site shall not save customer card and such related data'. These rules will apply to merchants and even to payment aggregators starting July 2021.
CNBC-TV18 has learned that the Payments Council of India had also made a similar case for payment aggregators to allow them to store card data, but sources said the RBI had rejected any such exemption. The recent Juspay data breach, in which 3.5 crore records with masked card data were breached, has also spooked authorities.
The ecommerce companies argue that they are PCI DSS Level 1 certified merchants and hence, should be allowed to store card data.
PCI DSS is the Payment Card Industry Data Security Standard, an industry standard for best practices when it comes to secure storage of card details.
PCI DSS Level 1 certification applies to merchants processing over 6 million credit/debit card transactions annually, and the certification entails that card data is encrypted. There are 12 different security requirements for such a certification. These consumer internet companies are also seeking a meeting with the RBI to present their case.
The crucial point being put forth by the consumer internet players is the impact on consumers when it comes to the payment experience on their platforms.
Apart from the customer experience, the companies have told the RBI that there could also be an impact on fraud risk assessment, because it could prevent merchants from using any internal tokenisation methods to protect card data.
There could also be a slowdown in the resolution of customer disputes if the merchant does not have the card data, the companies said.
None of the companies cited, or the RBI, responded to CNBC-TV18's queries.
(Edited by: Jomy)
First Published: Feb 12, 2021 8:31 PM IST