by niyaven 1646 days ago
Disclosure: I work for a fintech in India, specialized in card payment.

It seems here people see this rule as "merchants can't store card numbers any more". This is actually a lot more than that, this is the new rule: you cannot store card numbers for recurring payment. Even if you are PCI-DSS compliant. Even if you are audited by the RBI. Even if you're sponsored by a bank. The only way to store a Visa number is to use the Visa tokenization service.

Now if you know a bit of the card payment industry, you will know that you need the card number just to process the payment, the refund, etc. So you still have to store the card number. And you can. You just can't use it for recurring payment any more.

My personal take: Giving full control to Visa and Mastercard over their card numbers for recurring payment seems to be a nice transfer of power to these two giants. But the time scale has been very short (a few months only). So practically, most recurring card payments will stop working or be illegal in two weeks. This will more or less break existing subscriptions working with cards.

India (the RBI at least) has been in a campaign for independence in the payment infrastructure. American Express[0], Diners[1], Mastercard[2] have been banned in India. Diners' ban has been lifted now, but still. Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].

This change is not for the sake of security. You can have the best firewalls, cutting-edge HSM, security team and pass 12 audits a year. You will be allowed to save these card numbers but you won't be authorized to use them for recurring payments. This is just a move against cards, and to promote UPI instead. By making recurring card payment a hindrance, more people will transition to UPI.

[0] https://www.americanexpress.com/en-in/company/notice/rbi-imp...
[1] https://www.reuters.com/article/india-banking-american-expre...
[2] https://westfaironline.com/138440/mastercard-banned-from-new...
[3] https://www.npci.org.in/PDF/npci/statics/RETAIL-PAYMENTS-STA...
[4] https://economictimes.indiatimes.com/opinion/et-editorial/st...

4 comments

I don't agree with your interpretation on this being a stealth tactic but even if this was one it's just the state institutions acting in the interest of their mandate. This might not be beneficial to your employer or Visa or MasterCard or few high flying credit card users of the super rich class but it is in the interest of the people.

If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt or other interests it's the right thing to discourage them directly or indirectly.

Think in the interest of the people. WTO commitments are not worth the paper they are written on. State should do the right thing to benefit the people as a whole not worry about inconvenience to a few people or few middle men or foreign companies.

Ah maybe my comment is not clear, I am not judging on whether this is a good/bad move for people. I wanted to explain that the card number will still be stored: it only applies to recurring payment (at least for now). So for anyone worried about entities storing the card number... this will continue.

I understand the confusion, but just to clarify I'm a big fan of UPI :).

Now, is it a good move for the people? It's a complex topic, one could write a lot about it. This move will push people away from cards because card tokenization won't be supported for a while, making recurring payment harder. It's well known that very small amounts of friction can drastically reduce the conversion rate. Entering the card details every time is a hassle for sure.

So more UPI payments. But today there are no MDR for UPI transactions, meaning fintechs and banks are losing money when they process these transactions. For banks, it's supposed to be ok because a digital transaction is cheaper than a physical one. For fintechs, this is tough, you need to find money somewhere else. So less money = less incentives = less innovation. However there have been talks to put back some fees on UPI (banks are pushing a lot on this).

On the other hand, more card payments = higher MDRs. So merchants or customers, or both, will pay more to process the transactions. Banks and fintech get more money. But with a lack of competition, because of the current duopoly (Visa/Mastercard), and the difficulty to enter the market due to strict regulation, innovation is far from its peak. Just by looking at how long 3DS2 takes to roll out you can see that there is a lot of inertia.

It's not black and white, as often. Personally I think UPI is a better direction. The only downside is that it is only for domestic payment. I'd love to see an EU initiative as successful as UPI: instant payment could be the EU equivalent but the fees are crazily high in some countries.

MDR problem can be solved as you indicated. It also needs a solution pretty soon too.

EU and developed countries' banks live and finance their profits on fees as they don't make much or any money on loans and other traditional financial tools. Those fees aren't going to go away.

> If they think it's time to move beyond cards due to the strategic overdependence on foreign service providers like Visa who can disrupt the Indian financial system at the behest of their US govt

Is there any evidence that the RBI actually thinks this? You seemingly criticise GP on their inference of an ulterior motive but then posit your own ulterior motive.

Yes, some basis exists for such assumptions. RuPay and UPI were originally conceptualised by RBI and Govt of India to solve the overdependence problem. Otherwise RBI and GoI had no reason to introduce RuPay and they could have let the market develop organically.

Recent RBI moves of data localisation and enforcement actions against Diners, American Express and Mastercard also indicate strong intent.

I'm talking about your statement of "disrupt[ing] the Indian financial system at the behest of their US govt".

It's a pretty strong claim. If you have any evidence for this, please share it here.

It's a potential situation India is always worried about from a strategic aspect. India is neither strategically aligned to the US nor against it. Historically US strongly supported India's enemies and actively worked against India's interests all the way from 1945 to mid-2000's. US under various administrations even threatened attack or sanctions when things don't go their way.

Current day:

Right now in 2021, US is threatening sanctions under a US law called CAATSA just because India bought a few missiles from Russia which is a long standing defence supplier to India. I know that CAATSA is forced on Biden and Trump by US Congress but it doesn't matter to India whether the US executive is doing it intentionally or not, the US state is threatening sanctions over CAATSA. In this era, when India is actively fighting/hindering Chinese aggression on its borders and taking actual casualties where acting against China is also in US interests, US threatens economic sanctions against Indian institutions and companies just because they bought a few surface to air missiles which they think are the most economical option to deter Chinese attack.

US Treasury calls India a currency manipulator and threatens to cut off India from the USD financial system (as per US appropriation acts enacted to target China) although economists call such a designation as stupid when used against low per capita income developing countries with a current account deficit just because India tries to prevent an exchange rate blowout that could lead to many millions of Indians falling below the poverty line or losing line of income.

Historical:

In 1999, Clinton threatened to summarily sanction India on all fronts including financial when India threatened to go beyond the de-facto border to restrain Pakistan forces after they occupied Indian territory in Kargil. This threat repeated in 2002 after they supported the Pakistani position after Pakistan sponsored terrorists attacked the Indian parliament and India threatened to retaliate against Pakistan.

Every time Pakistan does something stupid against India, US intervenes and threatens to sanction India under the vacuous argument that they want to prevent a "nuclear armageddon". It's not in India's interests to succumb to such threats when they aren't the source of the problem.

In 1998, when India tested its nukes for the 2nd time, Clinton placed a breadth of sanctions on India because US doesn't like nuclear proliferation although India had nukes since 1974 and everyone knew Pak had since the mid-1980's and US turned a blind eye although it knew that China, Pak and North Korea are working together on them. US wants so called strategic balance between India and Pakistan and actively supports Pakistan on many issues. This prevents India from deterring China as it has to spend resources countering Pakistan which itself is propped up by US Military and economic aid.

In 1971, Nixon threatened to nuke India if India doesn't withdraw from current day Bangladesh when India intervened to stop a Pakistan Army led genocide and the resulting refugee crisis. Nixon didn't follow through because India convinced USSR to provide a similar counter threat.

What happens to an economy if 100% of retail electronic transactions stop overnight?

It is not in India's sovereign interest to let foreign companies control any significant chunk of the financial sector and it's especially not acceptable if they are US companies because US frequently uses this leverage of threat of sanctions to get its way against Indian interests.

> Rupay is a failure with a market share of 0.34%[3] (in comparison UPI is at 37.73%), in spite of having ZERO MDR on debit transactions[4].

Rupay's failure is because of zero MDR, not in spite of it.

I believe merchants are not allowed to charge extra for visa or mastercard, but there is a hefty commission paid to them.

They then use this to attract customers and/or banks to sign up. Rupay customers end up paying part of the hefty commissions (albeit indirectly) that Visa charges the merchants and the Visa customers get discounts, cash backs and offers.

A payment network is just a payment network, they shouldn't be using their market dominance to run marketing schemes.

> I believe merchants are not allowed to charge extra for visa or mastercard, but there is a hefty commission paid to them.

This is not the case in India but is the case in other markets, yes. The IRCTC (national railway company) is for instance displaying it and the customer has to pay fees depending on the selected payment option. Some actors even hide this amount until you reach the page asking you for an OTP! I don't think it's necessarily done with malicious intent, but it exists.

Sometimes you won't see Visa or Mastercard but instead "Debit Card" and "Credit Card" vs "Rupay" for instance.

But IRCTC is a behemoth (though it is publicly listed).

We are talking about smaller merchants, would they be able to get away with the same?

What you are saying does not align with the text of the directive. It clearly says that card numbers cannot be stored for any purpose. Quoting from the directive:

> With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.