## Wednesday, May 26, 2021

### Should consumers be restricted from storing their card data on the internet?

by Renuka Sane, Ajay Shah and Bhargavi Zaveri.

Over the last few months, there have been a number of cases of leaks of personal data from different service providers such as Juspay, MobiKwik, Dominos, and more recently Air India. This has led to concerns about protecting customer data, and calls for better regulation of data storage and cyber security.

One response to the problem of data breaches has been a prohibition imposed in March 2020 by the Reserve Bank of India (RBI) on payment aggregators (PA), payment gateways (PGs) and merchants from storing consumers' card data on their servers. Effectively, this means that every time a consumer uses a merchant's website, such as a food ordering or a taxi-hailing application, she will have to re-enter her 16 digit card number and other payment details to complete the transaction. This also hinders recurring payment transactions, such as subscription based services and automatic debit instructions issued using credit or debit cards.

In a new paper, we argue that a blanket prohibition on the storage of card data by consumers is problematic. We recommend less intrusive approaches to address concerns about breaches of card information stored by consumers on websites, such as better security standards, tokenisation and liability frameworks.

### Why is the current approach problematic?

The card data storage prohibition impacts every consumer who transacts on the internet. It affects every business that accepts payments using a credit card, a debit card or a prepaid instrument (PPI). We estimate that the prohibition affects a transaction value of about Rs.3 billion per month. Customers who make payments using data stored by them on the websites of their merchants, online marketplaces as well as utility bill payment services will be deprived of the ease and convenience of saving detailed information of their payment mechanism and instruments on the websites of merchants. They will now have to invest time and effort in making alternate arrangements in making payments. A few seconds of effort multiplied by millions of transactions adds up to a serious burden upon the economy. Many people will find this additional effort to be too much of a burden, and millions of transactions might be disrupted, which is also a cost to the economy.

Besides the loss to consumers, the prohibition could potentially favour certain technologies in the payments industry, such as the Unified Payments Interface (UPI) and net-banking, since the prohibition does not apply to them. It is one thing for some payment instruments to be preferred by consumers because they are seen to provide better security features (such as non-storage of details). But when state actions tilt the competitive playing field in favour of some players or technologies, or when state actions shape the design of products or processes, this raises concerns about central planning.

The RBI has not demonstrated how the potential benefits of the card data storage prohibition outweigh the costs this imposes on customers and payment intermediaries through direct channels (millions of transactions where additional seconds are spent on supplying information every month) and indirect channels (government influence upon the technological choices of society, and the costs incurred by firms in changing over from one technology to another).

Traditionally, such concerns were a part of the new field of public administration, regulators and state capacity in India, where researchers and thinkers were exhorting regulators to work in better ways and proposing modifications of laws. These concerns now connect into an emerging jurisprudence about the minimum standard of processes that regulators must rise to, before using the coercive power of the state.

The card data storage prohibition does not meet the proportionality test laid down by the Supreme Court for delegated legislation. In Internet Mobile Association of India v. Reserve Bank of India (2018), the Supreme Court struck down the RBI circular that effectively prohibited exchanges facilitating transactions in virtual assets and virtual currencies on the ground of proportionality. The RBI has not demonstrated the manner in which the card data prohibition meets the requirements of this test.

The proposal also did not undergo an open transparent public consultation process. In September 2019, the RBI had issued a Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators. Indeed, in its press release dated 17th March, 2017, issued along with the PA/PG Guidelines, the RBI explicitly stated that the said guidelines were 'based on the feedback received' on this discussion paper. However, the discussion paper did not contain its proposal to impose a complete prohibition on card data storage by merchants. On the contrary, the discussion paper proposed giving consumers a choice to save their card data on the websites of merchants, with a default setting of declining to save such data. The imposition of the card data storage prohibition, despite its exclusion in the discussion paper, is thus presented to the merchants and the consumers as a fait accompli. This violates the norms of a responsive public consultation process emphasised by the Supreme Court in Cellular Operators Association of India vs. TRAI (2016). In this case, the Supreme Court reprimanded the Telecom Regulatory Authority of India for not taking into account the arguments of telecom service providers while making a regulation imposing penalties for dropped calls. The court ultimately struck down the regulation.

The consequences of a deficient consultation process manifest themselves in the form of repeated clarifications on the scope and implementation of the data storage prohibition. As we explain in the paper, the scope and implementation of the card data storage prohibition have undergone revision twice in a span of a year. This reflects the weaknesses of RBI's consultation process conducted in 2019.

### Alternative approaches

We argue that while a payment transaction will always involve a non-zero probability of fraud and data leakage, a prohibition is not the answer to these concerns. The path to sound policy analysis involves the application of data security standards, liability frameworks and tokenisation. Data breaches are largely associated with risks that can be classified as 'operational risk'. Operational risks are best dealt with through technology design by merchants and intermediaries in the transaction cycle. PAs and PGs are already required to abide by higher data security standards, than those applicable to other firms in India. If these standards are found to be inadequate, then the RBI must demonstrate the inadequacies of these standards, instead of resorting to a prohibition. The RBI has the authority to require its regulated entities (such as PAs) to ensure that the merchants connecting to them adhere to higher standards.

Similarly, the regulatory framework must incentivize an efficient and dynamic approach to risk management by firms. The rules governing the allocation of losses between various stakeholders - consumers, merchants, card (or other payment system) operators, and PAs/ PGs, shapes these incentives. The rules should be designed so that they a) minimize inconvenience to the consumer, and b) incentivise payment system operators and PAs/PGs to minimize the risk of loss of consumers' data and money. A stable loss allocation rule creates incentives for a dynamic approach by the firms, who continuously respond to emerging threats, and to the improved possibilities for fraud prevention that are made possible by technological change.

Another way to implement better security is through tokenisation, where the card account number is masked by a single-use randomised number (or character) of the same length. With tokenisation, each card number is now represented by a token. The original number need not be stored in the databases of merchants, PAs or PGs. In January 2019, the RBI permitted card networks to offer tokenisation services to any third party app provider. The RBI should consider expanding the scope of the permitted tokenisation offerings, so that payment system intermediaries can make appropriate choices.

### Conclusion

This paper has engaged in a deep dive into one regulation-making project at the RBI, and argued that there were critical flaws in this work. The RBI has sought to address concerns of data security in payment systems through a regulatory strategy which assumes that it possesses deep knowledge of products, technology and consumer behaviour. Policy analysis works better under a more humble approach, where it is assumed and understood that firms and their customers understand consumer preferences and technology the best.

Regulators in India wield substantial legislative, executive and judicial powers, and a substantial literature has demonstrated the repeated failures of the work taking place in these organisations. An emerging Indian jurisprudence has started questioning the working of regulators and the checks and balances surrounding the powers of officials in regulatory agencies.  These developments require regulators to demonstrate high standards of analysis and evidence before intervening into the working of the economy.  This paper shows one example of these difficulties, and serves as an example in envisioning how better legal foundations would generate improved state capacity.

#### 1 comment:

1. While proportionality is an important concern, so should be effectiveness. Does the evidence show that the extra controls are indeed effective or likely to be? Many regulations are easily provable ineffective based on past data, or are later found ineffective but the burden continues.

Take for example the OTP requirement for all online card transactions. India is unique in requiring it, and it has been in place for decades. Yet our fraud rate is not significantly lower than other places. Indeed OTP should make card number leakages inconsequantia , but obviously not.

Security regulations are in many cases easily testable. Putting two locks in the front door is usually not particularly more effective than one lock. Yet such effectiveness research rarely takes place, or is ignored in policymaking even when available (such as in the case of password rules).

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.