Also in this letter:
■ Banks ask customers to tokenise credit cards by June 30
■ Tech policy groups push back against new cybersecurity rules
■ Postman to bring Aadhaar services to your doorstep
Scoop: UPI market cap rules may be put off; banks tell customers to tokenise cards
The NPCI may postpone the implementation of its contentious rules, which would bar any single UPI app from having a market share of more than 30%, to January 2025, sources told us.
In a recent letter to the Reserve Bank of India, the nodal agency suggested that leading UPI apps be given two more years to bring their market share below 30%, one of the sources said.
Why? “There is no choice but to consider this actively. They (NPCI) are wary of disrupting users and slowing down UPI growth,” said a person aware of the discussions.
PhonePe and Google Pay, which have long dominated UPI, had a market share of 47% and 34% respectively as of April. “New entrants like WhatsApp Pay are yet to make a significant dent in the market in terms,” said a person aware of the discussions.
Meta-owned WhatsApp Pay, which has now been allowed to scale its user base to 100 million consumers, clocked a mere 2.5 million transactions in April, compared to PhonePe’s 2.6 billion.
Pushback: NPCI’s mandate has seen a concerted pushback from many UPI apps, including PhonePe and Google Pay, with the two other major players – Paytm and Amazon Pay – yet to break their dominance.
Sources told us that at least one of the biggest UPI apps has told its key stakeholders that the market cap mandate is unlikely to be implemented in 2022, and that it is therefore not slowing down on plans to expand its user base.
PhonePe cofounder and CEO Sameer Nigam has previously said that capping UPI market share was not a good idea. He told us in September 2021 that he was not worried about cutting back market share. “If I am playing by all the rules of interoperability, there is scant little I can do to reduce market share. I would like to believe that this is now user preference starting to play out based on success rate (of transactions) and acceptance.” Google Pay had also expressed apprehensions about the cap.
Genesis: In November 2020, NPCI first officially announced that it would impose a cap of 30% on transaction volumes clocked by a single player from 2021. Companies would have two years from January 2021 to comply with the cap in phases, it said.
By March 2021, NPCI set out operational guidelines for companies to limit their UPI market share. It said market share would be calculated based on the total number of UPI transactions processed during the preceding three months, on a rolling basis.
Banks start asking customers to tokenise credit cards by June 30
Indian banks and merchants have started asking customers to tokenise their credit and debit cards before the June 30 deadline set by the regulator, according to communication seen by ET.
But several merchants remain worried about the readiness of the ecosystem to handle transaction and tokenisation volumes, and avoid disruptions for consumers.
What is tokenisation? It’s a process by which card details are replaced by a unique code or token, allowing online purchases to go through without exposing sensitive details. As per the Reserve Bank of India’s latest diktat, all merchants must delete customer debit and credit card data on or before June 30 and replace card payments with unique tokens for all online, point-of-sale and in-app transactions.
The RBI in March 2020 had said that payment aggregators and merchants onboarded by them would be prohibited from storing card details of customers to improve data privacy and avoid frauds in online transactions. That was supposed to come into effect from June 2021. After multiple deadline extensions, a new implementation date of June 30 has been set.
State of play: While Indian banks and payment networks such as Visa, Mastercard and RuPay claim to be ready with their tokenisation solutions, large merchants continue to be unsure about the scalability of the payments network for tokenisation and the readiness of the entire ecosystem, as they fear disruptions in the payment experiences of consumers.
So far, large merchants including Uber, Swiggy and MakeMyTrip have gone live, and are allowing customers to tokenise their cards. Flipkart, Amazon, Myntra, Nykaa and GoIbibo among others are in the final stages of integration and expected to start the process of tokenising consumer cards in the coming weeks.
But a MakeMyTrip spokesperson told us, “While we are committed to making the process seamless, we expect challenges with respect to the ecosystem readiness for use cases such as processing of EMIs or card-based offers. This may impact customer experience till all use cases are solved.”
Concerns: The payment industry, including merchants, has been making closed-door representations to the Reserve Bank of India, relaying its concerns about payment use cases such as guest checkouts and recurring payments, including equated monthly instalments, which have still not found implementation in the tokenisation solutions offered at present.
Tech policy groups push back against new cybersecurity rules
Several tech policy groups have hit back against the Indian Computer Emergency Response Team’s (Cert-In) new cybersecurity directives.
VPN rules ‘threaten privacy’: The US India Business Council, the Cybersecurity Coalition, the US Chamber of Commerce, the Bank Policy Institute, the Internet and Mobile Association of India, AccessNow, SFLC.in and others have written to the Ministry of Electronics and Information Technology and Cert-In, saying the new guidelines for VPN providers, such as retaining customer details for five years, would “put people’s privacy at risk”.
“They expand the scope of mass surveillance, contravene globally recognised principles of necessity and proportionality, and data minimisation, and ultimately weaken cybersecurity. They effectively create new cybersecurity vulnerabilities in the form of databases of retained data that can be exploited by malicious actors,” AccessNow said in its June 1 letter to Cert-In.
Six-hour rule ‘undermines response’: The rule that requires entities to report cybersecurity incidents within six hours of becoming aware of them could potentially “undermine incident investigation and response, including the deployment of defensive measures”, software policy group BSA said. It also said the rules lacked clarity on what constitutes a severe or large-scale cyber incident.
Backstory: On April 28, Cert-In came out with a set of guidelines for all companies, intermediaries, data centres and government organisations, which said that any data breach must be reported to the government within six hours of the organisation becoming aware of it.
The new rules also require VPN service providers to store information they gather from customers under know-your-customer (KYC) norms for five years and hand it over to the government when asked to.
Postman to bring Aadhaar services to your doorstep
Apart from delivering your speed-post, the humble postman will soon deliver a key service at your doorstep – Aadhaar.
Driving the news: The Unique Identification Authority of India (UIDAI) is training 48,000 postmen of India Post Payment Bank to go door to door in the remotest parts of the country and link Aadhaar numbers with mobile numbers, update details, and conduct enrolment of children at the doorstep.
In the second part of the plan, all 150,000 postal officers will be covered, a senior government official said.
The training is being provided as a part of UIDAI’s expansion plans aimed at reaching out to more people and enrolling as many citizens as possible, the official told us.
To ensure a smooth rollout of the plan, UIDAI will provide postmen with the necessary digital gear, such as a desktop or laptop-based Aadhaar kit, to update the necessary details of Aadhaar card holders, the official said.
Other Top Stories By Our Reporters
SaaS firms on overseas listing freeze: The government’s decision to freeze a plan to allow Indian startups to tap the overseas markets reflects the lack of a long-term view towards wealth creation, founders of Software as a Service (SaaS) platforms said.
Winzo drags Mobile Premier League to court: Online gaming and entertainment platform Winzo has sued Mobile Premier League (MPL) for alleged copyright infringement related to its online gaming format ‘World War’.
TikTok parent exits VerSe at 56% discount: TikTok owner ByteDance has fully exited VerSe Innovations, the parent entity of local language news aggregator Dailyhunt and short-video app Josh, at a 56% discount, the latest regulatory filings accessed by ET showed.
Instagram launches ‘1 Minute Music’: Instagram has launched a new music property called ‘1 Minute Music,’ which is a set of music tracks and videos, exclusively available on its platform, for use in Reels and Stories. It will include music from 200 artists from across India.
Global Picks We Are Reading
■ Inside the risky world of “Migrant TikTok” (Rest Of World)
■ Elon Musk’s bot problem on Twitter is extraordinary (WSJ)
■ Satellites and AI can help solve big problems — if given the chance (Wired.com)