Community News

Recurring Payments in India

  • 1.  Recurring Payments in India

    Posted 08-11-2021 12:52
    Edited by Lana Lee 13 days ago

    Recurring Payments in India

    Overview

    The Reserve Bank of India (RBI) has issued a directive of processing e-mandates for future recurring payment requests with the scope originally covering cards and wallets but most recently Unified Payments Interface (UPI) transactions as well.


    The details of the new requirements mean that an Additional Factor of Authentication (AFA) on the registration and first transaction (up to ₹5,000 before the next challenge), as well as a pre-debit notification 24+ hours prior to taking payment against the account. Within that notification, the user should see the amount they will be charged, the frequency of the recurring charge, and have the ability to opt out of that charge or subscription. 


    Effective Date: September 30, 2021


    In addition, India has been pushing more aggressive data localization requirements in regards to 'Payments Data' since 2018 and the RBI continues to modify these requirements. 


    Effective Date: December 31, 2021

    Impact of non-compliance

    Companies operating in INR may see higher failure rates if they do not meet the RBI's guidelines for new recurring payments come September 30, 2021.

    What to do

    We encourage all customers to speak to their gateway representatives first and foremost for guidance. The gateways will be able to help you understand your risks and the potential impacts to your business, as well as provide guidance on how to implement the necessary measures to mitigate any issues with your recurring payments.


    In addition, we also recommend that potentially impacted customers:


    • [Recurring Mandate] Ensure that users registering a new card and/or making a first payment on a subscription are able to be challenged with a form of AFA like 3DS.
    • [Recurring Mandate] Configure notifications to your consumers 24+ hours prior to their next payment that provide them information about the upcoming charge including an easily accessed option to opt out of that charge.
    • [Data Storage] If applicable with the gateway's feedback, migrate any new and existing Indian card payment methods to a tokenized form. If your gateway does not support tokenization, you may want to consider one that does. There is no form of grandfathering for existing cards on file for this directive so all existing payment methods must be tokenized with the gateway if they do not provide an alternative. 

    Who are we supporting in India?


    Gateway 

    INR Recurring Processing

    INR One-Time Processing

    Non-INR One-Time Processing

    Non-INR Recurring Processing

    Stripe v2

    YES

    YES

    YES

    This is currently blocked indefinitely

    Cybersource v2

    NO

    One-Time Payment - ETA Jan 2022

    One-Time Payment - ETA Jan 2022

    This is currently blocked indefinitely

    Adyen v2

    NO

    One-Time Payment - ETA TBD

    One-Time Payment - ETA TBD

    This is currently blocked indefinitely

    Chase Paymentech Orbital

    NO

    One-Time Payment - ETA TBD

    One-Time Payment - ETA TBD

    This is currently blocked indefinitely

    Braintree

    Not-Possible per Gateway

    Not-Possible per Gateway

    One-Time Payment - ETA Jan 2022

    This is currently blocked indefinitely


    To process recurring payments in India, you must present transactions in Indian Rupees (INR). The most common way to do this is to run your transactions through a local, Indian entity. If you do not have one and cannot consider one, you may reach out to your gateway provider to see if they allow presenting transactions in INR and settling in another currency. 


    NOTE: This is not common and may not be possible with your gateway. If it is possible, it likely comes with heavy fees.


    If you cannot present in INR, your only option is to present in a foreign currency and perform a form of one-time payment in which the end user is brought online to make the payment. Zuora will be providing modifications to our existing Hosted Payment Page (HPM) to support the creation of an authorization that needs to be captured separately. We will update our documentation as those changes are released.


    If Zuora’s one time payments do not meet your needs, your current Payment Gateway provider is another option. Most gateways should provide a way for payments to be processed through a hosted solution of their own that can then be pushed into Zuora as external payments. 


    Zuora is currently only reviewing the gateways in the table above due to current volume and uncertainty with the regulations. 


    Ultimately, Zuora recommends our customers implement one-time payments if they have not already done so. Although this is a disruptive customer experience, it ensures the highest likelihood of collecting payments. Per this, Zuora also recommends customers explore annual subscriptions or multi-month subscriptions plans to mitigate the frequency of users needing to come back on-session. 


    What if my gateway’s not listed?


    You can implement either of the following solutions:


    A Pay-by-Links solution offered by our gateway partners.

    Implement a one-time payment flow using the gateway’s hosted page or checkout solution and add the 

    What is Zuora’s longer term strategy?

    Zuora is continuing to evaluate other partners for recurring mandate processing based on their readiness and benefits to our mutual customers. We do not have a committed delivery or ETA at this time.

    Processing payments after December 31, 2021 (Data Localization & Tokenization)

    Overview

    As mentioned above, the Reserve Bank of India (RBI) has issued a directive aimed at removing the concept of ‘Card-on-File’ for all parties except for issuing banks and card networks when transacting locally in India. This has been in effect for some time, but not enforced. That is changing at the end of this year. 

    This means that once enforced, Zuora, its payment gateway partners, and our mutual customers are unable to store Indian cardholder data following the enforcement date. The only means of transacting with Indian issued cards will be through a form of tokenization known as scheme or network tokens. These are tokens that are issued directly by the networks themselves instead of by Zuora or its gateway partners.


    In addition, there is a directive stating that all local processing must ensure that the data used as part of the transaction process must stay within Indian data centers. Since Zuora is not considered a Payment Aggregator, we are out of scope of this regulation. 


    Effective date: December 31, 2021

    Impact of non-compliance

    Companies operating locally in India may be fined or banned from operating in India if they do not meet the RBI's guidelines for payment method storage after December 31, 2021.

    What to do

    As we have already stated, we encourage all customers to speak to their gateway representatives for guidance. The gateways will be able to help you understand your risks, their solutions, and the potential impacts to your business, as well as provide guidance on how to implement the necessary measures to mitigate any issues with your payment processing. 


    As a mitigation strategy, Zuora will continue to recommend implementing some form of a one-time payment flow in which the user is brought back on-session to complete the transaction while the recurring mandates framework’s adoption increases over time and the regulations associated may be amended as well. The gateways’ solutions for one-time payments, either through Pay-By-Links, a one-time checkout flow, or some other means will likely be implemented faster than Zuora as we are currently working on addressing these requirements but do not have firm dates for delivery as of this update.

    To better understand how your business may be impacted by this regulation, please refer to the table below.

    Gateway 

    INR Recurring Processing 

    INR One-Time Processing

    Non-INR One-Time Processing

    Non-INR Recurring Processing

    Stripe v2

    YES - token solution provided

    YES - token solution provided

    Out of scope

    This is currently blocked indefinitely

    Cybersource v2

    NO

    Do not store cards or tokens on file

    Out of scope

    This is currently blocked indefinitely

    Adyen v2

    NO

    Do not store cards or tokens on file

    Out of scope

    This is currently blocked indefinitely

    Chase Paymentech Orbital

    NO

    Do not store cards or tokens on file

    Out of scope

    This is currently blocked indefinitely

    Braintree

    Not-Possible per Gateway

    Not-Possible per Gateway

    Out of scope

    This is currently blocked indefinitely


    Non-INR, one-time processing - no action is required by Zuora or its customers as these transactions are outside of the scope of the regulations.

    INR Local processing - you must ensure that you are not storing card credentials outside of a network token, and a mandate ID if you’re on Stripe v2 processing recurring transactions, after December 31st. In the instances where you are storing card data, you will want to either scrub or delete those payment methods. For customers implementing One-Time Payments flows through Stripe, you have the option to store the token on file or not. For all other customers utilizing One-Time Payments flows, you cannot store cards or tokens on file. 

    What Zuora is doing

    Network Tokenization

    Our Stripe v2 integration supports INR and non-INR processing with its support of One-Time Payments as well as mandate creation for recurring payments. As part of this integration, we have worked in partnership with Stripe to ensure that the data stored in Zuora’s Payment Method and Payment Method Snapshot objects will be limited to the below fields to meet compliance:

    • Customer ID (representative of a network token)
    • Mandate ID
    • Mandate Status
    • Mandate Reason

    For our Cybersource v2, Adyen v2, Chase Paymentech Orbital, and Braintree integrations, Zuora will only support the generation of a One-Time Payment without the ability to generate and store a network token as storing tokens on file is not a requirement for this type of transaction.

    If you are transacting in non-INR on a gateway that is not listed above, you must implement a one-time payment strategy using your gateway’s existing tools and push those transactions into Zuora as external payments to reconcile the balances.


    ------------------------------
    Yash Mahajani
    Zuora
    ------------------------------