Recurring Payments in IndiaUPDATE 12/23/2021The RBI has further delayed enforcement of the Card Tokenization regulation from December 31, 2021 to June 30, 2022.Overview
The Reserve Bank of India (RBI) has issued a directive of processing e-mandates for future recurring payment requests with the scope originally covering cards and wallets but most recently Unified Payments Interface (UPI) transactions as well.
The details of the new requirements mean that an Additional Factor of Authentication (AFA) on the registration and first transaction (up to ₹5,000 before the next challenge), as well as a pre-debit notification 24+ hours prior to taking payment against the account. Within that notification, the user should see the amount they will be charged, the frequency of the recurring charge, and have the ability to opt out of that charge or subscription.
Effective Date: September 30, 2021
In addition, India has been pushing more aggressive data localization requirements in regards to 'Payments Data' since 2018 and the RBI continues to modify these requirements.
Effective Date: December 31, 2021
Companies operating in INR may see higher failure rates if they do not meet the RBI's guidelines for new recurring payments come September 30, 2021.
We encourage all customers to speak to their gateway representatives first and foremost for guidance. The gateways will be able to help you understand your risks and the potential impacts to your business, as well as provide guidance on how to implement the necessary measures to mitigate any issues with your recurring payments.
In addition, we also recommend that potentially impacted customers:
INR Recurring Processing
INR One-Time Processing
Non-INR One-Time Processing
Non-INR Recurring Processing
This is currently blocked indefinitely
One-Time Payment - ETA Jan 2022
One-Time Payment - ETA TBD
Chase Paymentech Orbital
Not-Possible per Gateway
To process recurring payments in India, you must present transactions in Indian Rupees (INR). The most common way to do this is to run your transactions through a local, Indian entity. If you do not have one and cannot consider one, you may reach out to your gateway provider to see if they allow presenting transactions in INR and settling in another currency.
NOTE: This is not common and may not be possible with your gateway. If it is possible, it likely comes with heavy fees.
If you cannot present in INR, your only option is to present in a foreign currency and perform a form of one-time payment in which the end user is brought online to make the payment. Zuora will be providing modifications to our existing Hosted Payment Page (HPM) to support the creation of an authorization that needs to be captured separately. We will update our documentation as those changes are released.
If Zuora’s one time payments do not meet your needs, your current Payment Gateway provider is another option. Most gateways should provide a way for payments to be processed through a hosted solution of their own that can then be pushed into Zuora as external payments.
Zuora is currently only reviewing the gateways in the table above due to current volume and uncertainty with the regulations.
Ultimately, Zuora recommends our customers implement one-time payments if they have not already done so. Although this is a disruptive customer experience, it ensures the highest likelihood of collecting payments. Per this, Zuora also recommends customers explore annual subscriptions or multi-month subscriptions plans to mitigate the frequency of users needing to come back on-session.
You can implement either of the following solutions:
A Pay-by-Links solution offered by our gateway partners.
Implement a one-time payment flow using the gateway’s hosted page or checkout solution and add the
Zuora is continuing to evaluate other partners for recurring mandate processing based on their readiness and benefits to our mutual customers. We do not have a committed delivery or ETA at this time.
As mentioned above, the Reserve Bank of India (RBI) has issued a directive aimed at removing the concept of ‘Card-on-File’ for all parties except for issuing banks and card networks when transacting locally in India. This has been in effect for some time, but not enforced. That is changing at the end of this year.
This means that once enforced, Zuora, its payment gateway partners, and our mutual customers are unable to store Indian cardholder data following the enforcement date. The only means of transacting with Indian issued cards will be through a form of tokenization known as scheme or network tokens. These are tokens that are issued directly by the networks themselves instead of by Zuora or its gateway partners.
In addition, there is a directive stating that all local processing must ensure that the data used as part of the transaction process must stay within Indian data centers. Since Zuora is not considered a Payment Aggregator, we are out of scope of this regulation.
Effective date: December 31, 2021
Companies operating locally in India may be fined or banned from operating in India if they do not meet the RBI's guidelines for payment method storage after December 31, 2021.
As we have already stated, we encourage all customers to speak to their gateway representatives for guidance. The gateways will be able to help you understand your risks, their solutions, and the potential impacts to your business, as well as provide guidance on how to implement the necessary measures to mitigate any issues with your payment processing.
As a mitigation strategy, Zuora will continue to recommend implementing some form of a one-time payment flow in which the user is brought back on-session to complete the transaction while the recurring mandates framework’s adoption increases over time and the regulations associated may be amended as well. The gateways’ solutions for one-time payments, either through Pay-By-Links, a one-time checkout flow, or some other means will likely be implemented faster than Zuora as we are currently working on addressing these requirements but do not have firm dates for delivery as of this update.
To better understand how your business may be impacted by this regulation, please refer to the table below.
INR Recurring Processing
YES - token solution provided
Out of scope
Do not store cards or tokens on file
Non-INR, one-time processing - no action is required by Zuora or its customers as these transactions are outside of the scope of the regulations.
INR Local processing - you must ensure that you are not storing card credentials outside of a network token, and a mandate ID if you’re on Stripe v2 processing recurring transactions, after December 31st. In the instances where you are storing card data, you will want to either scrub or delete those payment methods. For customers implementing One-Time Payments flows through Stripe, you have the option to store the token on file or not. For all other customers utilizing One-Time Payments flows, you cannot store cards or tokens on file.
Our Stripe v2 integration supports INR and non-INR processing with its support of One-Time Payments as well as mandate creation for recurring payments. As part of this integration, we have worked in partnership with Stripe to ensure that the data stored in Zuora’s Payment Method and Payment Method Snapshot objects will be limited to the below fields to meet compliance:
For our Cybersource v2, Adyen v2, Chase Paymentech Orbital, and Braintree integrations, Zuora will only support the generation of a One-Time Payment without the ability to generate and store a network token as storing tokens on file is not a requirement for this type of transaction.
If you are transacting in non-INR on a gateway that is not listed above, you must implement a one-time payment strategy using your gateway’s existing tools and push those transactions into Zuora as external payments to reconcile the balances.