Reserve Bank of India’s New Card Tokenization Rules

Reserve Bank of India’s New Card Tokenization Rules

When scammers obtain access to another person’s payment information, bad things occur. Credit card numbers can be hidden by being transformed into arbitrary codes that are ineffective when used outside of their original context.

Tokenization is a procedure that has become necessary for Indian businesses who want to be able to store the payment information of their clients as a result of new regulations established by the Reserve Bank of India. What are the new RBI card tokenization regulations, and how can Indian retailers make sure they are following them?

Also Read:- How To Make An International Money Transfer

Due to their simplicity and convenience, credit cards are great for online shopping. The merchant can complete a transaction as long as the customer can supply a card number and a few other pieces of information.

The problem is that because the process is so straightforward, scammers can easily take advantage of it. Fraudsters can obtain payment credentials from other cybercriminals on the dark web, hack into merchant systems, or spy on network data.

Real credit card numbers can be protected from fraudsters with the help of tokenization, which has shown to be a very effective technique.

The EMV chip, which tokenized credit card numbers before they are transferred to the payment terminal, has considerably decreased fraud in card-present scenarios. Instead of delivering actual payment credentials to websites and contactless terminals, digital wallets like Apple Pay employ tokenization. Tokenization is being utilized more frequently online to protect checkout procedures and client data that is kept.

When it comes to credit card data handling, the Reserve Bank of India has made tokenization necessary for merchants, acquiring banks, payment aggregators, gateways, and other service providers. Merchants must stop holding any client payment credentials that have not been tokenized once this rule takes effect.

Which Rules Apply to the New RBI Card Tokenization?

As of October 1, 2022, only issuing banks and card networks are permitted to hold the payment credentials for credit cards that are handled by RBI-licensed payment service providers and issued by Indian banks. Raw card numbers cannot longer be stored by merchants.

Recently, the RBI issued a variety of new credit card regulations, including new requirements for subscription-based recurring payments. Only businesses based in India are subject to these regulations. International retailers who do not use Indian payment processors are exempt from these requirements.

The Guidelines Outline The Tokenization Process:

  1. The credit card, the retailer, and the entity seeking the token should all be included in the token’s scope (such as a payment processor).
  2. The client must expressly consent and authenticate using multiple factors before card data is subjected to tokenization.
  3. Wherever the merchant or payment processor is storing the tokenized card information, the consumer should have the choice to erase it at any time.
  4. Only the issuing bank, card network, and the final four digits of each tokenized card should be visible to the merchant.

Token storage is permitted for merchants, but only if they are PCI DSS compliant. For merchants who haven’t yet satisfied this condition, merchant service providers could be able to hold tokens on their behalf.

The deadline for purchasing banks has been extended, and they can now keep card information on file until January 2023. The customer does not need to register for an account on the merchant’s website in order to make a purchase using the guest checkout option. Merchants and their payment service providers may keep card information on file for up to four days or until the transaction settles, whichever comes first, to enable settlement and post-transaction operations.

Why are card tokens so secure, exactly?

Cards that have been tokenized can only be used by a certain customer and retailer. The token cannot be used to start a transaction if the circumstances under which it was requested change in any way.

When a fraudster obtains a standard credit card number from, say, an unsecured WiFi network, they can attempt to use it anywhere, and businesses with lax fraud prevention measures will accept it. The tokenized card data is useless to fraudsters once they have it.

The token itself is essentially a random string of letters and numbers, so no customer-facing checkout system will recognise it as acceptable payment information—aside from the fact that it cannot be used with another merchant.

Do retailers need to accept card tokenization?

This isn’t really a question for merchants in India because failure to comply could result in penalties including limitations on your ability to conduct business.

Tokenization may not be required, but it may be an alternative in other areas. As a fraud prevention measure, it should be seriously considered by retailers, especially if it can be put into place affordably and with little impact on the consumer experience.

There are three different chargeback classifications, and many companies find that the most difficult to handle is real fraud.

Tokenization functions something like a vaccine that provides merchants with some form of herd immunity. It won’t stop fraudsters from approaching you with credentials they stole from somewhere else, but if enough merchants use countermeasures like tokenization, it makes things much more difficult for fraudsters in general.


Governments and regulatory bodies from all around the world are taking action to safeguard consumer data and lessen the risk of fraud. It might be challenging for retailers to stay on top of new regulations and adhere to them on schedule, but it’s crucial to do so. These regulations are frequently truly successful at lowering fraud and assisting merchants, aside from the fact that disobeying them might result in expensive penalties.


Leave a Reply

Your email address will not be published. Required fields are marked *

Show Buttons
Hide Buttons
error: Content is protected !!