RBI is implementing Card Tokenisation norms which will come into effect from 1st October, 2022. These new rules will change the way debit and credit card details are stored by online merchants.



  • Payment aggregators are finally prepared for the October 1 rollout of RBI’s card-tokenisation norms.
  • The deadline for implementation of tokenisation, which aims to upgrade data security, was extended for the third time in June, 2022 as the payments industry had asked for more time to avoid disruptions.
  • The extension from the RBI has also allowed for more awareness among customers.
  • For tokenisation, companies have to tie up with payment service providers and set up systems to charge customers’ cards without having to store the information on their servers.
    • Razorpay, PhonePe, Worldline provide the bridge for these services between banks and merchants.
  • From October 1, spends on platforms like e-commerce, food delivery and streaming services will be processed through tokenisation as against the ‘card on-file’ system, where merchants stored details like card number and expiry date on their servers.


What is tokenisation?

  • It refers to the replacement of card details with an alternative code called a ‘token’, which is unique for a combination of card, token requestor (the entity that accepts a request from the customer for tokenisation of a card and passes it on to the card network to issue a token) and the device.
  • It reduces the chances of fraud arising from sharing card details. The token is used to perform contactless card transactions at point-of-sale (PoS) terminals and QR code payments.


How does tokenisation work?

  • The cardholder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.
  • The tokens are generated by companies like Visa and MasterCard, which act like Token Service Providers (TSPs), and they provide the tokens to mobile payment or e-commerce platforms so that they can be used during transactions instead of the customer’s credit card details.


What happens after tokenisation?

  • According to the RBI, for transaction tracking and reconciliation, entities can store limited data (the last four digits of the actual card number and the card issuer’s name) in compliance with applicable standards.
  • Actual card data, token and other relevant details are stored in a secure mode by authorised card networks. The token requestor cannot store the card number, or any other card detail.
  • Card networks are also mandated to get the token requestor certified for security conforming to international best practices / globally accepted standards.
  • A customer can choose whether or not to have his or her card tokenised. Besides, the card issuer should also give the cardholder the facility to view the list of merchants for whom he or she has opted for card-on-file (CoF) transactions, and to de-register any such token.
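
The flow described under "How does tokenisation work?" and "What happens after tokenisation?", as an added sketch that is not code from the RBI, a card network or any payment provider. The class and function names, the token format and the sample card number are all constructed for illustration, and keeping the token alongside the last four digits is an assumption about what the requestor holds.

```python
import secrets

class TokenVault:
    """Toy model of a card network acting as Token Service Provider (TSP)."""

    def __init__(self):
        self._by_binding = {}  # (card number, requestor, device) -> token
        self._by_token = {}    # token -> (card number, requestor, device)

    def issue(self, pan, requestor, device, issuer_consent):
        """Issue one token per (card, token requestor, device) combination."""
        if not issuer_consent:
            raise PermissionError("card issuer did not consent")
        binding = (pan, requestor, device)
        if binding not in self._by_binding:
            token = secrets.token_hex(8)  # random, so not derivable from the card number
            while token in self._by_token:
                token = secrets.token_hex(8)
            self._by_binding[binding] = token
            self._by_token[token] = binding
        return self._by_binding[binding]

    def resolve(self, token, requestor, device):
        """Map a token back to the card, only for the binding it was issued to."""
        binding = self._by_token.get(token)
        if binding is None or binding[1:] != (requestor, device):
            raise PermissionError("token unknown or presented outside its binding")
        return binding[0]

    def deregister(self, token):
        """Cardholder-initiated removal: the token stops resolving."""
        binding = self._by_token.pop(token, None)
        if binding is not None:
            del self._by_binding[binding]

def requestor_record(token, pan, issuer_name):
    """Data kept on the requestor side: no card number, only last four digits and issuer name."""
    return {"token": token, "last4": pan[-4:], "issuer": issuer_name}

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    token = vault.issue(pan, "shop-app", "phone-1", issuer_consent=True)
    print(requestor_record(token, pan, "Example Bank"))
    try:
        vault.resolve(token, "other-app", "phone-1")  # token copied to another requestor
    except PermissionError as err:
        print("rejected:", err)
```

A token copied out of one requestor's database does not resolve when presented by a different requestor or device, which is the fraud-reduction property the binding provides.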