BW Businessworld

RBI Allows Tokenisation Of Cards To Prevent Financial Frauds

Merchants will not be allowed to store customers’ card details from January 1, 2022. Instead, a token requestor will provide customers with a ‘token’ for making online payments.


With online shopping and payments booming, concerns about data security have also been rising. To prevent the misuse of bank account holders’ details, the RBI has allowed tokenisation of cards. The latest circular posted on the RBI’s website said, “With effect from January 1, 2022, no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data. Any such data stored previously shall be purged.”

This will bar merchant sites, like Amazon and Flipkart, and Point-of-Sale machines from storing the user’s card details.

What is 'tokenisation'?

Tokenisation is a process in which the card details are encrypted into an alternative code or a ‘token’. This ‘token’ is then used by the merchant and the customer to complete the payment. The user need not save their full card details with the merchant. It prevents merchants from accessing sensitive data and gives customers security against possible fraud.

According to the RBI, the token will be a combination of the card number, token requestor code and device code. A token requestor is a company that issues the ‘token’ at the request of the customer. The RBI has also directed the card issuers like VISA and Mastercard to play the role of Token Service Providers (TSPs). It further stated, “The ability to tokenise and de-tokenise card data shall be with the same TSP.”

What will be the new process of making payments?

The customer will initiate the request to get the token on an app provided by the token requestor. The token requestor will forward the request to the TSP, which will issue the ‘token’ in compliance with all the applicable rules.

The token will then be used to proceed with the payment. The same token will also be used when making payments via UPI. A ‘token’, once issued, will remain linked to the customer’s device.

The true identity of the customer will remain protected behind the codified ‘token’.

The RBI has further announced the tokenisation of Card-on-File (CoF) transactions as well. CoF transactions allow merchants to store the sensitive data for further use. It is mainly the hospitality and e-commerce sectors that store customers’ card details. This is now done away with.

What is allowed to be stored?

The RBI has, however, allowed card networks to store limited data for ‘Transaction tracking and/or reconciliation purposes’. According to the circular, “entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards”.

The token requestor, which will provide the user with the token, has not been allowed to store any customer data from January 1, 2022. Also, it is up to the customer to get his/her card tokenised. Tokenisation has not been made mandatory.
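
The flow described above can be sketched in a few lines of Python. This is an added illustration, not code from the RBI circular or from any card network: the class and function names, the `tok_` format, the requestor and device codes and the test card number are all assumptions. It shows a token bound to one card, requestor and device, de-tokenisation possible only at the TSP that issued it, and a merchant record limited to the token, last four digits and issuer name.

```python
import secrets

class TokenServiceProvider:
    """Toy TSP (hypothetical): the only party holding the card-to-token mapping."""
    def __init__(self):
        self._vault = {}   # token -> (card number, requestor code, device code)
        self._issued = {}  # (card number, requestor code, device code) -> token

    def tokenise(self, pan, requestor_id, device_id):
        key = (pan, requestor_id, device_id)
        if key not in self._issued:
            # Random value, so the token itself carries no recoverable card data.
            token = "tok_" + secrets.token_hex(8)
            self._issued[key] = token
            self._vault[token] = key
        return self._issued[key]

    def detokenise(self, token, requestor_id, device_id):
        # Only the issuing TSP has the vault, and the binding must match.
        bound = self._vault.get(token)
        if bound is None or bound[1:] != (requestor_id, device_id):
            raise PermissionError("token unknown or bound to another requestor/device")
        return bound[0]

def merchant_record(token, last4, issuer_name):
    """The limited data a merchant keeps instead of the card number."""
    return {"token": token, "last4": last4, "issuer": issuer_name}

def contains_pan(record, pan):
    """Audit check: does any stored field hold the full card number?"""
    return any(pan in str(value) for value in record.values())

def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test number, not a real card
    t_phone = tsp.tokenise(pan, "REQ-A", "phone-1")
    t_laptop = tsp.tokenise(pan, "REQ-A", "laptop-1")  # same card, new device
    record = merchant_record(t_phone, pan[-4:], "Example Bank")
    try:
        tsp.detokenise(t_phone, "REQ-A", "laptop-1")  # token used from wrong device
        wrong_device_blocked = False
    except PermissionError:
        wrong_device_blocked = True
    return t_phone, t_laptop, record, wrong_device_blocked

if __name__ == "__main__":
    print(demo())
```
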

The new step is expected to protect the user data and prevent data leaks from merchants. The rising cases of misuse of stolen card data are expected to go down once tokenisation is implemented.
