Card Tokenisation: Plugging Personal Information Leaks

Plastic money still captures a large portion of the market share despite the growing use of the Unified Payment Interface (UPI).  Recent data released by the Reserve Bank of India (RBI) indicates that there has been an increase of 16.3% year after year in the usage of debit and credit cards by Indian consumers in the last decade.

Nevertheless, this decade marked a shift to digital technology, augmented by governmental decisions and policies such as demonetisation, the introduction of UPI, and Digital India program, etc. that enabled Indian consumers to make a smooth shift to online payment solutions. The pandemic has also played a big role in this revolution. With face-to-face interaction minimized, the focus on digital products and payments skyrocketed.

Digital transactions are now considered the most sought-after payment mechanism in comparison to hard cash or currency for availing services and goods. As the number of transactions made through a mobile application or platform increases, customers usually prefer to save their card information on the merchant’s site or platform. Information saved on these sites and platforms is critical financial data of consumers and is considered sensitive personal data. The risk of misuse of such sensitive financial data by hackers or fraudsters looms over every individual, and cases of such misuse have garnered the attention of the authorities.

The RBI, through its notification dated 17th March 2020 had made it mandatory for payment aggregators to disable the storage of customer card credentials within the database or server of the company. Though a fixed date for implementation of this rule was not decided, RBI later issued notifications directing merchants to comply with this recommendation of not storing card data by 31st December 2021. Since then, the RBI has been extending the timeline for implementing tokenisation and as of today, the RBI has instructed all parties to delete the card information before 1st October 2022.

Card tokenisation is a process by which sensitive data of the cardholder is removed from the sites/platforms and replaced with randomly generated numbers and letters from the company’s internal network called tokens.


The groundwork for regulating this space of online payment and ensuring the safety of cardholders has been in line for a couple of years. As India is yet to formulate a dedicated data protection bill, the safety of a cardholder’s sensitive personal data stored on the merchant’s website was one of the major concerns of cardholders as well as the regulators. Moreover, the increase in data theft and leakage of debit and credit card details of cardholders did not really help in containing the concerns of the stakeholders.

In January 2019, the RBI released a notification whereby it permitted card networks to tokenise. This choice of tokenisation was made optional for the customers, and the permission was extended to all use cases like QR code-based payments, NFC, etc. However, such services could only be offered through mobile phones and tablets, and no other devices were permitted to offer such a facility at that time.

RBI later released the guidelines on the Regulation of Payment Aggregators and Payment Gateways, which made it mandatory for a payment gateway to not store customer card credentials within the database or on the server accessed by the merchant, with effect from 30th June 2021. This move reiterated the importance of safeguarding customer card details and the focus once again shifted to the introduction of a tokenisation scheme. Though the guidelines did not mention specifically tokenisation, they did find mention in the subsequent notification released by the RBI on Payment Aggregators and Payment Gateways on March 31, 2021. The guidelines called upon payment system providers to put in place workable solutions such as tokenisation to safeguard the interests of the cardholder.  In order to eliminate any ambiguity in the definition of ‘payment aggregators’ as defined in the Payment Aggregators Guidelines, the RBI explicitly stated that the Payment Aggregators Guidelines applied to e-commerce marketplaces that engaged in direct payment aggregation, and to that extent, e-commerce online markets that used the services of a payment aggregator were to be regarded as merchants.

The RBI further released a notification in August 2021 amending the 2019 notification by extending the scope of permitted devices that could use tokenisation. The present framework for tokenisation was extended to include consumer devices such as laptops, IOT devices, wearable devices, etc. A subsequent notification issued in September 2021 further allowed card-on files tokenisation. This notification permitted card issuers to offer the services of tokenisation as Token Service Providers (TSPs). The TSPs were permitted to tokenise only those cards that were affiliated with or issued by them. The notification also emphasised that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data from 1st January 2022. Entities were only allowed to store limited data, like the last four digits of the actual card number and the card issuer’s name, for compliance and tracking purposes.

The earlier notification of removing all card details of customers with effect from 30th June 2021 was again extended to 31st December 2021 in view of the huge compliance hassle. This was again extended until 30th June 2022 and finally, the government set the latest deadline on 1st October 2022.

Functioning of Tokens

An e-commerce website, mobile application, or any merchant site for that matter, offers different payment methods to its consumers, which may range from cash to debit/credit card payment to UPI. When it comes to the authentication of the debit or credit card used by the consumer, the entire responsibility for authenticating the same vests is with the Payment Gateway service provider. The e-commerce platform or websites merely act as an intermediary to facilitate the trade and it is the responsibility of the Payment Gateway service provider to provide the technology to these platforms and websites that authenticates the card details. This process of authentication done by the Payment Gateway service provider is known as 2FA i.e., two-factor authentication. The process of authentication involves the registered bank of the customer sending a Time Password (OTP) to the registered phone number of the consumer to close the transaction. The OTP is the key that helps authenticate that the customer is the rightful owner of the card. Upon entering the correct OTP, the Payment Gateway service provider authenticates it and completes the transaction.

In general, a merchant website or an online portal is only allowed to store details like the cardholder’s name, the 16-digit number on the front of the card, the expiration date of the card and the service code, which is located within the magnetic stripe of the card. On the other hand, these portals and sites are strictly prohibited from storing information such as full magnetic stripe information, PIN, PIN Block and CVV/CVC number of the card.

After the guidelines kicked in on October 1, all the card details of individuals stored on the merchant’s website were automatically erased. All information concerning the cardholder, like the expiry date, PAN, etc., is replaced by the token. This token is a one-time alphanumeric number that has no connection with the cardholder’s account. Unlike the previous system, these tokens so generated do not contain any sensitive personal data of the cardholder.

An individual can tokenise his/her card in the following ways:

  1. The individual will have to visit the preferred merchant’s website for the purchase of any goods or services.
  2. The website will then direct the individual to the preferred payment option, and the individual will be able to enter his/her card details and initiate the transaction.
  3. The website will also contain another option called “secure your card as per RBI guidelines,” which basically generates tokens for the card.
  4. As soon as the individual opts for that option, a One-time Password (OTP) will be generated and sent via SMS or email to the individual.
  5. With the OTP being entered, card details are sent to the bank for tokenisation, which is then sent back to the merchant for storing the same for the purpose of customer identification.

The token so generated from one merchant website will not be applicable to every other merchant website. The cardholder will have to create separate tokens for each merchant website, and the use of the same token will not help in initiating the transaction.

Benefits of Tokenisation

Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

Tokenisation helps reduce data theft and leaks, as the tokens are in no way connected to an individual’s personal information. Moreover, the process of replacing sensitive personal information with tokens helps build trust and confidence among consumers.

Effects of these Regulations on the Industry

The RBI is striving to organize payment aggregators by bringing non-banking payment aggregators under its regulation. The RBI’s main goal in introducing these guidelines is to reduce fraud and protect customers’ interests. Placing the burden on payment aggregators to ensure that merchants are genuine and have no malicious intent will go a long way towards removing dishonest merchants from the market and safeguarding customers’ interests.

Payment Aggregators are instructed to credit reimbursements to the primary payment source rather than the e-wallet account. Previously, refunds were credited to an e-wallet, posing a challenge for consumers to utilize the monies somewhere else.

Although the RBI has reduced the required net worth from INR 100 crores to INR 25 crores, it will not be sufficient for small-sized entities (including start-ups) seeking to enter the industry. Many existing players will be forced to exit the market if they fail to meet the net worth requirements. Moreover, small businesses operating as payment aggregators would find it difficult to implement the required baseline technology suggestions owing to the high implementation costs. This will result in the removal of market competition, leading to an oligopoly, which would harm merchants’ interests in the long term.

It can be stated that these guidelines represent an important advancement in the Indian fintech industry and assure that customers’ overall interests are secured.


With the current atmosphere where there is intense scrutiny over an individual’s personal information, the scheme of tokenisation is a breath of relief for a lot of privacy enthusiasts and the public in general.

Image Credits: Photo by

Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.