As per the RBI mandate, starting 1st January 2022, the actual card number, CVV, expiry date and any
other sensitive information related to cards cannot be stored by merchants or payment
aggregators/gateways for processing online transactions.
What is tokenisation?
Tokenisation refers to replacement of actual or clear card number with an alternate code called the
“Token.” This shall be unique for a combination of card, token requestor (i.e. the entity which accepts
request from the customer for tokenisation of a card and passes it on to the card network to issue a
corresponding token) and the merchant (token requestor and merchant may or may not be the same
entity).
What is de-tokenisation?
Conversion of the token back to actual card details is known as de-tokenisation.
Who can perform tokenisation and de-tokenisation?
Tokenisation and de-tokenisation can be performed only by the authorised Card Networks like
Visa/Mastercard/American Express/Rupay and Card Issuing Banks.
What are the charges that the customer needs to pay for availing this service?
The customer need not pay any charges for availing this service.
Who are the parties / stakeholders in a tokenisation transaction?
Normally, in a tokenised card transaction, parties / stakeholders involved are merchant, the
merchant’s acquirer, card payment network, token requestor, issuer and customer. However, an
entity, other than those indicated, may also participate in the transaction.
Are the customer card details safe after tokenisation?
Actual card data, token and other relevant details are stored in a secure mode by the authorised
card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or
any other card detail. Card networks are also mandated to get the token requestor certified for safety
and security that conform to international best practices / globally accepted standards.
How does the process of registration for a tokenisation request work?
The registration for a tokenisation request is done only with explicit customer consent through
Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection
of check box, radio button, etc.
Where will these Tokens get used?
Once created, the Tokenised card details will be used in place of an actual card number for future
online purchases initiated or instructed by the card holder.
What is the benefit of tokenisation?
A tokenised card transaction is considered safer as the actual card details are not shared / stored
with the merchants to perform the transaction.
How can tokenisation be carried out?
Step 1 – The card holder can get the card tokenised by initiating a request on the website/app
provided by the token requestor and any such similar facility provided by the merchant.
Step 2 – The token requestor / merchant will forward the request directly to the Bank which issued
the applicable credit card or to Visa / Mastercard / American Express, with the consent of the card
issuing Bank.
Step 3 – The party receiving the request from the token requestor will issue a token corresponding to
the combination of the card, the token requestor, and the merchant.
Is the Tokenisation guideline applicable for both Credit and Debit cards?
Yes. Starting 1st Jan 2022, both Debit and Credit cards must be Tokenised.
Can the customer select which card is to be used in case he / she has more than one card
tokenised?
For performing any transaction, the customer shall be free to use any of the cards registered with the
token requestor app/merchant.
How can I manage my tokenised cards?
Bank will provide a portal to the card holders to view and manage the tokenised cards. Card holders
can view / delete tokens for the respective cards through this portal. Customers can also call the
Phone Banking service to place a request to manage tokenised cards.
Will tokenisation have any impact on the POS transactions that the card holder does at
merchant outlets?
No. Tokenisation is only required for conducting online transactions.
Is tokenisation of card mandatory for a customer?
No, a customer can choose whether to have his / her card tokenised. If not tokenised, starting 1st Jan
2022, the card holder must enter the full card number, CVV and expiry date every time to complete
their online transactions.
Once tokenised, how will the customer see the card details on the merchant page?
The customer will see the last four digits of the card on the merchant page.
What will happen to the token once the customer’s card gets replaced, renewed, reissued, or
upgraded?
The customer should again visit the merchant page and create a fresh token.
Will the card tokenisation need to be done at every merchant?
A token must be unique to the card at a specific merchant. If the customer intends to have a card on
file at different merchants, then tokens must be created at all the merchants.
If the card holder has three different cards, is the card holder expected to create 3
different tokens at the same merchant?
As mentioned earlier, a token must be unique for a combination of card and merchant.
Whom shall the customer contact in case of any issues with his / her tokenised card?
All complaints should be made to the card issuers.
Can a card issuer refuse tokenisation of a particular card?
Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be
registered by a token requestor/merchant.
Where can more information on RBI instructions on tokenisation be found?
The circular issued by RBI on tokenisation is available on the RBI website at the path
https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11449&fn=9&Mode=0
Disclaimer
These FAQs are issued by the Bank for information and general guidance purposes only. The Bank
will not be held responsible for actions taken and / or decisions made on the basis of the same. For
clarifications or interpretations, if any, one may be guided by the relevant circulars and notifications
issued from time to time by the Reserve Bank of India.