Skip to main content

What is tokenisation of card transactions?

Reserve Bank of India (RBI) has issued guidelines on tokenisation of card transactions. 

What is tokenisation?

Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall be unique for a combination of card, token requestor and device.

What is de-tokenisation?

Conversion of the token back to actual card details is known as de-tokenisation.

What is the benefit of tokenisation?

As the actual card details are not shared with the merchant during a transaction, it is expected to make card transactions more safe, secure and convenient for the users. 

Which devices or use cases are covered for tokenisation?

Authorised card payment networks are allowed to offer card tokenisation services to any token requestor (i.e., third party app provider), through mobile phones, tablets, laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc. for all use cases / channels (e.g., contactless card transactions, payments through QR codes, apps etc.)

What are the conditions for offering tokenisation facility?

  • Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA). It shall not be mandatory for the customers to tokenise their cards.
  • Customers shall have option to register / de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
  • Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions.
  • A customer shall have option to request for tokenisation of any number of cards. For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
  • Customers shall be given option to tokenise their cards on any number of devices.
  • No charges should be recovered from the customer for availing tokenisation service.
  • All extant instructions of Reserve Bank of India (RBI) on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry shall be applicable for tokenised card transactions as well.
  • Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system audit at frequent intervals, of all entities involved in providing card tokenisation services to customers. This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In).

What is the deadline for tokenisation of cards?

  • With effect from October 01, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
  • For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.

How to get card tokenised?

The card holder can get the card tokenised by initiating a request on the app provided by the token requestor. The token requestor will forward the request to the card network which, with the consent of the card issuer, will issue a token corresponding to the combination of the card, the token requestor, and the device.

(Updated on January 06, 2024)

The tokenisation facility will also be offered directly through card issuing banks / institutions enabling cardholders to tokenise their cards for multiple merchant sites through a single process. 

  • Generation of CoF Tokens for a card, through the card issuer, can be enabled through mobile banking and internet banking channels.
  • CoFT generation shall be done only on explicit customer consent, and with AFA validation. If the cardholder selects multiple merchants for which to tokenise his / her card, AFA validation may be combined for all these merchants.
  • The tokens thus generated shall be made available on the merchant’s payment page, in the cardholder’s account with the merchant.
  • The cardholder may tokenise the card either on receipt of the new card or later.
  • The card issuer shall provide a complete list of merchants for whom it can provide tokenisation services and the cardholder can make his selection from the list.
  • The card token may be so issued either by the card network or the issuer or both.

Whom to approach in case of issues with tokenisation?

In case of any issues with regard to the tokenisation or loss of device, it shall be reported to / raised with the card issuer.


References

Reserve Bank of India. (2019, January 08). 'Tokenisation – Card transactions. Retrieved from https://rbi.org.in/Scripts/NotificationUser.aspx?Id=11449&Mode=0

Reserve Bank of India. (2021, August 25). 'Tokenisation – Card Transactions : Extending the Scope of Permitted Devices'. Retrieved from https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12152&Mode=0

Reserve Bank of India. (2021, September 07). 'Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12159&Mode=0

Reserve Bank of India. (2022, September 26). 'FAQ-Device based Tokenisation – Card Transactions'. Retrieved from https://rbi.org.in/Scripts/FAQView.aspx?Id=129

Reserve Bank of India. (2022, July 28). 'Restriction on Storage of Actual Card Data [i.e. Card-on-File (CoF)]'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12363&Mode=0

Reserve Bank of India. (2023, December 20). 'Card-on-File Tokenisation (CoFT) – Enabling Tokenisation through Card Issuing Banks'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12573&Mode=0


Follow at - Telegram   Instagram   LinkedIn   Twitter

Labels:

Comments

Post a Comment

Popular Posts

Modified Interest Subvention Scheme for Agricultural Loans

Reserve Bank of India (RBI) has published the modified interest subvention scheme (MISS) for short term loans for agriculture and allied activities availed through Kisan Credit Card (KCC) during the financial year 2025-26. Which loans are covered under modified interest subvention scheme (MISS)? The short-term crop loans and short-term loans for allied activities including animal husbandry, dairy, fisheries, bee keeping etc. up to an overall limit of ₹3 lakh to farmers through KCC during the year 2025-26 will be covered for interest subvention. Which lending institutions are covered under MISS? The MISS is applicable to the lending institutions viz. Public Sector Banks (PSBs) and Private Sector Banks (in respect of loans given by their rural and semi-urban branches only), Small Finance Banks (SFBs) and computerized Primary Agriculture Cooperative Societies (PACS) ceded with Scheduled Commercial Banks (SCBs), on use of their own resources.  How much is the interest subvention? The a...
Post a Comment
Read more

Internal Ombudsman for Regulated Entities (Banks, NBFCs, PPI Issuers and CICs)

Reserve Bank of India (RBI) has issued directions on Internal Ombudsman for regulated entities. To whom shall the directions on Internal Ombudsman (IO) be applicable? The directions on IO shall be applicable to the following Regulated Entities (REs) – Commercial Banks (other than Small Finance Banks, Payment Banks, and Local Area Banks) having 10 or more banking outlets in India as on March 31, 2025, whether such bank is incorporated in / outside India Small Finance Banks having 10 or more banking outlets in India as on March 31, 2025 Payments Banks having 10 or more banking outlets in India as on March 31, 2025 Non-Banking Financial Companies (NBFCs) fulfilling the following criteria as on March 31, 2025 – Deposit-taking NBFCs (NBFCs-D) with 10 or more branches Non-Deposit taking NBFCs (NBFCs-ND) with asset size of ₹5,000 crore and above and having public customer interface Non-Bank Prepaid Payment Instruments Issuers having more than 1 crore Prepaid Payment Instruments (PPIs) outstan...
Post a Comment
Read more

Reserve Bank - Integrated Ombudsman Scheme, 2026 (RB-IOS, 2026)

Reserve Bank of India (RBI) has issued Reserve Bank - Integrated Ombudsman Scheme, 2026. Who is RBI Ombudsman and RBI Deputy Ombudsman? RBI may appoint one or more of its officers as RBI Ombudsman and RBI Deputy Ombudsman, to carry out the functions entrusted to them under the Reserve Bank - Integrated Ombudsman Scheme (RB-IOS).  The appointment of RBI Ombudsman or RBI Deputy Ombudsman shall be for up to 3 years at a time. RBI Ombudsman shall have the power to examine and close all complaints.   RBI Deputy Ombudsman shall have the power to close those complaints falling under clause 10 of the RB-IOS (i.e. non-maintainable complaints) and complaints resolved as per the provisions of the clause 14(8)(a) to 14(8)(c) of the RB-IOS (i.e. complaint resolved / withdrawn). Which entities are covered under the RB-IOS? RB-IOS shall be applicable to the following Regulated Entities (REs) – Commercial Banks Regional Rural Banks  State Co-operative Banks Central Co-operative Bank...
Post a Comment
Read more

Digital Payments Awareness Week 2026

Reserve Bank of India (RBI) is observing digital payments awareness week from March 09 to 15, 2026. Digital Payments Awareness Week (DPAW) Digital Payments Awareness Week (DPAW) is an initiative to highlight the impact and importance of digital payments and to create awareness about safe usage of digital payment products.  Digital Payments Awareness Week (DPAW) 2026 Reserve Bank of India (RBI) is observing DPAW 2026 from March 09 to 15, 2026.  Under the mission ‘Har Payment Digital’, the theme for the current year is ‘Thoda Dhyan Se’ (be alert/ be careful). The theme emphasises the safe use of digital payments. ‘Har Payment Digital’ mission RBI had launched the mission ‘Har Payment Digital’ on the occasion of the DPAW 2023. This is part of RBI’s endeavour to make every person in India a user of digital payments. Previous Digital Payments Awareness Weeks (DPAWs) Year Theme 2025 ‘India Pays Digitally’ under the mission ‘Har Payment Digital’ ...
Post a Comment
Read more

FEMA - Regulations on Guarantees

Reserve Bank of India (RBI) had issued regulations governing guarantees under the Foreign Exchange Management Act, 1999 (FEMA). What is a guarantee? A guarantee, including a counter-guarantee, means a contract, by whatever name called, to perform the promise, or discharge a debt, obligation or other liability (including a portfolio of debts, obligations or other liabilities), in the event of default by the principal debtor. Who are the participants in a guarantee transaction? Principal debtor – a person in respect of whose default the guarantee is given. Surety – a person who gives a guarantee. Creditor – a person to whom the guarantee is given. When can a person resident in India act as surety / principal debtor? A person resident in India may act as a surety / principal debtor for a guarantee, subject to conditions that – The underlying transaction for which the guarantee is being given or arranged is not prohibited under FEMA guidelines. The surety and the principal debtor are eligi...
Post a Comment
Read more