Why RBI Implemented Card Tokenisation And How It Makes Online Payments Safer

Tokenisation replaces stored card details with unique digital tokens, which helps protect credit and debit card information during online payments.

RBI Card Tokenisation
Summary
  • Tokenisation replaces card numbers with secure digital tokens

  • Merchants store tokens instead of sensitive debit or credit card details

  • Tokenisation reduces risk of data leaks and online payment fraud

The Reserve Bank of India (RBI) first implemented the Card on File Tokenisation framework to secure the digital ecosystem. After several extensions to give the industry time to prepare, the rules officially went into effect on October 1, 2022. Since then, merchants and payment aggregators have been prohibited from storing actual customer card information on their servers.

The adoption of this technology has been widespread. By the end of 2024, more than 91 crore tokens had been issued across the country. By the beginning of 2025, almost 98 per cent of e-commerce transactions were being carried out using tokens instead of raw card data, according to data from RBI.

Earlier, many websites and mobile apps stored customers' card details, such as the 16-digit card number, expiry date and more, to facilitate faster checkouts. While this made payments convenient, it carried risks. If a merchant's system was hacked or suffered a data breach, the card details stored in the system would be exposed and could be misused.

Under the tokenisation system, the actual details of a card are replaced with a randomly generated token. This token is used to process the payment without the actual card number being seen. As a result, merchants no longer store sensitive card information on their systems.

Why RBI Introduced Tokenisation

RBI introduced card tokenisation to improve the safety of digital payments.

Online shopping, food delivery and travel bookings have increased dramatically in recent years. Many users prefer to store their card details on these platforms to make faster payments. However, storing card data across multiple websites created a high chance of data breaches and financial fraud.

To mitigate this threat, RBI asked merchants and payment aggregators not to retain customers' card details. Instead, card information stored for future payments had to be converted to tokens.

This moves the storage of sensitive card data away from merchants and makes it the responsibility of authorised entities, such as card networks and banks, which usually have stronger security systems and more stringent safeguards.

How Tokenised Payments Work

Tokenisation follows a simple process when a user saves a card for online payments. When a customer enters the card information on a website or mobile application and chooses to store the card, the platform sends a request to the card network. With the approval of the issuing bank, a unique token is created for that card.

This token is tied specifically to the card, the merchant platform and the user's device. The merchant stores this token instead of the card number itself.

When the user makes another payment on the same platform, the stored token is used to process the transaction. The payment network then maps the token back to the original card details in a secure system and processes the transaction. Since the merchant only stores the token, the actual card details are protected.
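
The flow described above, as an added Python example that is not part of the original article and is not any card network's code: a toy vault issues a random token bound to the card, merchant and device, and resolves it only in that same context. The class and function names, the merchant and device identifiers, and the card number are constructed for illustration.

```python
import secrets


class TokenVault:
    """Toy stand-in for the card network's vault (hypothetical, for illustration)."""

    def __init__(self):
        self._records = {}  # token -> (card_number, merchant_id, device_id)

    def tokenise(self, card_number, merchant_id, device_id, user_consented, issuer_approved):
        # A token is issued only after customer consent (e.g. OTP) and issuer approval.
        if not (user_consented and issuer_approved):
            raise PermissionError("consent and issuer approval are required")
        token = secrets.token_hex(8)  # random, so it reveals nothing about the card
        self._records[token] = (card_number, merchant_id, device_id)
        return token

    def resolve(self, token, merchant_id, device_id):
        # Mapping back to the card happens only inside the vault.
        record = self._records.get(token)
        if record is None:
            raise LookupError("unknown or removed token")
        card_number, bound_merchant, bound_device = record
        if (merchant_id, device_id) != (bound_merchant, bound_device):
            raise PermissionError("token is not valid in this context")
        return card_number

    def remove(self, token):
        # The customer can delete a saved card; the token stops working.
        self._records.pop(token, None)


def authorise(vault, token, merchant_id, device_id):
    """Network-side check; the merchant only ever learns the outcome."""
    try:
        vault.resolve(token, merchant_id, device_id)
    except (LookupError, PermissionError):
        return "DECLINED"
    return "APPROVED"


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # constructed sample number, not a real card
    token = vault.tokenise(card, "shop-a", "phone-1", True, True)
    print(authorise(vault, token, "shop-a", "phone-1"))  # token used where it was issued
    print(authorise(vault, token, "shop-b", "phone-1"))  # same token presented elsewhere
    vault.remove(token)
    print(authorise(vault, token, "shop-a", "phone-1"))  # token after removal
```

A token copied out of one merchant's database is declined when presented in any other merchant or device context, which is why a breach of stored tokens is far less damaging than a breach of stored card numbers.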

What It Means For Card Users

For customers, tokenisation operates mostly in the background and will not significantly alter the payment experience.

If a card is tokenised on a particular website or application, the user will be able to continue making faster payments without having to input card details every time. However, the first time a card is saved, the user has to give consent and confirm the request with an additional authentication step, such as an OTP.

Users may also opt not to tokenise their cards. In that case, they will have to type in the card information for each online purchase.

Card tokenisation does not cost customers anything extra. Users can also remove tokens from merchant platforms if they no longer want to keep their cards saved.
