New rules for debit and credit cardholders from next month


The Reserve Bank of India (RBI) has mandated the replacement of all credit and debit card data used in online, point-of-sale and app transactions with unique tokens by September 30 from This year. The deadline was extended by three months from July.

Here’s everything you need to know about the new rules for debit and credit cardholders coming into effect from October:

What is card tokenization?

According to the RBI, tokenization refers to replacing the actual card details with an alternate code called the “token”.

What is the benefit of tokenization?

A tokenized card transaction is considered more secure because the actual card details are not shared with the merchant while the transaction is being processed.

How can tokenization be achieved?

The cardholder can obtain the tokenized card by initiating a request on the application provided by the token requester. The token requester will forward the request to the card network which, with the agreement of the card issuer, will issue a token corresponding to the combination of card, token requester and device.

What are the fees that the customer must pay to benefit from this service?

The customer does not have to pay any fees to benefit from this service.

Who can perform tokenization?

Tokenization can only be performed by the authorized card network and the list of authorized entities is available on the RBI website.

What are the fees that the customer must pay to benefit from this service?

The customer does not have to pay any fees to benefit from this service.

What are the use cases (instances/scenarios) for which tokenization has been allowed?

Tokenization has been enabled via mobile phones and/or tablets for all use cases/channels (e.g. contactless card transactions, payments via QR codes, apps, etc.)

Is the tokenization of a card mandatory for a customer?

No, a customer can choose whether or not to leave their tokenized card. Those who do not wish to create a token can continue to transact as before by manually entering card details when initiating the transaction.

Are customer card details safe after tokenization?

Actual card data, token and other relevant details are stored securely by authorized card networks. The token requestor cannot store the Master Account Number (PAN), i.e. card number or any other card details. Card networks are also mandated to get the token applicant certified for safety and security that conforms to international best practices/globally accepted standards.

How does the registration process work for a tokenization request?

Registration of a tokenization request is only done with the explicit consent of the customer via an additional authentication factor (AFA), and not by means of a forced / default / automatic selection of checkboxes, radio buttons , etc. The customer will also have the choice of selecting the use case and setting the limits.

Is there a limit to the number of cards a customer can request for tokenization?

A client can request the tokenization of any number of cards. To make a transaction, the customer is free to use any of the cards registered with the token request application.

Who should the customer contact in the event of a problem with their token card? Where and how can he/she report the loss of the device?

All complaints should be directed to the card issuers. Card issuers should ensure easy access for customers to report the loss of an “identified device” or any other such event that could expose tokens to unauthorized use.

Can a card issuer refuse tokenization of a particular card?

Rep. Based on the perception of risk, etc., card issuers can decide whether or not to allow registration of cards issued by them by a token applicant.

Catch all the trade news, market news, breaking news and latest updates on Live Mint. Download the Mint News app to get daily market updates.

More less

To subscribe to Mint Bulletins

* Enter a valid email

* Thank you for subscribing to our newsletter.

Post your comment


Comments are closed.