In the wake of businesses moving online and adapting to the digital payments ecosystem, the Reserve Bank of India (RBI) has issued a circular (dated September 7, 2021) that prohibits businesses, payment aggregators, payment gateways and acquiring banks from saving customer card details on their servers from July 1, 2022. 

The circular states that the only entities allowed to store card information will be issuing banks (the banks that issue the cards) and card networks (Visa, Mastercard, RuPay, etc.).

The main aim of this move is to prevent online fraud by helping keep the critical financial information of customers secure from card data breaches, which allow malicious actors to steal funds from unsuspecting individuals and organisations. 

While it is true that the RBI now prohibits you from saving your customers’ card details when accepting digital payments, the apex body also provides a workaround – ‘Card-on-File Tokenisation’. 

Understanding Card-on-File Tokenisation 

What is tokenisation?

Tokenisation is the process by which the original card number or Primary Account Number is replaced with a surrogate value called a ‘token’. 

Card-on-File Tokenisation

In this process, tokens are created for customer cards to protect them from online fraud. These tokens are managed between the token requestor and the network, thereby allowing customers to store their card details in a secure and compliant fashion.

The relationship between token and card-related data is saved in a vault owned by the card networks. As a result, customer card details will be safer than ever before. 

The apex body has recommended that businesses, payment aggregators, payment gateways and acquiring banks in the payment ecosystem – particularly payment service providers – use and store ‘tokens’ instead of card information through tokenisation. 


What does tokenisation mean for digital payments?

Most businesses adopted the online-first model after the outbreak of the COVID-19 pandemic, making digital payments a necessity.


The new regulation by the RBI implies your customers will have to bear the inconvenience of entering their credit or debit card details every time they make an online payment. Besides customer experience, this change can also impact your business in other ways.  

  • Increased cart abandonment – This will result in an increase in drop-offs at the checkout page and will lead to a decline in revenue
  • Loss of market share – Customers will migrate to competing businesses that offer tokenisation, since it will provide them with a superior experience
  • Loss of personalisation – This will also prevent businesses from making bespoke offers and promotions to customers based on saved and prior purchase history


If you are worried about how to face these challenges, here is a reliable industry-first tokenisation solution by Razorpay.

Razorpay TokenHQ: Enabling seamless card tokenisation

Razorpay TokenHQ, India’s first RBI-compliant card tokenisation solution, allows businesses to continue offering their customers a saved card experience with the help of a unified platform that connects with various networks such as Visa, Mastercard, RuPay, etc., as well as the issuing banks.


Businesses can leverage Razorpay’s local vault as well as a global vault to offer their customers a seamless checkout experience. If you’re a business using Razorpay’s standard checkout/custom checkout capability, card tokenisation will be auto-enabled.

If you have an S2S (server to server) integration with Razorpay, you can use developer-friendly APIs to easily integrate.
