Tokenisation FAQs
Tokenisation and the 2021 RBI guidelines.
Given below are FAQs on the Tokenisation guidelines issued by RBI that businesses must adopt by Sep 2022:
Tokenisation is the process by which the original card number / Primary Account Number (PAN) is replaced with a surrogate value called a token
.
No, the token
will not be visible to the cardholder. It will be managed between the Token Requestor(TR) and Network.
Card networks and Card issuers are the only parties that can now save plain text cards. All other parties (Payment Acquirers (PA), Payment Gateway (PG), acquiring banks and businesses) can only have a tokenised card. They cannot save a plain text card.
Yes, customer consent and additional factor of authentication (AFA) are required for saving a card/creating a token. This can be the same 2FA used during the first transaction.
The last 4 digits of the actual card number and a card issuer name can be stored by entities for tracking/analytical purposes. Apart from this, metadata such as network name, issuer name and so on can continue being stored.
Issuing banks are expected to provide a portal where customers can view and delete the list of cards saved online across all businesses. Businesses are also expected to provide an interface for their customers to view and delete saved cards.
Yes. As per the RBI guidelines, saved cards will be tokenised with networks and issuers to ensure compliance.
It is possible that you have not integrated with our TokenHQ APIs, an RBI-compliant solution that allows your customers to make saved card payments.
Yes, Razorpay is now compliant with RBI guidelines on all networks.
Razorpay’s TokenHQ has a record success rate of >99% for token creation across all networks.
While the TokenHQ solution will be instantly enabled for your account, the onboarding process and turnaround time are different for each network. Our support team will start the onboarding process as soon as your account is activated.
Razorpay’s TokenHQ has a record success rate of ~80-83% for token-based payment processing across all networks.
In light of the new tokenisation guidelines, these saved cards of the customers are no longer compliant to be stored with us. Our TokenHQ product is an RBI-compliant solution that will help customers save their cards across networks.
As part of the RBI guidelines, sensitive card information that includes card number, BIN/IIN, cardholder name, expiry details of the card are no longer compliant to be shared from Oct 1, 2022.
Once the onboarding process with each network is complete, using TokenHQ APIs, your customers will be able to save cards on your platform.
- There will be no impact on refunds with normal speed.
- Since aggregators like ourselves are only allowed to store card data up to a maximum of T+4 days, Instant Refunds will be possible until Razorpay settles the payment amount with the merchant, up to a maximum of 4 days from the date of transaction.
- Instant Refunds for payments with tokenised cards will be possible for VISA Debit Cards only, and refunds for all other card payments will be made via Razorpay’s normal refunds.
Several APIs are impacted due to the guidelines. Based on your integration with Razorpay, the following APIs are altered to return dummy values instead of sensitive card information.
- .
- .
- .
- .
- .
- .
- .
- Since aggregators like ourselves are only allowed to store card data up to a maximum of T+4 days, Instant Refunds for guest checkout transactions will be possible up to a maximum of 4 days from the date of transaction.
- Instant Refunds for payments with tokenized cards will be possible for VISA Debit Cards only. Refunds for all other card payments will be made via Razorpay’s .
As per the RBI circular, Razorpay can have the card data upto T+4 or settlement date (whichever is earlier). By this logic, Instant Refunds will be possible up to a maximum of 4 days from the date of transaction. For tokenised cards, Instant Refunds will be available only for VISA debit cards.
Since aggregators like ourselves are only allowed to store card data up to a maximum of T+4 days, Instant Refunds will be possible up to a maximum of 4 days from the date of transaction. You can still provide refunds to your customers using
For all the
downloaded from the Razorpay Dashboard, and the custom reports configured by your support POC, the changes will be as follows. These will be applicable for both older reports as well as newer reports getting generated.- Cardholder name will be returned as the blank string "".
- Instead of the entire card number, only the last four digits will be shared.
- For international cards, reports will continue to show the complete cardholder name and card number.
Was this page helpful?
ON THIS PAGE