Tokenization of credit and debit cards

Tokenization has been introduced to enhance your online shopping security while using credit card or debit cards. It was to go live from 1st January, 2022, but the merchants have requested for more time as only a very small percentage of online shoppers have tokenized their cards. So the RBI extended the deadline for another 6 months till the end of June 2022.

In recent crackdown on data security and privacy safeguards, the Reserve Bank of India (RBI) has brought in a regulation for e-commerce providers that prevents them from saving your card details, like the 16-digit card number and expiry date, on their servers and platforms. This is applicable to all e-commerce merchants like Amazon, Flipkart, BigBasket, Myntra, Ixigo, and more. But to make it convenient for the consumer while providing for better security of your card details, you can safely store your card details through a new process called “Tokenization.”

Let us understand more about this new security measure for card safety

Whenever a purchase is made using a card, be it debit or credit card, on any of the e-commerce websites, the cardholders are provided an option to save the card details on it so that they do not have to re-enter the card, expiry date, etc. while making the next purchase. The cardholder can simply use the saved date from the website and enter the CVV number and applicable password to complete the purchase.

Even though this way of storing information for the future was convenient, this particular way was very risky. There are risks of you accessing the website just once during the year, maybe to book a flight ticket for a particular trip or to order something that was on sale only during a particular time of the year and then completely forgetting about your stored information. If a hacker hacks these websites, then he/she could get access to all your financial information stored on them. According to Harshiil Mathur, CEO and Co-Founder at Razorpay, “There is a high chance some of the merchants will not know how to store secure card information.”

What Is Tokenization? 

Tokenization has been introduced to save cardholders from online risks and fraud. This is a process of converting the card details into a unique token that is specific to a card and only applicable to one merchant at a time. This token uses complex codes to hide the details of the card, without which no one can misuse it. This token can also be easily saved on the online shopping portals.

Websites are prohibited from saving a user’s card details online on its servers as before. The user will have to enter the card number, expiry date, and CVV every time they make a purchase or create a token for the website and save a secured token for easier sales.

According to Reeju Datta, Co-Founder at Cashfree Payment, “In the past, there have been instances of data leaks from merchant websites; digital transactions are also growing significantly, requiring added safety.” So, this is a precautionary step mandated by the regulator to enhance card data security. “

See how to check your credit score through CreditMantri today! 

How Does Tokenization Work? 

The user needs to add the card details on the payment page and opt for a token. The merchant forwards these details to the bank or the card networks like Visa, Rupay, Mastercard, DinersClub, etc. 

A token is generated and is sent back to the merchant, which is saved on the website. 

This saved token can be used to make a secured payment at the check-out for any of the next transactions made on the website. 

You can only see the masked details of your card, like the last four digits of the card number, and you only have to enter the CVV to complete your transaction. 

Tokenization is not mandatory, but it makes it easy for those who frequently shop online and wish to save their card details online for ease of use.

As a customer, you don’t need to remember the token. This ensures that the end-customer experience is not affected while making the payment. 

Tokenization Charges and Fees

Tokenization is absolutely free and can be used by anyone. 

The RBI has currently applied it only to domestic cards and it is not applicable to international cards. Cardholders can request tokenization for any number of cards they have. 

If a merchant has not integrated with the card network and the bank issuing the cards by the deadline, you will have to enter the card details every time, as you cannot store your card details in the token format.

Is A Token Unique To A Card And A Merchant? 

Yes, a token is limited to just one card and one merchant. For example, if a user creates a token using an HDFC Bank Credit card on Amazon, then this same card will have a different token on Flipkart. The cardholder is not required to remember the token linked with the cards. Multiple tokens using different cards can be made for the same merchant, or the same card can be used to make different tokens on different merchant websites.

How to Manage Tokens? 

The issuer banks will provide a dedicated space or a portal where the tokenized cards can be managed. The users will have access to a dashboard which will show their cards, the tokens created with them, and the merchants with whom they have been linked. Users can delete the tokens from the website that they do not use.

When to Create Fresh Tokens? 

Whenever a user’s card is replaced, renewed, reissued, or upgraded, they need to logon to the merchant website and create a fresh token. This is because the new card comes with a new number and a different CVV than what was used for the previous token.


With most shopping done online these days, consumers have to be vigilant to safeguard their financial information at all times. The amount of online fraud and theft runs into thousands of crores every year with millions of consumers cheated.  Even though Tokenization is not mandatory, it is recommended that consumers shift to this safer method for their own data security and online financial protection. 

Leave a Reply

Your email address will not be published.