RBI Tokenisation for Credit Cards: What It Means for You

Bottom Line: RBI tokenisation means no merchant — from Amazon India to Swiggy — can store your actual credit card number anymore. Instead, they store a unique token that’s useless to hackers. Your cards are safer, and you don’t have to do anything extra.

What Is RBI Tokenisation, in Plain Terms?

Think of it like a hotel key card. Your real room key (your 16-digit card number) stays in the safe. The hotel gives you a plastic card (a token) that only works at that specific hotel, for that specific room, during your stay. If someone steals it, they can’t use it anywhere else.

That’s exactly what RBI mandated for every online merchant in India. When you “save” your HDFC Infinia or SBI SimplyCLICK on Flipkart, Flipkart no longer stores your actual card number. It stores a token — a random string that only works for transactions between your card and Flipkart. A different token is generated for Zomato, a different one for MakeMyTrip, and so on.

The Reserve Bank of India made this mandatory from October 1, 2022. By now, every compliant merchant has switched over. If you’ve noticed that some websites asked you to re-save your card details a while back — that was the tokenisation cutover happening.

Why Did RBI Push This?

India’s online card transaction volume has exploded. Credit card spends crossed Rs 1.8 lakh crore per month in recent data, and online transactions make up a massive chunk. The average online credit card transaction is roughly twice the size of an offline swipe — so the stakes when card data leaks are enormous.

Before tokenisation, merchants stored your raw card details in their databases. One breach at a mid-tier e-commerce site could expose lakhs of card numbers. RBI’s logic was simple: if merchants don’t have real card data, there’s nothing valuable to steal.

The Timeline

Date	What Happened
January 2019	RBI first introduced tokenisation guidelines for mobile payments
September 2021	Extended to Card-on-File (CoF) tokenisation — covering all online merchants
October 1, 2022	Deadline enforced — merchants must delete stored card data and switch to tokens
2023–2025	Banks and card networks (Visa, Mastercard, RuPay) refined the token infrastructure
2026	System is mature — token success rates now match or exceed old saved-card flows

How It Actually Works When You Pay

Here’s what happens behind the scenes when you tap “Pay” on Amazon India with your saved ICICI Amazon Pay card:

You saved your card earlier — Amazon sent your card details to the card network (Visa/Mastercard/RuPay), which created a unique token and sent it back to Amazon. Your real number was deleted.
You hit Pay — Amazon sends the token (not your card number) to the payment gateway.
The card network translates — Visa or Mastercard maps the token back to your actual card number and routes the transaction to your bank (ICICI, in this case).
Your bank authorises — ICICI checks your limit, sends an OTP or processes the transaction, and approves it.
You get your order — The merchant never saw your real card number at any point.

The entire translation happens at the network level. The merchant is completely out of the loop on your actual card details.

What You Need to Do (Almost Nothing)

For most cardholders, tokenisation is invisible. But there are a few things worth knowing:

Re-saving Cards

If a merchant asks you to re-enter and save your card, it’s likely completing the tokenisation process. This is normal. You’ll enter your details once, and a token is created going forward.

One Token Per Merchant

Your Axis Magnus on Myntra has a different token than your Axis Magnus on BookMyShow. This is by design — even if one merchant’s database is breached, the token can’t be used anywhere else.

Guest Checkout Still Works

You can always enter your card number manually for a one-time transaction. That number isn’t stored. Tokenisation only applies to the “save this card for later” flow.

No Impact on Rewards or Cashback

Your HDFC Diners Club Black still earns 3.3% reward rate on online spends. Your SBI BPCL card still gives fuel surcharge waivers. Tokenisation changes how your card number is stored, not how your card benefits work.

Tokenisation vs Other Security Measures

Feature	What It Does	Protects Against
Tokenisation	Replaces card number with a merchant-specific token	Data breaches at merchant end
OTP / 2FA	Requires a one-time password for each transaction	Unauthorised transactions
EMV Chip	Encrypts data during physical swipes/dips	Card cloning at POS terminals
Virtual Card Number	Temporary card number for single use	Both merchant breaches and recurring fraud
Card Lock (in-app)	Disables card for online/international use when not needed	Misuse of stolen card details

Tokenisation doesn’t replace OTP or 2FA — it works alongside them. Think of it as one layer in a multi-layer defence.

What It Means for Frequent Travellers

If you use your Indian credit card on international merchant websites — booking hotels on Agoda, flights on airline websites, or paying for travel insurance — tokenisation applies there too, as long as the transaction is processed through an Indian card network or falls under RBI’s jurisdiction.

However, some international merchants may not support Indian tokenisation standards yet. In those cases, you might find that your saved card doesn’t work and you need to enter details manually. This is more of an inconvenience than a security risk.

For cards like the HDFC Infinia, Axis Atlas, or IDFC FIRST Wealth that are popular among Indian travellers for international bookings, just keep your card details handy for merchants that haven’t integrated with Indian token systems.

Common Myths

“Tokenisation means I need a new card.” No. Your physical and virtual card stays exactly the same. Tokenisation happens entirely in the background.

“My card won’t work on websites anymore.” It will. The checkout experience is nearly identical. Some sites might ask you to re-save your card once.

“Only credit cards are tokenised.” Debit cards, prepaid cards — all cards used online fall under the same RBI mandate.

Understanding India’s Credit Card Rules — The full landscape of RBI regulations every cardholder should know
Best Credit Cards for Online Shopping in India — Cards that maximise rewards on tokenised online transactions
Best Travel Credit Cards for International Trips — Top picks for Indians who book flights and hotels online

Frequently Asked Questions

Is tokenisation mandatory for all merchants in India?

Yes. Since October 1, 2022, no merchant in India can store your actual card details. They must use tokenisation or delete saved card data entirely.

Do I need to pay anything for tokenisation?

No. Tokenisation is completely free for cardholders. Your bank and the card network handle it behind the scenes.

Will tokenisation slow down my online payments?

No. In fact, token-based transactions are now as fast or faster than the old saved-card method. Banks have optimised the infrastructure over the past three years.

What happens if I get a replacement card from my bank?

When your bank issues a new card (due to expiry, loss, or upgrade), the old tokens are deactivated. You’ll need to re-save your new card on each merchant, which generates fresh tokens.

Can I see which merchants have my card tokenised?

Yes, most banks now show token details in their mobile apps. Check your HDFC, ICICI, or SBI card app under “Manage Tokens” or “Card on File” settings. You can also deregister tokens for merchants you no longer use.

Does tokenisation protect against UPI fraud or phishing?

No. Tokenisation specifically protects stored card data at the merchant end. It doesn’t prevent social engineering attacks where someone tricks you into sharing your OTP or card details directly. Stay vigilant about phishing calls and messages regardless.