The TLDR: Starting January 1, you will have to manually enter your card details at every place you shop online—delivery apps included. And you may have to do it repeatedly with a number of merchants if they are not ready for a brand new set of Reserve Bank of India rules—which dictate that companies can no longer store your card data. So get ready for some chaos come New Year’s Day.
Say hello to tokenization
The RBI rules basically state that no one can capture or store your card details except your banks and payment providers like Visa etc. And it has made a new system called ‘tokenization’ mandatory starting January 1.
How it works now: This is what happens when you go online to buy something.
- You enter your card details, the website captures your data.
- Then the company’s payment gateway (Razorpay, e.g.) initiates a transaction by sending those details to your payment provider—Visa, Mastercard, RuPay etc.
- Visa et al send those details to your issuing bank or company—which approves the payment.
- So all these companies have your information—and can save it for future or repeat transactions.
Enter tokenization: This merely means that your card details are replaced by a token number. This number is unique to the card you are using and who you are buying from. Next time, if you use a different card—or use the same card to buy from a different merchant—a new token number will be required.
How it will work from January 1: Merchants and payment gateways have to purge all customer card data from their records by that date. So when you go online, you will ideally do the following (with the emphasis on ‘ideally’):
- Once you hit ‘buy’, the company will ask for your consent to tokenize your card details.
- After you give your consent, the company—or its payment gateway—will send a request to your card company.
- The card company will send a token number—instead of your card number—to the merchant.
- You approve the transaction with a CVV and OTP number.
- The company will save the token number—not your card number—for future transactions.
- Rinse and repeat for every card you use and every online site/app you shop from.
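To make the "unique to the card and the merchant" idea concrete, here is an added sketch in Python (not code from the RBI, any card network or any payment gateway). The TokenVault and Merchant classes, the merchant IDs and the card number are all constructed for illustration, and the CVV/OTP approval step is left out.

```python
import secrets

class TokenVault:
    """Toy stand-in for the card company's token service (hypothetical)."""
    def __init__(self):
        self._by_pair = {}   # (card number, merchant) -> token
        self._by_token = {}  # token -> (card number, merchant)

    def tokenize(self, pan, merchant_id, consent):
        if not consent:
            raise PermissionError("cardholder consent is required before tokenizing")
        key = (pan, merchant_id)
        if key not in self._by_pair:
            token = pan
            while token == pan or token in self._by_token:
                # Random digits: the token is not derived from the card number
                token = "".join(secrets.choice("0123456789") for _ in range(16))
            self._by_pair[key] = token
            self._by_token[token] = key
        return self._by_pair[key]

    def authorize(self, token, merchant_id):
        """Accept a token only from the merchant it was issued to."""
        pan, issued_to = self._by_token.get(token, (None, None))
        return pan is not None and issued_to == merchant_id

class Merchant:
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault = merchant_id, vault
        self.saved = {}  # customer -> token; the card number is never kept

    def save_card(self, customer, pan, consent=True):
        self.saved[customer] = self.vault.tokenize(pan, self.merchant_id, consent)

    def pay(self, customer):
        return self.vault.authorize(self.saved[customer], self.merchant_id)

def demo():
    vault = TokenVault()
    shop_a, shop_b = Merchant("shop-a", vault), Merchant("shop-b", vault)
    pan = "4111111111111111"  # constructed test card number
    shop_a.save_card("asha", pan)
    shop_b.save_card("asha", pan)
    leaked = shop_a.saved["asha"]  # all that a breach of shop-a would expose
    return {
        "tokens_differ": leaked != shop_b.saved["asha"],
        "pan_stored": pan in shop_a.saved.values(),
        "own_token_ok": shop_a.pay("asha"),
        "leaked_token_at_b": vault.authorize(leaked, "shop-b"),
    }
```

The point of the last check: a token leaked from one merchant's database is rejected when presented by any other merchant, which is what limits the damage of a breach.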
Point to note: Tokenization is already in place for UPI payments. And net banking will work seamlessly as well. This only affects transactions where you use your cards.
And we are doing this because…
The RBI is concerned about the security of your card data—which is shared and stored across multiple websites when you shop online:
“Many entities involved in the card payment transaction chain store actual card details. In fact, some merchants force their customers to store card details. Availability of such details with a large number of merchants substantially increases the risk of card data being stolen. In the recent past, there were incidents where card data stored by some merchants have been compromised/leaked.”
For the promise of far greater security, you have to put up with the one-time hassle of manually entering your details when you shop from a specific company.
As for the online retailers: Supporters of tokenization argue that retailers only need a technological upgrade to get ready to accept such payments. Also: They no longer have to worry about being hacked. And these merchants are moving to a far superior system currently used by the likes of ApplePay and SamsungPay—which offer frictionless shopping—and enable tools like one-click purchase on Amazon.
Ok, what’s the problem?
