
Are the customer card details safe after tokenisation?

Ans. Actual card data, token and other relevant details are stored in a secure mode by the token service provider (card payment network or card issuer). Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards.

Who can perform tokenisation and de-tokenisation?

Ans. Tokenisation and de-tokenisation can be performed by the authorised card network or by the card issuer. The list of card networks authorised by RBI to operate in India is available on the RBI website at the link

How does the process of registration for a tokenisation request work?

Ans. Registration for a tokenisation request is done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced / default / automatic selection of a check box, radio button, etc. The customer will also be given the choice of selecting the use case and setting up limits.

Whom shall the customer contact in case of any issues with his / her tokenised card? Where and how can he / she report loss of device?

Ans. All complaints should be made to the card issuers. Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage.


Additional Factor of Authentication (AFA) during e-mandate registration, modification and revocation, as well as for the first transaction extended to recurring payments on UPI


Context: The RBI felt that consumers should have greater agency and visibility into their e-mandates, and thus introduced AFA requirements for each charge in high-ticket billing cycles and stipulated pre-debit notification requirements for all e-mandates. 

The new e-mandate management framework requires that a separate payment flow be instituted for e-mandates above INR 2,000, whereunder the customer manually authenticates each payment in the recurring billing cycle. For payments below INR 2,000, the framework requires customers to be given a pre-notification along with an option to cancel the billing cycle before each payment. 

This circular is applicable for transactions performed using all types of cards – debit, credit and Prepaid Payment Instruments (PPIs), including wallets.


The framework enables the RBI to recognise SROs comprising fintech entities which may or may not be regulated by Indian financial sector regulators. Entities such as lending service providers, PA/PGs, PPI issuers and insurtechs are expected to be a part of the fintech SRO.

Fintech SROs will develop industry best practices, ensure compliance with statutory and regulatory frameworks, and supplement the RBI’s surveillance and monitoring objectives.

The SRO framework details conditions relating to eligibility of members, functions and responsibility of the SRO as well as matters relating to its governance and management.  


The framework builds on the recommendations of RBI’s working group on Fin Tech and Digital Banking. The regulatory sandbox shall enable the testing of new products or services in a controlled environment with certain relaxations on regulatory requirements. 

The framework aims to establish a transparent process for green-lighting innovative products and services on themes such as retail payments, digital KYC, RegTech and SupTech among others. Products and services surrounding credit registries and crypto-asset markets are excluded from the ambit of the regulatory sandbox. 

The RBI will select entities to the regulatory sandbox based on stipulated ‘fit and proper’ criteria, and will oversee the product development in a structured manner within stipulated ‘boundary conditions’ such as: start and end date of the testing, target consumers or merchants, and transaction ceilings.


UPI product-line expansion 

Proposal to expand scope by enabling transfer to / from pre-sanctioned credit lines at banks, in addition to deposit accounts. “In other words, UPI network will facilitate payments financed by credit from banks. This can reduce the cost of such offerings and help in development of unique products for Indian markets.”

Enhancing efficiency of regulatory processes

Decision to develop a secure, web-based, centralised portal named ‘PRAVAAH’ (Platform for Regulatory Application, Validation And AutHorisation) to simplify and reduce the cost of compliance and to streamline the application and approval process for financial sector entities.


RBI’s Payments Vision 2025 looks to provide every user with “Safe, Secure, Fast, Convenient, Accessible, and Affordable e-payment options”. To this end, RBI prioritises the following.

  1. Integrity – through robust authentication mechanisms, and greater scalability of payment systems.
  2. Inclusion – through consumer awareness campaigns and checks on monopolistic behaviour by BigTech firms.
  3. Innovation – through regulations on BNPL products and interoperability across payment modes.
  4. Institutionalisation – through a review of domestic legal frameworks and engagement with international standard setting bodies on digital payment technologies. 
  5. Internationalisation – through internationalisation of domestic payment rails such as UPI and domestic financial messaging systems such as inFiNet.

Decision to issue draft directions on: (i) Reserve Bank of India (IT Outsourcing) Directions, 2022; and (ii) Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2022, under a public consultation process to ensure that aspects such as the risk management framework for IT outsourcing, managing concentration risk, periodic risk assessment and outsourcing to foreign service providers are subject to suitable regulatory guidelines.


Online dispute resolution:

Requirement on authorised PSOs to implement ODR systems for failed transactions in their respective Payment Systems. Based on the experience gained, ODR arrangements will be extended to other types of disputes and grievances.

Encouraging responsible innovation:

RBI will set up an Innovation Hub in India (Reserve Bank Innovation Hub – RBIH). RBIH will act as a centre for ideation and incubation of new capabilities which can be leveraged to create innovative and viable financial products and / or services to help achieve the wider objectives of deepening financial inclusion, efficient banking services, business continuity in times of emergency, strengthening consumer protection, etc. The Innovation Hub will support, promote and hand-hold cross-thinking spanning regulatory remits and national boundaries.

PGs provide technology infrastructure to route and / or facilitate processing of an online payment transaction and perform other functions without actually handling the funds.

PAs facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations to the merchants without the need for merchants to create a separate payment integration system of their own. They facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time-lag. Apart from handling funds, they also get access to customer data.

Key concerns

  1. PAs and PGs may be a source of risk in such a technology and customer experience intensive business if they have inadequate governance practices which may impact customer confidence and experience.
  2. Leveraging their market presence, some of the e-commerce marketplaces also offer payment aggregation services. The primary business of these e-commerce marketplaces does not come within the regulatory ambit of RBI, and in case of regulatory prescriptions for Payment Aggregators, they would end up being subjected to dual regulation. Hence, a separation of these two activities would entail a better regulatory approach / process.
  3. There is need for appropriate delineation of roles and responsibilities among merchants and customers, clarity in case of routing of transactions through proper reporting of transactions handled, etc. Being part of the payments process chain these entities also handle sensitive customer data. Managing customer data, data privacy, Know Your Customer (KYC) requirements of merchants are also important from the point of view of security and customer confidence in the ecosystem.

Additional Factor of Authentication (AFA) limit extended from INR 2,000 to INR 5,000.

Processing of recurring transactions (domestic or cross-border) using cards / PPIs / UPI under arrangements / practices not compliant with the aforesaid instructions shall not be continued beyond March 31, 2021.


1.1.1. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

1.1.2. PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Authorisation: The criteria for authorisation have been arrived at based on the role of the intermediary in handling of funds.

PAs are subject to capital requirements, requirements to mandatorily set up escrow accounts, grievance redressal mechanisms and risk management frameworks. The baseline technology-related recommendations for adoption are mandatory for PAs and recommendatory for PGs.


RBI issued clarifications on themes such as applicability, governance, KYC and merchant on-boarding, operation of settlement and escrow accounts, etc.


(living document)


Who are the issuers of PPIs?

Ans. PPIs can be issued by banks and non-banks. Banks can issue PPIs after obtaining approval from RBI. The non-bank PPI issuers are companies incorporated in India and registered under the Companies Act, 1956 / 2013. They can operate a payment system for issuing PPIs to individuals / organisations after receiving authorisation from RBI.

How can PPIs be loaded?

Ans. PPIs can be loaded / reloaded by cash (not permitted in one type of Small PPI), debit to a bank account, credit and debit cards, PPIs (as permitted from time to time) and other payment instruments issued by entities regulated in India and in Indian Rupees (INR) only.

What are the other types of PPIs apart from the Small PPIs and Full-KYC PPIs mentioned above?

Ans. Apart from above PPIs, there are the following two categories of PPIs: Gift PPIs; and PPIs for Mass Transit Systems (PPI-MTS).

What are the disclosures to be made by the PPI issuer at the time of issuance?

Ans. PPI issuers shall disclose all important terms and conditions in clear and simple language to the holders while issuing the instruments. These disclosures shall include: All charges and fees associated with the use of the instrument; and The expiry period and terms and conditions pertaining to expiration of the instrument.


Closed System PPIs: Issued by an entity for facilitating purchase of goods and services from that entity only and do not permit cash withdrawal. These are not subject to any RBI authorisation or supervision.

PPIs that require RBI approval / authorisation prior to issuance are classified under the following two types:

  1. Small PPIs: These can be issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchase of goods and services. Funds transfer or cash withdrawal from such PPIs is not permitted.
  2. Full-KYC PPIs: These can be issued by banks and non-banks after completing Know Your Customer (“KYC”) of the PPI holder; and can be used for purchase of goods and services, funds transfer or cash withdrawal.

Interoperability: It shall be mandatory for PPI issuer to give the holders of full-KYC PPIs (KYC-compliant PPIs) interoperability through authorised card networks (for PPIs in the form of cards) and UPI (for PPIs in the form of wallets). Interoperability shall be mandatory on the acceptance side as well. QR codes in all modes shall be interoperable by March 31, 2022 vide RBI circular DPSS.CO.PD.No.497/02.14.003/2020-21 dated October 22, 2020. Further, card networks are allowed to onboard PPI issuer to join their network. Non-bank PPI issuer is permitted to participate as member / associate member of authorised card networks.


Living document listing out PAs with in-principle authorisation, and PAs whose applications were returned / withdrawn / refused.


On a review of the issues involved and after detailed discussions thereon with all stakeholders, as also keeping in view that sufficient time has elapsed since the requirements were specified, the following are advised –

a) There shall be no change in the effective date of implementation of the requirements – all entities, except card issuers and card networks, shall purge the CoF data before October 1, 2022.

b) For ease of transition to an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”), the following are being permitted as an interim measure –

Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, can save the CoF data for a maximum period of T+4 days (“T” being the transaction date) or till the settlement date, whichever is earlier. This data shall be used only for settlement of such transactions, and must be purged thereafter.

For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023.


Second extension of the timeline for purging CoFT data by Merchants and PA/PGs — till September 30, 2022

On a review of the issues involved and after detailed discussions with all stakeholders, RBI observed that: 

(i) Considerable progress has been made in terms of token creation.

(ii) Transaction processing based on tokens has also commenced, though it is yet to gain traction across all categories of merchants. 

(iii) An alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far.


First extension of the timeline for purging CoFT data by Merchants and PA/PGs — till June 30, 2022 — to allow more time to the industry stakeholders for devising alternate mechanism(s) to handle any use case or post-transaction activity.

In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks.


Context: In its 2019 vision document, the RBI highlighted the need for improved security in card-not-present (CNP) transactions through secure tokenisation solutions, whereunder card details are masked in the form of unique tokens. 

Thereafter, a slew of highly-publicised instances of card data leaks from merchants’ servers prompted the RBI to issue directions on the way sensitive card information of customers could be stored. The RBI’s intended objective was to reduce the number of instances where sensitive card information was stored to reduce security vulnerabilities in the card payments ecosystem. 

  1. Permit card issuers (apart from card networks) to offer card tokenisation services as Token Service Providers (TSPs), i.e., the entity which tokenises the actual card credentials and de-tokenises them whenever required. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant (the term ‘merchant’ refers to the end-merchant or an e-commerce marketplace entity). Further, token requestor and merchant may or may not be the same entity.
  2. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
  3. Card issuers to allow cardholders to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.
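As an added illustration (not code from the page, RBI or MPAI), a minimal in-memory model of the CoFT rules above: only the TSP holds the PAN, each combination of card, token requestor and merchant gets its own token, a token cannot be de-tokenised for any other merchant, and the cardholder can list and de-register merchants. Class and method names are hypothetical, and the sample PAN is a constructed test value.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenServiceProvider:
    """Hypothetical TSP (card issuer or card network): the only party holding PANs."""
    # token -> (pan, token_requestor, merchant). In a real TSP this vault would be
    # encrypted and HSM-backed; here it is a plain dict for illustration.
    _vault: dict = field(default_factory=dict)
    # (pan, token_requestor, merchant) -> token, so repeat requests reuse one token
    _index: dict = field(default_factory=dict)

    def tokenise(self, pan: str, requestor: str, merchant: str) -> str:
        """Return the token for this (card, requestor, merchant) combination.

        The same combination always maps to the same token; a different merchant
        or requestor for the same card receives a different token.
        """
        key = (pan, requestor, merchant)
        if key in self._index:
            return self._index[key]
        # Random token: carries no information about the PAN, so a leaked
        # merchant database of tokens cannot be turned back into card numbers.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = key
        self._index[key] = token
        return token

    def detokenise(self, token: str, requestor: str, merchant: str) -> str:
        """Return the PAN only if the token was issued for this requestor and merchant."""
        entry = self._vault.get(token)
        if entry is None or entry[1:] != (requestor, merchant):
            raise PermissionError("token unknown or not bound to this requestor/merchant")
        return entry[0]

    def merchants_for_card(self, pan: str) -> list:
        """What the cardholder sees: merchants holding a token for this card."""
        return sorted({m for (p, _r, m) in self._index if p == pan})

    def deregister(self, pan: str, merchant: str) -> int:
        """Cardholder opt-out: delete every token for this card at this merchant."""
        keys = [k for k in self._index if k[0] == pan and k[2] == merchant]
        for key in keys:
            self._vault.pop(self._index.pop(key))
        return len(keys)


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    sample_pan = "4111111111111111"  # constructed test PAN, not a real card
    t = tsp.tokenise(sample_pan, "psp-A", "shop-1")
    print(t, tsp.merchants_for_card(sample_pan))
```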

Keeping in view the requests of some stakeholders and to prevent any inconvenience to customers, it has been decided, as a one-time measure, to extend the timeline for ensuring full compliance to the framework till September 30, 2021. During the extended timeline, no new mandate for recurring online transactions shall be registered by stakeholders, unless such mandates are compliant with the framework.

The Merchant Payments Alliance of India (MPAI) is a group of like-minded merchants accepting digital payments in an ever-growing payments market in India.