Token Vault FAQs
Card tokenization replaces sensitive card details (number, expiry, CVV) with a secure, random token. This token is used for payments, keeping actual card data safe and reducing the risk of fraud.
The RBI guidelines on card tokenization are as follows:
- Payment aggregators, payment gateways and merchants cannot store card numbers on their servers, even if they are PCI/DSS compliant
- Only card networks and issuing banks can store card numbers and offer token provisioning services to other entities in the payment industry
- The deadline for compliance with these guidelines is 31st of December 2021
A Token Vault securely stores card tokens, enabling customers to make quick, hassle-free payments with saved cards. We generate interoperable network tokens, meaning they can be used across multiple payment providers for seamless transactions.
Merchants are allowed to store only the last 4 digits of the actual card number, the card scheme and the issuing bank name. They cannot store other details like the card BIN, card expiry or CVV.
No, there is no impact as such on card payments where the customer enters the complete card number details. Only those cases where merchants or PA/PGs were saving cards will be affected.
No, merchants will not be able to get the actual card number back from the tokenized cards. Only schemes and issuing banks will be able to do so.
No, the explicit consent of the customer is mandatory when provisioning a token for the card.
If 2FA fails even after the customer has given consent to tokenize the card, merchants will not be able to provision a token and save the card.
No, tokenization is limited to card payments. All card payments like credit, debit, prepaid and corporate credit cards are impacted.
If you are a merchant who is already PCI/DSS compliant, here is what you need to do to stay RBI compliant:
- Merchants who were saving the card number on their own servers will also have to either integrate with individual card schemes and become a token requestor themselves, or integrate with Token Vault, where Cashfree Payments will be a token requestor on the merchant's behalf.
- PCI/DSS compliant merchants have to delete the cards already saved with them, as RBI does not allow bulk tokenization of cards.
Yes, the token reference number of tokens provisioned through Cashfree will be saved with Cashfree only. However, merchants can fetch the card network tokens from Cashfree and use them for payment on any other PA/PG. It is not possible to migrate cards provisioned through Cashfree to another PG.