The Reserve Bank of India (RBI) issued a notification in September 2021. Under it, no entity in the card transaction or payment chain other than card issuers and card networks may store card data after June 30, 2022. From June 30, 2022 onward, payment aggregators (such as Stripe) must use network tokens for payment processing instead of the actual credit or debit card number. The goal of this regulation is to reduce online fraud by keeping customers' sensitive financial information out of card data breaches and preventing malicious actors from stealing funds from individuals and organizations.
What are network tokens?
Card networks such as Visa and Mastercard offer network tokens to replace the actual credit or debit card number for online payments. This reduces the risk of exposing sensitive card details, as only the card networks can retain this information.
What are the new guidelines?
The following guidelines are prescribed by the RBI:
Payment aggregators (such as Stripe) must use network tokens to refer to card details and process payments instead of the actual credit or debit card number.
Collect cardholder consent to store card details and use them for recurring payments.
Perform 3D Secure authentication and other RBI e-mandate-related requirements before saving card details.
Give customers an option to delete their token from the merchant platform.
What are the impacts of the regulation?
Gateways must work internally with card networks to tokenize card details and not store them on their end. Stripe has already started using network tokens. For more details, contact Stripe to check if your account is updated.
Success rates for recurring payments on India-issued cards may drop, because banks may ask customers to re-enter their card details.
Who does the RBI tokenization regulation apply to?
Merchants with businesses based in India and customers paying with domestic cards must comply with the regulations. Merchants with businesses based outside India and customers paying with India-issued cards should also be prepared, as they may be affected.
What do you need to do to comply with this regulation?
You must get explicit consent from your customers before saving card details. If you are using Stripe, Stripe obtains the required consent as part of the 3D Secure authentication process, so no separate action is required from your end.
Make sure you have the Pay Now link configured in all dunning and customer emails so customers can pay for their pending invoices as one-time payments if automated recurring payments fail.
If you are facing payment failures after the enforcement of this regulation, check with your respective payment gateways to improve the success rate.