Last Updated: December 17,2021
Reserve Bank of India (RBI) has issued a notification in September 2021. According to it, no entity in the card transaction or payment chain can store data from January 01, 2022, other than the card issuers and card networks. From January 01, 2022 onwards, payment aggregators (such as Stripe) have to use network tokens for payment processing instead of the actual credit or debit card number. The goal of this regulation is to prevent online fraud by securing critical financial customers' information from card data breaches and restricting malicious actors from stealing funds of individuals and organizations.
Card networks such as Visa or Mastercard offer network tokens to replace the actual credit or debit card number for online payments. It reduces the risk of exposing sensitive card details such as card numbers or CVV while only the card networks can retain this information.
Merchants having business based in India with customers paying with domestic cards will be affected by this change. Tokenization of card information is required for transactions processed by an India-licensed service provider and paid through a card issued in India.
Tokenization of card information is not required if you, your connected accounts, or platforms that are outside India are not registered in India and not supported by Stripe India.
The following are guidelines mentioned by the RBI.
The following are actions taken by Chargebee to implement these regulations.
If you are using Chargebee APIs for payment, please ensure that the checkout flow allows customers to opt-in or opt-out for saving their card details. This allows the gateway to securely save the card information as a unique token.