RBI Tokenization Regulations 

Last Updated: December 17, 2021

The Reserve Bank of India (RBI) issued a notification in September 2021. According to it, from January 01, 2022, no entity in the card transaction or payment chain other than the card issuers and card networks can store card data. From January 01, 2022 onwards, payment aggregators (such as Stripe) have to use network tokens for payment processing instead of the actual credit or debit card number. The goal of this regulation is to prevent online fraud by securing customers' critical financial information from card data breaches and restricting malicious actors from stealing the funds of individuals and organizations.

What are Network Tokens? 

Card networks such as Visa or Mastercard offer network tokens that replace the actual credit or debit card number in online payments. Tokens reduce the risk of exposing sensitive card details such as card numbers or CVV, while only the card networks can retain this information.

Who will be affected by the RBI tokenization regulation? 

Merchants whose business is based in India and whose customers pay with domestic cards will be affected by this change. Tokenization of card information is required for transactions processed by an India-licensed service provider and paid through a card issued in India.

Tokenization of card information is not required if you, your connected accounts, or platforms that are outside India are not registered in India and are not supported by Stripe India.

What are the new guidelines? 

The following guidelines are mentioned by the RBI.

  • Collect cardholder consent to save a new card: Get consent from your customers to store and use tokens for Indian cards. Update your service terms with your customers to capture this consent.
  • Perform 3D Secure authentication before saving the card: Authenticate cards via 3DS before saving card details for future use. During payment, 3DS authentication saves the card information automatically.

What is Chargebee doing to implement these regulations?

Chargebee has taken the following actions to implement these regulations.

  • Chargebee displays a consent banner wherever you need to add or edit card details for all 3DS-enabled payments, such as the Checkout Page, Checkout Portal, PayNow, and the Update Payment Method Link sent to the merchants.
  • Chargebee has communicated to the merchants to ensure that 3DS authentication is enabled in Chargebee for their configured Stripe account for the recent RBI e-mandate regulations.

Note

If you are using Chargebee APIs for payment, please ensure that the checkout flow allows customers to opt in to or opt out of saving their card details. This allows the gateway to securely save the card information as a unique token.
