What is RBI tokenisation? Will your online shopping change?

With the world moving entirely to online sales and data hacks rising, RBI has come up with a tokenisation system. Here's what you should know about it.

 |  3-minute read |   21-12-2021
  • ---
    Total Shares

RBI has brought in new rules to do online transactions starting January 2022, which is expected to be a step towards reducing the impact of data hacks by companies. Instead of saving card details on the payment platforms like Amazon, customers will now have to create a token on each shopping portal (which once created will be saved for future use like saved cards), and use this token for every purchase thereafter. This was done to reduce the data available to hackers if the shopping portals were to face a data breach issue. But how did we reach here?  

Photo: Getty ImagesPhoto for representation: Getty Images


Take an (fictitious) example. Rajshekhar, a corporate employee of a Delhi-based company was aghast when he saw a barrage of messages in his inbox. His card had been swiped for a total of Rs 60,000 while he was busy at work and he had no clue about it because his card was in his wallet all along. He couldn’t believe his eyes when he read about the Domino's data breach in the news. He had just hosted a birthday party that weekend, and the pizza was ravished by all of his friends. Did someone get his account details by any chance?

Photo: Getty ImagesPhoto: Getty Images

His fears came true when he read about how the Dark Web sold this stolen data from data breaches for a cheap US $5 (that's less than Rs 400). Someone had used his card (before he could block it), changed the password, and accessed his account from another device. Now he couldn’t even access the app.

Photo: Getty ImagesPhoto: Getty Images


This problem is faced by millions in the world and has a multifold impact because data breaches like this feel scary. No one in their right mind would want their private data public and more instances like this will make people lose trust. Loss of trust means loss of online sales in a world where everyone is moving towards online sales. No one wins in the end. Sure, saving your card details on platforms are convenient for your sales; but when these platforms face data breach, the risk to customers and the companies is huge! They lose reputation and are required to face legal and financial repurcussions. Not to mention the threat of possible blackmail.

RBI, India's official money protector. Photo: Getty ImagesRBI, India's official money protector. Photo: Getty Images

So RBI, the official money protector of India, has come up with a new guideline where e-commerce companies will not save card details on their platform.


Till date, we all keyed in our card details on platforms and payment gateways (like Amazon) and then used it for our subsequent purchases because they were our "Saved Cards" and details of our card number, CVV and OTP were already saved.

Going forward, banking companies will use a 'tokenisation' system to make online payments where token numbers will be saved instead of card numbers.

Photo: Getty ImagesPhoto for representation: Getty Images

As per the system, payment gateways and platforms cannot save your card details any more. A unique token will be generated when you transact the first time, and this token will be saved on your shopping platform. Your unique token will be 'card-specific' and be relevant to one platform at a time. It will mask your card details and will also be available to specific devices that are selected by you. This saved token can be used for repeat payments.

So, users will have two modes of payment now:

  1. Before you buy an item, make a token and save it on the particular website for future use. Opt for tokenisation when you pay. 
  2. Or enter your card details every time you buy stuff off the internet.  


How Tokenization will work. Photo:Getty ImagesHow Tokenisation will work. Photo: Wikipedia

  1. You go on your merchant website (Domino's, for example) when you place your order and opt for tokenisation. Once you give consent for tokenisation, your merchant (Domino's) will forward the payment request to Visa or Mastercard (i.e., your card network). 
  2. A 16-digit token is generated by Visa or Mastercard (that resembles your card number) and sent back to Domino's, which will be saved for you on the Domino's portal by Domino's. Now, the next time you come back to shop, just select this saved token at the time of checkout, enter your OTP and CVV to approve, and complete your transaction.
  3. You will see the same masked card details and last four digits of your card number. You won't need to remember your token and your shopping experience won't change. Except, it will be a little safer. 

 Online transactions are changing. Photo: Getty ImagesOnline transactions are changing. Photo: Getty Images


A token number is unique for each website and will be available for a set device only. So, even if your friends know your token number, they need your device for the same. So that reduces the risk portion.


A person will have one token for one card, and a different one for each merchant. An ICICI card, for example, will have one token for Amazon purchases, another token for Myntra purchases and another for Flipkart.

If you have many cards, there will be a dashboard on the bank website to indicate the list of tokens and the respective merchants that use the same. You may delete the tokenised cards of websites you do not use frequently. If your card gets expired or replaced, you can visit the page of the merchant and create a fresh token for the new card.

Do you think this is safe enough?


Akshata Kamath Akshata Kamath @akshispublished

Akshata Kamath is a Digital Storyteller at DailyO. She loves to simplify Finance, Business, Healing and History.

Like DailyO Facebook page to know what's trending.