Cards, Wallets, and the Tokenisation Revolution: How India Secured Digital Payments

In the summer of 2020, a data breach at an Indian payment aggregator exposed the card numbers, expiry dates, and CVVs of nearly 3.5 million customers. The stolen data surfaced on the dark web within days. For the Reserve Bank of India, this was the scenario it had been trying to prevent since at least January 2019, when it first introduced a tokenisation framework for card transactions. Two years and multiple deadline extensions later, the RBI would make one of its most consequential payment security decisions: no entity in the card transaction chain — not the merchant, not the payment gateway, not the aggregator — could store actual card data. Period.

That decision, and the regulatory architecture around digital wallets and domestic card networks that accompanied it, reshaped how 900 million Indian cardholders transact online.

Also in this series:
- Digital Payments & UPI: The Complete Timeline
- Payment Systems: NEFT, RTGS, and the PA/PG Framework
- Cyber Security & IT Framework

Why did the RBI ban merchants from storing card numbers?

The answer is disarmingly simple: because merchants kept getting hacked.

Every time a customer saved a card on an e-commerce platform for future purchases — so-called "Card-on-File" or CoF storage — the merchant held the actual card number, expiry date, and sometimes even the CVV. Multiply this across thousands of merchants and payment intermediaries, and the attack surface was enormous. As the RBI explained in its June 2022 press release:

"Currently, many entities, including merchants, involved in an online card transaction chain store card data like card number, expiry date, etc. [Card-on-File (CoF)] citing cardholder convenience and comfort for undertaking transactions in future. While this practice does render convenience, availability of card details with multiple entities increases the risk of card data being stolen/misused." (RBI Press Release, June 24, 2022)

The RBI's reasoning went further than domestic fraud. Because many foreign jurisdictions do not mandate Additional Factor of Authentication for card transactions, stolen Indian card data could be used for unauthorised purchases abroad — where no OTP or PIN would be required. That cross-border vulnerability made the Indian card ecosystem uniquely exposed.

How did tokenisation replace card storage?

Tokenisation works by replacing the actual card number with a unique surrogate value — a "token" — for each combination of card, token requestor (the merchant or app), and device. If a merchant's database is breached, the attacker gets tokens that are useless anywhere else.
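The property described above, as an added illustration that is not part of the original article or any RBI or card-network code: a hypothetical token service provider issues a random surrogate bound to (card, token requestor, device), the merchant keeps only the token and last four digits, and a token lifted from one merchant's database does not resolve for another requestor. Class and function names are assumptions; the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRecord:
    pan: str
    expiry: str
    requestor_id: str   # the merchant or app the token was issued to
    device_id: str      # the device the token is bound to

class TokenServiceProvider:
    """Hypothetical TSP: the role the circulars give card networks and, since 2023, issuers."""
    def __init__(self):
        self._vault: dict[str, TokenRecord] = {}

    def tokenise(self, pan, expiry, requestor_id, device_id):
        # Random surrogate: nothing about the PAN is derivable from the token itself.
        token = "TKN" + secrets.token_hex(8)
        self._vault[token] = TokenRecord(pan, expiry, requestor_id, device_id)
        return token

    def detokenise(self, token, requestor_id, device_id):
        # Domain restriction: a token resolves only for the requestor/device it was issued to.
        rec = self._vault.get(token)
        if rec is None or rec.requestor_id != requestor_id or rec.device_id != device_id:
            return None
        return rec.pan, rec.expiry

class Merchant:
    """CoFT merchant: stores token plus last four digits, never the PAN, expiry or CVV."""
    def __init__(self, requestor_id, tsp):
        self.requestor_id, self.tsp, self.card_on_file = requestor_id, tsp, {}

    def save_card(self, customer, pan, expiry, device_id):
        token = self.tsp.tokenise(pan, expiry, self.requestor_id, device_id)
        self.card_on_file[customer] = {"token": token, "last4": pan[-4:], "device": device_id}

    def charge(self, customer, device_id):
        rec = self.card_on_file[customer]
        return self.tsp.detokenise(rec["token"], self.requestor_id, device_id)

def breach_demo():
    """Returns (PAN present in merchant DB?, leaked token usable at another merchant?, legitimate charge works?)."""
    tsp = TokenServiceProvider()
    shop_a, shop_b = Merchant("shop-a", tsp), Merchant("shop-b", tsp)
    pan = "4111111111111111"                       # constructed test PAN, not a real card
    shop_a.save_card("alice", pan, "12/27", "phone-1")
    leaked = dict(shop_a.card_on_file)             # simulate shop A's database being exposed
    pan_in_db = any(pan in str(v) for v in leaked.values())
    elsewhere = tsp.detokenise(leaked["alice"]["token"], shop_b.requestor_id, "phone-1")
    return pan_in_db, elsewhere is not None, shop_a.charge("alice", "phone-1") == (pan, "12/27")
```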

The regulatory chain began on January 8, 2019, when the RBI issued the foundational Tokenisation – Card Transactions circular, permitting authorised card networks to offer tokenisation services. This first iteration was limited to mobile phones and tablets — why the restriction? Because NFC-based contactless payments on phones were the fastest-growing use case, and the RBI wanted to secure the channel with the highest momentum first.

By August 2021, the scope was extended to laptops, desktops, wearables, and IoT devices through Tokenisation – Card Transactions: Extending the Scope of Permitted Devices. A month later, the September 2021 circular opened up Card-on-File Tokenisation (CoFT) — allowing tokens to replace stored card numbers on merchant websites and apps.

Then came the enforcement hammer. On December 23, 2021, the RBI issued its Restriction on Storage of Actual Card Data, ordering all entities in the payment chain to purge stored card data by June 30, 2022.

Why was the deadline extended three times?

The original card storage ban was supposed to take effect on June 30, 2021. It did not. The RBI pushed it to December 31, 2021, then to June 30, 2022, and finally to October 1, 2022 — via the July 28, 2022 circular. Why three extensions?

Because tokenisation required rebuilding the plumbing. E-commerce companies, subscription services, and recurring payment platforms had all been built around stored card numbers. EMI options, chargeback handling, loyalty programmes, dispute resolution — all of these workflows assumed access to the actual card number. Replacing that with a token meant every downstream process had to be re-engineered.

"In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently use CoF data." (RBI Circular, December 23, 2021)

The extensions revealed a tension that runs through much of Indian payment regulation: the RBI sets aggressive security mandates, the industry requests more time, and the regulator balances systemic safety against operational disruption. By October 2022, the purge was final. In December 2023, the RBI went further with CoFT – Enabling Tokenisation through Card Issuing Banks, allowing banks themselves to act as token service providers — cutting card networks out of a step and giving issuers direct control over the tokenisation process.

What are Prepaid Payment Instruments, and why does the RBI tier them by KYC?

Prepaid Payment Instruments — digital wallets like Paytm Wallet, PhonePe Wallet, and Amazon Pay — are regulated under the Master Direction on Issuance and Operation of PPIs, first issued October 11, 2017 and updated through November 2020. The Master Direction replaced earlier piecemeal guidelines and consolidated everything: issuance, loading, redemption, closure, and the KYC requirements that determine what a wallet can do.

The tiering is driven by anti-money laundering logic. A limited-KYC wallet — where the holder provides only a mobile number and self-declaration — caps at Rs 10,000. A full-KYC wallet, verified against government-issued identity documents, permits balances up to Rs 2 lakh. Why the gap? Because higher balances create higher AML risk. A wallet holding Rs 2 lakh that can transfer money to any bank account is functionally a bank account; it demands the same identity verification a bank account requires.

The Rs 2 lakh ceiling was itself an increase. Until May 2021, full-KYC PPIs were capped at Rs 1 lakh. The RBI raised the limit through its May 19, 2021 circular — the same circular that mandated interoperability and permitted cash withdrawals from non-bank wallets.

Why did the RBI force wallets to become interoperable?

Before the interoperability mandate, digital wallets were walled gardens. Money loaded into a Paytm wallet stayed in the Paytm ecosystem. You could not send funds from Paytm to PhonePe, or from Amazon Pay to a bank account, without first withdrawing to your linked bank. This created precisely the kind of closed-loop trap that the RBI had been dismantling across the payment system since UPI launched in 2016.

The May 2021 interoperability circular made the mandate explicit: all full-KYC PPIs must be interoperable. Wallet-to-wallet transfers, wallet-to-merchant payments via UPI, and wallet-to-bank-account transfers all became mandatory capabilities. By December 2024, the RBI extended this further, issuing directions for UPI access for PPIs through third-party applications — meaning a wallet could be accessed through any UPI app, not just the issuer's own app.

Why does interoperability matter so much to the RBI? Because without it, customer funds are effectively locked. A wallet that cannot interoperate with the broader payment system is not a payment instrument — it is a gift card. The regulator's consistent position, across UPI, NEFT, and now PPIs, is that payment systems must be open networks. Closed ecosystems benefit the platform; open ones benefit the customer.

How does RuPay fit into the card ecosystem?

RuPay, India's domestic card network launched by the National Payments Corporation of India (NPCI), was not born from market demand. It was born from policy. The RBI and the Government of India promoted RuPay for three interconnected reasons: reducing dependence on Visa and Mastercard for domestic transactions, lowering interchange costs that merchants bear on every card payment, and enabling financial inclusion through the Pradhan Mantri Jan Dhan Yojana — under which every new bank account came bundled with a RuPay debit card.

The financial inclusion angle is the most consequential. By 2025, over 530 million Jan Dhan accounts had been opened, nearly all of them carrying RuPay cards. For millions of first-time banking customers in rural India, RuPay was the first card they ever held. Because RuPay's interchange fees are lower than Visa and Mastercard's — and because the government periodically waives merchant discount rates on small-value RuPay transactions — the economics work for small merchants who would otherwise refuse to accept cards.

The tokenisation framework applies equally to RuPay. NPCI, as an authorised card network, offers tokenisation services under the same January 2019 circular that governs Visa and Mastercard.

What changed with the 2025 authentication directions?

On September 25, 2025, the RBI issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, overhauling the two-factor authentication framework that had governed all digital payments since its inception. The existing system relied almost entirely on SMS-based OTPs — a mechanism that, while familiar, was vulnerable to SIM-swap fraud and phishing. The 2025 Directions introduced a risk-based approach: issuers could now adopt alternative authentication factors — biometrics, device binding, passkeys — based on the risk profile of the transaction.

"All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor." (RBI Authentication Directions, September 25, 2025)

For contactless transactions — tap-to-pay at physical terminals — the RBI maintained the Rs 5,000 limit for transactions without PIN authentication. Why this specific threshold? It represents the regulator's calibration of the convenience-versus-security tradeoff: below Rs 5,000, the speed of a contactless tap outweighs the fraud risk; above it, a PIN is required as a second factor. The Payment Aggregator guidelines work in parallel, ensuring that the entities processing these transactions are themselves regulated and audited.

The amendment chain at a glance

Card tokenisation and CoF storage:
1. Tokenisation – Card Transactions (January 8, 2019) — original framework, mobile/tablet only
2. Extending the Scope of Permitted Devices (August 25, 2021) — laptops, desktops, wearables, IoT
3. Permitting Card-on-File Tokenisation (CoFT) (September 7, 2021) — tokens replace stored card numbers at merchants
4. Restriction on Storage of Actual Card Data (December 23, 2021) — deadline set, then extended
5. Restriction on Storage — Final Deadline (July 28, 2022) — October 1, 2022 cutoff
6. CoFT through Card Issuing Banks (December 20, 2023) — banks as token service providers

PPI regulation:
1. Master Direction on PPIs (October 11, 2017, updated through November 2020) — consolidated issuance and operation rules
2. PPI Interoperability, Limit Increase, Cash Withdrawal (May 19, 2021) — full-KYC wallets made interoperable, ceiling raised to Rs 2 lakh
3. UPI Access for PPIs through Third-Party Apps (December 27, 2024) — wallets accessible via any UPI app

The November 2025 consolidation extended the digital banking channels framework across entity types, with separate directions for Commercial Banks (RBI_MD_13162), UCBs (RBI_MD_13034), RRBs (RBI_MD_13059), SFBs (RBI_MD_13135), Payments Banks (RBI_MD_13109), LABs (RBI_MD_13084), and Rural Co-operative Banks (RBI_MD_13008) — ensuring that the card, wallet, and tokenisation obligations apply uniformly regardless of the issuing entity type.

The through-line across both chains is the same: the RBI steadily eliminated the security shortcuts and closed ecosystems that digital payments had been built on, replacing them with open, tokenised, interoperable systems that protect the customer even when the merchant is compromised.

Last updated: April 2026

Written by Sushant Shukla