Credit Card Tokenization Explained: RBI’s 2022 Rules + Why You Keep Re-Saving Your Card
In short: Since 1 October 2022, RBI rules forbid merchants and payment aggregators (Amazon, Flipkart, Swiggy, etc.) from storing your actual credit card number (PAN), CVV, or expiry. Instead, they store a token — a unique 16-digit identifier issued by Visa / Mastercard / RuPay / Amex that maps back to your card only on their secure servers. Each merchant gets a different token for the same card. This is why every major Indian merchant asked you to “re-save your card” in late 2022, and why a card replacement now silently invalidates your saved cards on every merchant. The framework dramatically reduces fraud — even if a merchant's database is leaked, the leaked tokens are useless elsewhere — but it created new operational quirks that this guide explains.
What Actually Changed in October 2022
Before October 2022, every Indian merchant could store your full 16-digit card number, expiry, and (in some cases) CVV on their servers. When you came back to Amazon to buy something, your card auto-filled. Convenient — but every merchant's database was a fat fraud target.
The 2019–2020 wave of database leaks (Mobikwik, Domino's India, JusPay, and several others) leaked tens of millions of card-on-file records. RBI's response, after multiple deferrals, was the Card-on-File Tokenization (CoFT) framework, enforced from 1 October 2022.
Under CoFT, merchants and payment aggregators are prohibited from storing:
- Card number (PAN)
- CVV
- Card expiry
- Cardholder name (in some interpretations; this is uneven across merchants)
Instead, they store a token — a 16-digit string that looks like a card number but is generated by the card network (Visa / Mastercard / RuPay / Amex) for that specific merchant. The token has no value outside the merchant who holds it.
How Tokenization Actually Works (Step by Step)
- You make a purchase at, say, Amazon.in for the first time after Oct 2022. Amazon's checkout page now asks you to “save card for future use” with a checkbox. If you tick it, Amazon initiates a tokenization request to your card network (Visa / Mastercard).
- Card network creates a unique token. Visa generates a 16-digit token specifically for the combination [your card + Amazon]. This token is sent to Amazon. The mapping [token ↔ your real card] is stored only on Visa's secure servers and your issuing bank's servers.
- You authenticate via OTP. Your bank sends an OTP. Entering it confirms you authorise Amazon to receive a token mapped to your card.
- Amazon stores the token (not your card number). Their database now has only the token + masked last-4 digits for display.
- Next purchase: Amazon sends the token (not your card number) to the payment network. Network looks up which actual card it maps to, routes the transaction to your bank, gets approval, and completes the purchase. From your perspective, it feels identical to before — but the underlying data flow is fundamentally different.
Why Tokens Are Merchant-Specific (And Why You Keep “Re-Saving”)
This is the most-misunderstood part. The token generated for your card at Amazon is different from the token generated for the same card at Flipkart. If Amazon's servers were leaked tomorrow, the leaked tokens would be useless at Flipkart, Swiggy, or anywhere else.
The practical consequence: when you get a replacement card (lost, expired, upgrade), your card number changes. The bank issues new tokens to replace the old ones, but only for active merchants where you have provided new authentication. Old tokens at merchants you have not visited recently silently invalidate. You have to “re-save” your card at each merchant the next time you transact there.
This is also why migrating from a Regalia to a Diners Black, or from an Axis Magnus to Atlas, requires re-tokenizing across every merchant — there is no “transfer” of tokens.
Why this is actually good for you: A token leak at a single merchant exposes only your token-at-that-merchant. Your card itself remains safe. Pre-2022, a single Mobikwik-scale leak would have exposed your card across the internet. Now, your card's fraud surface is segmented by merchant.
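The five-step flow above and the merchant-binding property can be seen end to end in a small simulation. This is an added example, not code from RBI, any card network, bank or merchant: the class names (NetworkTokenVault, IssuerBank, Merchant), the "4900" token BIN and the sample PAN are assumptions made for the illustration, and the OTP is returned to the caller only so the demo can replay it. It shows two different tokens being minted for the same card at two merchants, a token leaked from one merchant being declined at the other, and a card replacement killing every token for the old card at once.

```python
"""Toy model of RBI card-on-file tokenization (CoFT). Added illustration only."""
import hmac
import secrets
from dataclasses import dataclass

SAMPLE_PAN = "4111222233334444"   # constructed test PAN, not a real account
SAMPLE_EXPIRY = "12/27"
TOKEN_BIN = "4900"                # assumed token BIN, matching the article's table


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit, so a token passes the same basic format checks as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str
    expiry: str
    merchant_id: str
    active: bool = True


class IssuerBank:
    """Simulated issuing bank: step 3, the OTP that authorises token creation."""
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def send_otp(self, pan: str) -> str:
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[pan] = otp
        return otp                # really sent by SMS; returned here for the demo

    def verify_otp(self, pan: str, otp: str) -> bool:
        expected = self._pending.pop(pan, None)   # single use
        return expected is not None and hmac.compare_digest(expected, otp)


class NetworkTokenVault:
    """Simulated card network: the only place the token -> PAN mapping lives."""
    def __init__(self, issuer: IssuerBank) -> None:
        self._issuer = issuer
        self._tokens: dict[str, TokenRecord] = {}

    def create_token(self, pan: str, expiry: str, merchant_id: str, otp: str) -> str:
        if not self._issuer.verify_otp(pan, otp):
            raise PermissionError("OTP failed: token not issued")
        while True:               # step 2: random token bound to [card + merchant]
            body = TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(11))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                break
        self._tokens[token] = TokenRecord(pan, expiry, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount: int) -> tuple[bool, str]:
        """Step 5: de-tokenize, but only for the merchant the token was issued to."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id:
            return False, "token not bound to this merchant"
        if not rec.active:
            return False, "token invalidated; re-save the card"
        return True, f"approved {amount} on card ending {rec.pan[-4:]}"

    def replace_card(self, old_pan: str) -> int:
        """Card reissued with a new PAN: every token for the old PAN dies, everywhere."""
        hit = [r for r in self._tokens.values() if r.pan == old_pan and r.active]
        for r in hit:
            r.active = False
        return len(hit)


class Merchant:
    """Post-CoFT merchant store: token plus last four digits only, never PAN/CVV/expiry."""
    def __init__(self, merchant_id: str, network: NetworkTokenVault) -> None:
        self.merchant_id, self._network = merchant_id, network
        self.saved: dict[str, tuple[str, str]] = {}   # customer -> (token, last4)

    def save_card(self, customer: str, pan: str, expiry: str, otp: str) -> str:
        token = self._network.create_token(pan, expiry, self.merchant_id, otp)  # steps 1 and 4
        self.saved[customer] = (token, pan[-4:])      # PAN is forwarded, not retained
        return token

    def charge(self, customer: str, amount: int) -> tuple[bool, str]:
        return self._network.authorize(self.saved[customer][0], self.merchant_id, amount)


def demo() -> dict:
    """Walk the article's scenario and return the observations."""
    bank, out = IssuerBank(), {}
    network = NetworkTokenVault(bank)
    amazon, flipkart = Merchant("amazon.in", network), Merchant("flipkart.com", network)
    t_amz = amazon.save_card("arun", SAMPLE_PAN, SAMPLE_EXPIRY, bank.send_otp(SAMPLE_PAN))
    t_fk = flipkart.save_card("arun", SAMPLE_PAN, SAMPLE_EXPIRY, bank.send_otp(SAMPLE_PAN))
    out["tokens_differ"] = t_amz != t_fk and luhn_valid(t_amz) and luhn_valid(t_fk)
    out["amazon_ok"] = amazon.charge("arun", 499)[0]
    # Simulated Amazon database leak: the stolen token replayed at Flipkart.
    out["replay"] = network.authorize(t_amz, "flipkart.com", 999)
    out["invalidated"] = network.replace_card(SAMPLE_PAN)   # card replacement
    out["after_replace"] = amazon.charge("arun", 499)
    return out
```

Running `demo()` returns `tokens_differ=True`, `replay=(False, "token not bound to this merchant")`, `invalidated=2` and a declined `after_replace`, which is exactly the re-save prompt the article describes. The token is random and bound to the merchant in the vault; it is never derived from the PAN, so holding the token tells a thief nothing about the card.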
Visualizing the Difference
| What merchant sees / stores | Pre-Oct 2022 | Post-Oct 2022 (Tokenized) |
|---|---|---|
| Card number | 4111-2222-3333-4444 (full) | Token: 4900-XXXX-XXXX-7890 (merchant-specific, useless elsewhere) |
| CVV | 123 | Not stored — requested fresh OR omitted via tokenized flow |
| Expiry | 12/27 | Not stored — included in token |
| Cardholder name | ARUN P SINGH | Stored only for display |
| If breached | Card usable anywhere on internet | Token usable only at this specific merchant; merchant detects + revokes |
Where You See Tokenization in Action
- E-commerce checkout: Amazon, Flipkart, Myntra, BigBasket, etc. — your saved card now shows as “•••• 1234” with no expiry/CVV fields auto-filled.
- Food delivery / cab apps: Swiggy, Zomato, Uber, Ola — tokenized for in-app payments.
- Subscriptions: Netflix, Hotstar, Spotify, JioSaavn — recurring debit flows use tokens (combined with the AFA framework for amount-based authentication).
- Bill aggregators: CRED, Paytm Bill Payments, PhonePe Pay — tokenize cards added for bill payment.
- Payment gateways for SMEs: Razorpay, Cashfree, Instamojo — tokenize behind the scenes when their merchants offer “save card” functionality.
If you tap “save card” anywhere and complete the OTP step, you have created a token.
Annual Re-Authentication on Some Tokens
The RBI framework does not mandate annual re-authentication, but some issuing banks (HDFC notably) implement an internal annual re-validation of tokens. You will be asked to re-authenticate the saved card at a particular merchant once per year via OTP. This is a bank-level policy, not an RBI rule.
Tokens are also automatically invalidated when:
- The card is replaced (new card number)
- The card is closed or blocked
- The card expires (and the token expiry is not renewed)
- You explicitly delete the saved card on the merchant's app
Tokens and International Transactions
Initially in 2022, tokens were valid only for domestic transactions. RBI expanded the framework progressively, and by 2024 most international merchants (Amazon US, Apple, Google, AWS) accept tokens for stored-card flows. However, two caveats remain:
- Some smaller international merchants do not yet integrate with Indian token vaults. They still require full card details — typed manually, not stored — for each transaction.
- 3D Secure / AFA layer on international transactions is separate from tokenization. You may still see an OTP for first-time international purchases even with a saved tokenized card.
See our auto-debit and AFA guide for how the recurring-debit framework interacts with tokens on international subscriptions.
When Tokenized Saved Cards Fail (And the Fix)
Failure: “Card has been updated; please re-save”
Most common message after a card replacement. Fix: re-enter your card details in the merchant's saved-cards section and complete the OTP. The token is recreated.
Failure: Annual re-validation lapsed
Bank's internal annual review revoked the token because you did not transact at this merchant for >12 months. Fix: same as above — re-enter and re-authenticate.
Failure: Card declined despite token valid
Token is fine but bank declined for another reason (insufficient limit, fraud rule, AFA threshold for amount). Check your card limit and recent transactions.
Failure: Saved card disappears entirely from merchant
Some merchants periodically purge inactive tokens. The card is simply no longer in your saved-cards list. Re-save when you next transact.
Managing Your Tokens Across Merchants
Unfortunately, there is no centralised “see all tokens for my card” dashboard — each merchant manages tokens independently. To delete a token:
- At the merchant: Account settings → Saved cards → Delete. Removes the token from the merchant's record.
- At the bank: Some banks (HDFC, ICICI) let you view “Merchants with saved card details” in the card app. You can revoke tokens individually.
- Replace the card: If you suspect token compromise at a merchant, request a card replacement. New card number means new tokens needed across all merchants — effectively a nuclear reset.
Pro tip: Once a year, audit your saved-card list at your top-5 merchants (Amazon, Flipkart, Swiggy/Zomato, Uber/Ola, Netflix). Delete tokens at merchants you no longer use. This reduces your fraud surface for free.
Benefits and Residual Risks
What tokenization solved
- Single merchant breach no longer compromises card across entire internet
- Lost / stolen merchant credentials cannot be used to make charges on other sites
- Reduced “fraud-by-data-leak” attacks dramatically
What tokenization did NOT solve
- Phishing — if you give your card number to a scam site, tokenization does not help
- SIM swap fraud + OTP interception — first-time token creation needs OTP, so a SIM-swap attacker could still create a fraudulent token
- Compromised merchant could still process token transactions until the merchant itself detects + revokes
- Account takeover at the merchant (e.g., hacker logs into your Amazon and uses your saved card to buy items) — token still works for the legitimate cardholder's account
For full fraud-response protocol when something goes wrong, see our credit card fraud guide.
Frequently Asked Questions
Is tokenization the same as virtual cards?
No — different things. A virtual card is a separate card number (with its own CVV/expiry) issued by your bank that links to your primary account. A token is created by the card network for a specific merchant relationship. Some neo-banks (HDFC NetSafe, ICICI Pockets, OneCard) offer “virtual cards on demand” for one-time transactions; this is different from CoFT tokenization.
Can I see my actual card number on a merchant that has tokenized it?
No. The merchant sees only the masked last 4 digits and the token. Full card number is shown only on your physical/digital card from your bank.
Does tokenization apply to debit cards too?
Yes. The CoFT framework applies to credit cards, debit cards, and prepaid cards uniformly.
Why was Amazon showing my old card number even after I got a replacement?
Old tokens have a grace period before invalidation. Your old card's token at Amazon may still display for some weeks. Eventually, it stops working — at which point you re-save with the new card.
If I lose my phone, are my tokens compromised?
Not directly. Tokens are tied to your card + merchant, not your phone. However, if your bank-app login on the phone is unprotected, the attacker could initiate token creation requests. Always use a device passcode + biometric on bank apps.
Can my tokens be transferred to a new card I get from the same bank?
Not automatically. The new card has a different card number, which means new tokens. You have to re-save on each merchant. Inconvenient but necessary for the security model.
Sources
- RBI Card-on-File Tokenisation (CoFT) framework — original guidelines dated 7 September 2021
- RBI deferrals notifications dated 23 December 2021 and 8 July 2022
- RBI Master Direction on Credit Card and Debit Card – Issuance and Conduct Directions
- Visa, Mastercard, RuPay tokenization architecture documentation
- Bank-specific token management interfaces (HDFC, ICICI, SBI Card, Axis)