RBI Card Tokenisation Rules: What Users Must Know in 2026
Disclaimer: The information is shared in good faith and for general informational purposes only. Ujjivan SFB does not make any representations or warranties regarding the accuracy, completeness, or reliability of the content.
December 16, 2025
If you shop online, pay on apps, or keep your card “saved” on your favourite platforms, RBI’s card tokenisation rules are the reason your card experience looks different today than it did a few years ago. In simple terms, RBI pushed the system away from websites storing your real card number and towards a safer substitute called a token. That change is already in effect.
So why talk about this in 2026? Because tokenisation is only one part of safer card payments. The next big layer is how payments get authenticated (how the system confirms it’s really you), and RBI’s newer directions require the ecosystem to be compliant by April 1, 2026.
This guide explains what tokenisation is, what it changed for “saved cards,” what you can control as a user, and what to expect as authentication rules tighten in 2026.
Why do “saved cards” still feel confusing in 2026?
This is because the idea of a saved card stayed the same, but what information gets saved has changed.
Earlier, many apps and websites stored your card details (called “Card-on-File or CoF”). RBI’s direction was clear. Starting from October 1, 2022, no entity in the card payment chain other than card issuers and/or card networks should store Card-on-File data, and any previously stored data should be purged or removed.
That’s why, on many platforms, you had to “save” your card again, or re-confirm it. What you saved after that was usually a token of your actual card.
What is RBI's card tokenisation?
RBI’s card tokenisation means your actual card details are replaced with an alternate code called a token. That token is not random in a loose way. Token is a unique code generated from a combination of:
Think of it like this. You didn’t “save your card number” on a shopping app. You saved a safe substitute that works for that specific setup.
Is Card Tokenisation Compulsory for Users?
The Reserve Bank of India (RBI) has clearly stated that tokenisation is not mandatory for customers. And, customers will not incur any charges associated with the tokenisation process.
However, many platforms will strongly encourage tokenisation because it makes repeat payments smoother without storing your real card number.
Who Can Store What, and What Exactly Got Banned?
This is the heart of the RBI change. RBI’s directions around “Card-on-File” storage state that no entity in the card transaction/payment chain (other than the card issuer and/or card network) shall store CoF data, and any previously stored data should be purged.
RBI also clarified that for tracking/reconciliation, entities can store limited info like last four digits and the card issuer’s name.
So, when you see a saved card displayed as “XXXX-XXXX-XXXX-1234”, that’s the kind of limited reference that can exist without storing your full card details.
How Does RBI's Card Tokenisation Happen When You “save” a Card?
Card tokenisation typically happens when you tap “save card” or “securely save card” during checkout.
Tokenisation happens when the cardholder initiates a request on the token requester's app, and the request is forwarded to the card network (with issuer consent) to issue the token.
Another important part: registration for tokenisation must be done only with explicit customer consent, and it requires Additional Factor of Authentication (AFA) validation by the card issuer.
That’s why you may see an OTP prompt when saving a card—even if it feels like “I’m not paying yet.”
Why Do Users Still Get OTP Sometimes If the Card is Tokenised?
It is because card tokenisation and authentication are two different safety locks.
So tokenisation doesn’t mean “no OTP forever.” It mainly means “your card number is not sitting in merchant databases.”
Tokenisation vs Authentication
| Topic | What it does | What you’ll notice |
| Tokenisation | Replaces real card details with a token | “Saved card” still works, but your full card number isn’t stored with the merchant |
| Authentication (2026 focus) | Confirms it’s really you making the payment | OTP/PIN/biometric prompts may remain; risk checks may increase for unusual transactions |
What Happens When You Change Your Phone or Your Card Gets Replaced?
This is where tokenisation feels “annoying,” but it’s actually expected. RBI’s own framing explains tokenisation can be device-linked (card + token requestor + device). So a new device can mean you need to tokenise again.
Also, RBI’s CoFT circular notes that when a card is renewed or replaced, the issuer should seek explicit consent for linking it with merchants where the card was earlier registered. So if a platform asks you to re-confirm a saved card after a card reissue, that’s consistent with how RBI designed the flow.
Which Myths Should Users Stop Believing?
Myth 1: “Tokenisation means no OTP”
Not true. Tokenisation reduces where your card number is stored; authentication still protects the approval step
Myth 2: “Merchants still have my full card number anyway”
RBI requires that merchants/PAs should not store actual CoF data (other than issuer/network)
Myth 3: “One saved card works everywhere the same way”
Tokens are issued in a specific context (card + token requestor + device, and for CoFT also merchant combinations)
Final Thoughts
RBI's card Tokenisation quietly changed the back-end of card payments. Your “saved card” is now usually a token, not your real card number sitting on a merchant server, and RBI expects non-issuer/non-network entities to stay away from storing actual card data.
What 2026 new guidelines adds is a stronger push on authentication. The ecosystem must be compliant by April 1, 2026, and you should expect verification to remain a real part of online payments, especially when a transaction looks unusual.
Disclaimer:
The contents herein are only for informational purposes and generic in nature. The content does not amount to an offer, invitation or solicitation of any kind to buy or sell, and are not intended to create any legal rights or obligations. This information is subject to updation, completion, amendment and verification without notice. The contents herein are also subject to other product-specific terms and conditions, as well as any applicable third-party terms and conditions, for which Ujjivan Small Finance Bank assumes no responsibility or liability.
Nothing contained herein is intended to constitute financial, investment, legal, tax, or any other professional advice or opinion. Please obtain professional advice before making investment or any other decisions. Any investment decisions that may be made by the you shall be at your own sole discretion, independent analysis and evaluation of the risks involved. The use of any information set out in this document is entirely at the user’s own risk. Ujjivan Small Finance Bank Limited makes no representation or warranty, express or implied, as to the accuracy and completeness for any information herein. The Bank disclaims any and all liability for any loss or damage (direct, indirect, consequential, or otherwise) incurred by you due to use of or due to investment, product application decisions made by you on the basis of the contents herein. While the information is prepared in good faith from sources deemed reliable (including public sources), the Bank disclaims any liability with respect to accuracy of information or any error or omission or any loss or damage incurred by anyone in reliance on the contents herein, in any manner whatsoever.
To know more about Ujjivan Small Finance Bank Products Visit:"https://www.ujjivansfb.bank.in"
All intellectual property rights, including copyrights, trademarks, and other proprietary rights, pertaining to the content and materials displayed herein, belong
to Ujjivan Small Finance Bank Limited or its licensors. Unauthorised use or misuse of any intellectual property, or other content displayed herein is strictly prohibited and the same is not intended for distribution to, or use by, any person in any jurisdiction where such distribution or use would (by reason of that person’s nationality, residence or otherwise) be contrary to law or registration or would subject Ujjivan Small Finance Bank Limited or its affiliates to any licensing or registration requirements.
