Tokenisation, and the day your card number stopped leaving its bank.
A reading of the RBI’s card-on-file tokenisation mandate, and the curious architecture of issuer-led tokenisation.
For most of the digital payment era, a card transaction in India worked the way it did everywhere else: the merchant stored the customer's card number, expiry, and a few related fields, and used them to charge subsequent transactions. The arrangement was convenient for recurring payments, for one-click checkouts, for subscriptions, and for the small army of food-delivery and streaming platforms that the country's middle class had developed a quiet addiction to. It was also, in security terms, a thirty-year-old idea wearing a suit.
In a series of circulars beginning in 2020 and culminating in the October 2022 mandate, the Reserve Bank of India prohibited merchants and payment aggregators from storing the actual card details of any cardholder. The mandate gave the industry a token-based alternative. The card issuer — the bank or the card network — would generate, on the customer's authorisation, a token: a string of digits that looked like a card number but was useful only at the specific merchant that had requested it. The merchant would store the token. The actual card number would never leave the issuer.
Issuer-led, by design
The architecture is what the industry calls issuer-led tokenisation, and it differs in design from the network-led tokenisation that prevails in much of the rest of the world. Under network-led tokenisation, the card network — Visa, Mastercard, RuPay — operates a token vault, and merchants tokenise directly with the network. Under issuer-led tokenisation, the issuing bank operates the vault, and the network simply transports the token. The Indian regime is hybrid in practice; the regulatory preference is for issuer-led.
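As an added illustration, not part of the original essay and not the code of any bank, network or regulator: a small Python model of the mechanism the two paragraphs above describe. The issuer's vault mints a token that passes the same Luhn check a card number does but is bound to one merchant; the merchant stores only the token, the expiry and the last four digits it shows the customer; and the vault refuses to resolve the token for any other merchant, which is what makes a stolen merchant database worthless. The vault class, merchant store, merchant identifiers and the token BIN prefix are all constructed for the example, and the network that transports the token between merchant and issuer is not modelled.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIGITS = "0123456789"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost digit of `partial` is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


class IssuerTokenVault:
    """Constructed model of the issuer-operated vault. PANs live here and nowhere else;
    each token is recorded together with the single merchant it was issued to."""

    def __init__(self, token_bin: str = "999999") -> None:  # hypothetical token BIN prefix
        self._token_bin = token_bin
        self._records: Dict[str, Tuple[str, str]] = {}  # token -> (pan, bound merchant)

    def tokenise(self, pan: str, merchant_id: str) -> str:
        """Mint a random, format-preserving token bound to `merchant_id`."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:
            body = self._token_bin + "".join(
                secrets.choice(DIGITS) for _ in range(15 - len(self._token_bin))
            )
            token = body + luhn_check_digit(body)  # looks like a card number
            if token != pan and token not in self._records:
                break
        self._records[token] = (pan, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str) -> Optional[str]:
        """Resolve a token to its PAN only for the merchant it was issued to."""
        record = self._records.get(token)
        if record is None or record[1] != merchant_id:
            return None  # domain restriction: unknown token or wrong merchant
        return record[0]


@dataclass
class StoredCard:
    token: str
    last4: str   # what the merchant's interface displays to the customer
    expiry: str


class MerchantCardStore:
    """The merchant side: holds tokens and display metadata, never the PAN."""

    def __init__(self, merchant_id: str, vault: IssuerTokenVault) -> None:
        self.merchant_id = merchant_id
        self._vault = vault
        self.cards: List[StoredCard] = []

    def save_card(self, pan: str, expiry: str) -> str:
        token = self._vault.tokenise(pan, self.merchant_id)
        self.cards.append(StoredCard(token, pan[-4:], expiry))
        return token

    def charge(self, token: str) -> bool:
        """True if the issuer resolves the token for this merchant."""
        return self._vault.detokenise(token, self.merchant_id) is not None

    def holds_pan(self, pan: str) -> bool:
        """Does any stored field equal the full card number?"""
        return any(pan in (c.token, c.last4, c.expiry) for c in self.cards)


def replayable_elsewhere(stolen: List[StoredCard], vault: IssuerTokenVault, other_merchant: str) -> int:
    """How many tokens from a breached store the issuer would resolve for a different merchant."""
    return sum(1 for c in stolen if vault.detokenise(c.token, other_merchant) is not None)


def demo() -> dict:
    test_pan = "4111111111111111"  # well-known test card number; constructed input
    vault = IssuerTokenVault()
    home = MerchantCardStore("merchant-A", vault)  # constructed merchant identifiers
    token = home.save_card(test_pan, "12/27")
    return {
        "token_is_luhn_valid": luhn_valid(token),
        "token_differs_from_pan": token != test_pan,
        "pan_in_merchant_store": home.holds_pan(test_pan),
        "last4_shown": home.cards[0].last4,
        "charge_at_home_merchant": home.charge(token),
        "replayable_at_other_merchant": replayable_elsewhere(home.cards, vault, "merchant-B"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is random rather than derived from the card number, so nothing in the merchant's store can be reversed into a PAN; the merchant-binding check in `detokenise` is the whole of the security argument, and in a real deployment it is the issuer's (or, under the network-led model, the network's) vault that enforces it.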
The convenience of stored card numbers was, it turned out, a convenience built on the assumption that nobody was looking.
The transition was bumpy. The October 2022 mandate took effect after two postponements, and even then, several large merchants found their authentication flows broken for a few days. The customer's experience, where it worked, was largely unchanged: a saved card on a familiar platform continued to work, the card details displayed in the merchant's interface continued to show the last four digits, and the underlying checkout flow continued to require only a one-time password. What had changed, invisibly, was that the digits stored on the merchant's servers were no longer the customer's card number.
What it left behind
The longer consequence of the mandate is structural. A merchant that has been breached, in 2026, has nothing of value to an attacker to lose: the tokens in his database are useless to anyone except him. The customer's card number, in the meantime, sits where it always should have — at the issuer, in the vault, under the supervision of the regulator that authorised the issuer in the first place. It is the kind of architectural change that no individual customer notices, and that, over a few years, makes the difference between a card economy that recovers from breaches and one that does not.
