Background on Indian government regulations affecting card payments

Last updated: 27 June 2022

Recent changes to regulations from the Reserve Bank of India (RBI) impact your ability to accept payments seamlessly from India issued cards. More friction was introduced to payment flows which required card networks and issuing banks to overhaul their existing systems and infrastructure. While the industry has been adapting to these changes, some types of payments, like recurring payments, will permanently see higher rates of payment failures moving forward due to additional authorization requirements.

The best solution for Stripe users is to follow our impact assessment guide and prepare for these changes if required. Our guides for Stripe Billing users and direct payments users explain how to update your integration to comply with this regulation.

E-mandates for recurring payments

As of October 1, 2021, a holder of an India issued card needs to authorize merchants to deduct recurring charges through an e-mandate captured by the issuing bank. The cardholder should also be notified by the card issuer at least 24 hours before any charge is processed. Where the recurring charge is greater than 15,000 INR (~190 USD), the cardholder needs to authorize each additional payment individually. Cardholders can also easily revoke an e-mandate and choose to stop recurring payments to a business at any time through their bank.

These changes are about giving more control to cardholders, but also introduce significant friction to recurring payment flows that will result in more recurring payments being declined by issuing banks.  

Users will continue to experience a higher failure rate than pre-Oct 1 for several months. Success rates may never go back to pre-Oct 1 levels due to additional 2FA for > INR 15,000 transactions.

What should you do?

Using Stripe's solutions to comply with recurring payments regulation is the best way to prepare your business for these changes. Read our dedicated support article on this topic, and follow our guides for Stripe Billing users and direct payments users for more specific guidance.

Tokenization for card transactions

From 1 October 2022, only card issuers and card networks are permitted to store the card data of an India-issued card for transactions processed through payment service providers licensed by the RBI. The RBI requires payment aggregators (like Stripe India) to use network tokens for payment processing instead of the actual credit/debit card number.

These regulations mainly affect businesses based in India. Card networks have launched card-on-file (CoF) tokenization services to comply with these requirements.

Stripe has launched a solution to use network tokens for card payments from India-issued cards.

What should you do?

If you are a Stripe user based in India, you should:

  1. Plan to stop storing both credit and debit card data of India-issued cards on your own servers by 30 September 2022.

  2. Get consent from your customers to store and use network tokens for India-issued cards – you may need to update your terms of service with your customers to capture this consent.

For getting consent from your customers, if you don’t want to build your own consent flow, Stripe is launching Stripe Managed Tokenization Consent to automatically collect consent on behalf of your customers. Please see Guide for Indian government regulations on network tokenization for more details.

Use Stripe as your card vault – through our beta solution, we are well placed to offer a compliant solution, together with the card networks, to tokenize cards and use these tokens for payment processing. We will cover both one-off payments using saved card information as well as recurring payments.

As we're testing and scaling our solution with the card networks, we will migrate the card data that you need us to store, for both existing cards and new cards, to appropriate network tokens.

We do not currently offer the ability for you to request network tokens from Stripe and get them passed back for storage on your servers – also known as tokenization as a service. We are evaluating ways to offer this later in 2022 for users who wish to store customer tokens directly or use tokens from Stripe with other payment processing solutions.

Contact us if you have any questions related to tokenization.

Data localization

The RBI has stated that payment data for transactions processed through Indian payment service providers or intermediaries shall only be stored on databases and servers located within India. This applies to all card and non-card transactions processed by India service providers and intermediaries including all domestic transactions (i.e. both the business and cardholder are in India) as well as payments from foreign buyers to businesses in India.

Payment data includes: customer data (e.g. name, mobile number, email etc.), payment sensitive data (e.g. customer and beneficiary account details), payment credentials (e.g. OTP, PIN, Passwords, etc.), and transaction data (e.g. timestamp, amount, etc.).

Stripe is compliant with the RBI guidelines on data localization (also known as payment data storage guidelines).

What should you do?

If you are currently storing payment data of your India transactions on servers that are not based in India, we recommend you seek advice to determine if you need to purge this data to comply with the payment data storage guidelines.

You should also seek clarification from any third party payments/billing/financial services provider that you use about the status of their compliance with the RBI guidelines. They should not be storing payments data outside India. If they are storing this data outside of India, you should stop passing payments data on to them.

Reach out to us if you have more questions, or review our pricing to get started with our services in India.