Background on Indian government regulations affecting card payments

Changes to regulations from the Reserve Bank of India (RBI) affect your ability to accept payments seamlessly from India-issued cards. The changes introduced more friction into payment flows and required card networks and issuing banks to overhaul their existing systems and infrastructure. While the industry has been adapting to these changes, some types of payments, such as recurring payments, will permanently see higher rates of payment failures due to additional authorisation requirements.

The best solution for Stripe users is to follow our Impact assessment guide and prepare for these changes if required.

E-mandates for recurring payments

A holder of an India-issued card needs to authorise merchants to deduct recurring charges through an e-mandate captured by the issuing bank. The cardholder should also be notified by the card issuer at least 24 hours before any charge is processed. Where the recurring charge is greater than INR 15,000 (~USD 190), the cardholder needs to authorise each additional payment individually. Cardholders can also easily revoke an e-mandate and choose to stop recurring payments to a business at any time through their bank.

These changes are about giving more control to cardholders, but also introduce significant friction to recurring payment flows that will result in more recurring payments being declined by issuing banks.

What should you do?

Using Stripe's solutions to comply with the recurring payments regulation is the best way to prepare your business for these changes. Read our dedicated support document on this topic.

Tokenisation for card transactions

Only card issuers and card networks are permitted to store the card data of an India-issued card for transactions processed through payment service providers licensed by the RBI. The RBI requires payment aggregators (such as Stripe India) to use network tokens for payment processing instead of the actual credit/debit card number.

These regulations mainly affect businesses based in India. Card networks have launched card-on-file (CoF) tokenisation services to comply with these requirements.

Stripe has launched a solution to use network tokens for card payments from India-issued cards.

What should you do?

If you are a Stripe user based in India, you should:

  1. Stop storing both credit and debit card data of India-issued cards on your own servers.

  2. Obtain consent from your customers to store and use network tokens for India-issued cards – you may need to update your Terms of Service with your customers to capture this consent.

     In terms of obtaining consent from your customers, if you don't want to build your own consent flow, Stripe is launching Stripe Managed Tokenisation Consent to automatically collect consent on behalf of your customers. Please see our Guide for Indian government regulations on network tokenisation for more details.

  3. Use Stripe as your card vault – through our compliant solution, which we have created together with the card networks, we tokenise cards and use these tokens for payment processing. We cover both one-off payments using saved card information as well as recurring payments.

As we're testing and scaling our solution with the card networks, we will migrate the card data that you need us to store, for both existing cards and new cards, to appropriate network tokens.

We do not currently offer the ability for you to request network tokens from Stripe and get them passed back for storage on your servers – also known as tokenisation as a service.

Contact us if you have any questions related to tokenisation.

Data localisation

The RBI has stated that payment data for transactions processed through Indian payment service providers or intermediaries shall only be stored on databases and servers located within India. This applies to all card and non-card transactions processed by Indian service providers and intermediaries including all domestic transactions (i.e. both the business and cardholder are in India) as well as payments from foreign buyers to businesses in India.

Payment data includes: customer data (e.g. name, mobile number, email address etc.), payment-sensitive data (e.g. customer and beneficiary account details), payment credentials (e.g. OTP, PIN, passwords etc.) and transaction data (e.g. timestamp, amount etc.).

Stripe is compliant with the RBI guidelines on data localisation (also known as payment data storage guidelines).

What should you do?

If you are currently storing payment data of your India transactions on servers that are not based in India, we recommend that you seek advice to determine if you need to purge this data to comply with the payment data storage guidelines.

You should also seek clarification from any third-party payments, billing or financial services provider that you use about the status of their compliance with the RBI guidelines. They should not be storing payment data outside India. If they are storing this data outside India, you should stop passing payment data on to them.

Contact us if you have any more questions, or review our pricing to get started with our services in India.