Only card issuers and card networks are permitted to store the card data of an India issued card for transactions processed through payment service providers licensed by the Reserve Bank of India (RBI). Payment aggregators (such as Stripe) will have to use network tokens for payment processing instead of the actual credit/debit card number.
These regulations mainly affect businesses based in India. Card networks have launched Card on File (CoF) tokenization services to comply with these requirements.
Network tokens are offered by card networks such as Visa and MasterCard, to replace the actual credit/debit card number for online payments. They reduce the risk of sensitive card data being exposed as only the card networks will retain this information.
You’re most likely to be affected if your business is based in India and mainly have customers paying with domestic cards.
Tokenization requirements apply to transactions processed by an India-licensed service provider paid by India-issued cards. If you (or, in the case of platforms that are outside India, your connected accounts) are not registered in India and consequently not supported by Stripe India, tokenization of card information is not required.
If you’re affected, you should:
Stop storing both credit and debit card data of India-issued cards on your own servers.
Get consent from your customers to store and use tokens for India cards – you may need to update your terms of service with your customers to capture this consent.
For getting consent from your customers, if you don’t want to build your own consent flow, we have launched Stripe Managed Tokenization Consent to automatically collect consent on behalf of your customers. Please see the Guide for Indian government regulations on network tokenization for more details.
You may also need to update your existing Stripe integration following the steps outlined in this guide.
Once you’ve made these changes, we’ll be able to tokenize cards on your behalf. We’re currently rolling out our tokenization solution to Stripe users in beta. We will contact you when we’re ready to onboard your Stripe account.
Refunds on India-issued card transactions can only be initiated for a period of 90 days following the transaction. After this window, the payment will no longer be eligible for a refund.
We do not currently offer tokenization-as-a-service.
This will depend on the configurations specified by the card networks, which are still being discussed. Please continue to follow these FAQs for the latest guidance.
You can save card details to set up future payments through Stripe Checkout, Setup Intents, Payment Intents and other APIs. These will trigger the cardholder to complete 3DS authentication. Stripe will tokenize the card only when 3DS authorization is successful.
Refer to our guide to learn whether you need to update your Stripe integration to enable 3DS.