India network tokenization — FAQs and upcoming Stripe solutions

What is network tokenization?

Only card issuers and card networks are permitted to store the card data of an India issued card for transactions processed through payment service providers licensed by the Reserve Bank of India (RBI). Payment aggregators (such as Stripe) will have to use network tokens for payment processing instead of the actual credit/debit card number.

These regulations mainly affect businesses based in India. Card networks have launched Card on File (CoF) tokenization services to comply with these requirements.

What are network tokens?

Network tokens are offered by card networks such as Visa and MasterCard, to replace the actual credit/debit card number for online payments. They reduce the risk of sensitive card data being exposed as only the card networks will retain this information.

Who do these regulations affect?

You’re most likely to be affected if your business is based in India and mainly have customers paying with domestic cards.

Tokenization requirements apply to transactions processed by an India-licensed service provider paid by India-issued cards. If you (or, in the case of platforms that are outside India, your connected accounts) are not registered in India and consequently not supported by Stripe India, tokenization of card information is not required.

What should I do today?

If you’re affected, you should:

  1. Stop storing both credit and debit card data of India-issued cards on your own servers.
  2. Get consent from your customers to store and use tokens for India cards – you may need to update your terms of service with your customers to capture this consent.

For getting consent from your customers, if you don’t want to build your own consent flow, we have launched Stripe Managed Tokenization Consent to automatically collect consent on behalf of your customers. Please see the Guide for Indian government regulations on network tokenization for more details.

You may also need to update your existing Stripe integration following the steps outlined in this guide.

Once you’ve made these changes, we’ll be able to tokenize cards on your behalf. We’re currently rolling out our tokenization solution to Stripe users in preview. We will contact you when we’re ready to onboard your Stripe account.

Will I still be able to process Refunds?

Refunds on India-issued card transactions can only be initiated for a period of 90 days following the transaction. After this window, the payment will no longer be eligible for a refund.

Will I be able to obtain network tokens from Stripe to store on my own servers? I.e., will Stripe offer tokenization-as-a-service?

We do not currently offer tokenization-as-a-service.

Will the tokens provided be usable across different payment processors?

This will depend on the configurations specified by the card networks, which are still being discussed. Please continue to follow these FAQs for the latest guidance.

Will the cardholder have to use Additional Factor Authentication (AFA) such as 3DS to tokenize the card?

You can save card details to set up future payments through Stripe Checkout, Setup Intents, Payment Intents and other APIs. These will trigger the cardholder to complete 3DS authentication. Stripe will tokenize the card only when 3DS authorization is successful.

Refer to our guide to learn whether you need to update your Stripe integration to enable 3DS.