Credit Cards
Every RBI rule that touches Credit Cards, simplified for bankers.
How RBI card-network tokenisation protects your card
RBI’s card tokenisation framework changed how online merchants handle your card. Instead of storing your real card number, they store a meaningless merchant-specific token. Here is how that protects you, step by step:
- Understand what a card token is. Under the RBI Card-on-File (CoF) tokenisation framework, your actual 16-digit card number (the PAN) is replaced by a unique, randomly generated 'token' for each merchant. The token is useless anywhere else, so the merchant never has to store — and can never leak — your real card details.
- See why RBI mandated it. RBI barred merchants and payment aggregators from storing actual card data on their servers and required tokenisation instead. The aim is to cut the blast radius of a data breach: if a shopping site is hacked, attackers get only merchant-specific tokens, not card numbers that work everywhere.
- Know how a token gets created. When you tick 'save this card securely as per RBI guidelines' at checkout, the card network (Visa, Mastercard, RuPay, etc.) issues a token tied to that one merchant and device, with your explicit one-time consent and an additional-factor authentication step. You can create, view and delete your saved tokens with the card issuer.
- Check what stays protected. Each token is merchant-specific and device-specific, so a token saved at one store cannot be replayed at another. Your bank still applies the usual transaction limits, OTP/additional-factor authentication and fraud monitoring. If you lose the card or it is reissued, the linked tokens can be revoked without exposing the underlying number.
- Act as a cardholder. Prefer the 'tokenise as per RBI guidelines' option over letting a site keep your raw card number, review the list of saved cards/tokens in your banking app, and delete tokens for merchants you no longer use. Tokenisation is free, optional and within your control — you can always choose to key in the full card details manually instead.
Suppose you save your card at an online store. The store now holds a token like 5123 xxxx xxxx 9012 mapped only to that merchant, not your real number. If that store is later breached, the leaked token cannot be used to pay anywhere else, and your bank can revoke it instantly — your underlying card stays safe. Example is illustrative; exact behaviour depends on your issuer and the card network.
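The merchant and device binding, the consent check and the revocation described above, modelled as an added example (not RBI's or any card network's code). `TokenVault`, its method names, the merchant and device ids and the card number are all constructed for illustration; real token services are run by the card networks and differ in detail.

```python
import secrets


class TokenVault:
    """Toy model of a card network's token service (hypothetical API)."""

    def __init__(self):
        self._records = {}  # token -> record; the PAN never leaves the vault

    def tokenise(self, pan, merchant_id, device_id, consent, afa_passed):
        # Tokens are issued only with explicit consent and a passed AFA step.
        if not (consent and afa_passed):
            raise PermissionError("consent and additional-factor auth required")
        while True:  # random digits, so the token reveals nothing about the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "merchant": merchant_id,
                                "device": device_id, "active": True}
        return token

    def authorise(self, token, merchant_id, device_id):
        # Accept only an active token presented by the merchant and device
        # it was issued for; anything else is treated as a replay.
        rec = self._records.get(token)
        return bool(rec and rec["active"] and rec["merchant"] == merchant_id
                    and rec["device"] == device_id)

    def revoke_card(self, pan):
        # Lost or reissued card: disable every token linked to it.
        for rec in self._records.values():
            if rec["pan"] == pan:
                rec["active"] = False


def demo():
    vault = TokenVault()
    pan = "4000000000000002"  # constructed sample value, not a real card
    t = vault.tokenise(pan, "store-a", "phone-1", consent=True, afa_passed=True)
    seen = {"same_merchant": vault.authorise(t, "store-a", "phone-1"),
            "other_merchant": vault.authorise(t, "store-b", "phone-1"),
            "other_device": vault.authorise(t, "store-a", "laptop-9")}
    vault.revoke_card(pan)
    seen["after_revocation"] = vault.authorise(t, "store-a", "phone-1")
    return seen
```

A merchant database in this model would hold only the value returned by `tokenise`, which is why a leak of that database exposes nothing usable at another merchant.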
This is our plain-English explainer, not RBI text, prepared under the editorial review of Vikram Jain; every rule links to its official page on rbi.org.in. Independent platform, not affiliated with the Reserve Bank of India.
Frequently asked questions
What must a card issuer disclose before charging interest?
Issuers must clearly show the billing cycle, the way interest is computed on unpaid balances, and all fees and charges, so a cardholder can see the true cost of revolving credit before they incur it.
Can a card be activated without the customer's consent?
No. A card cannot be activated, nor a limit increased, without the cardholder's explicit consent. If a card is not activated within the defined window, the issuer must close it without cost, subject to the applicable circular.
Can customers choose their card network?
RBI has moved to give eligible cardholders a choice of card network rather than having it tied solely to the issuer's arrangement. The relevant instruction is in the cluster below.