What changed
RBI extended device-based tokenisation to Card-on-File Tokenisation (CoFT), allowing card issuers to become Token Service Providers (TSPs) for their own cards. Tokenisation now requires explicit customer consent with AFA validation. From January 1, 2022, all entities except card issuers and networks must stop storing actual card data and purge any previously stored data.
What it means for you
Banks and payment aggregators must stop storing full card credentials by Jan 1, 2022, and purge existing data. Card issuers can now offer tokenisation services, enhancing security for recurring payments. Merchants and PAs must rely on tokens instead of storing card-on-file data, reducing fraud risk but requiring system upgrades.
What you must do
- Ensure your systems purge all stored actual card data by January 1, 2022, retaining only the last four digits and the issuer name for reconciliation.
- If you are a card issuer, prepare to offer CoFT services as a Token Service Provider with explicit customer consent and AFA.
- Update merchant onboarding agreements to prohibit storage of card credentials and mandate tokenisation for recurring transactions.
- Provide cardholders with options to view and de-register tokens via mobile app, internet banking, IVR, or branches.
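The purge step above has two halves: reduce each stored card-on-file record to what the circular allows to be retained, then verify that no full PAN survives anywhere in the record. The following Python is an added example, not code from RBI or any payment system; the record layout, field names and the test PAN 4111111111111111 are assumptions.

```python
import re

# Constructed sample of a card-on-file record as a merchant or PA might have stored it.
# The PAN is a standard test number, not a real card.
STORED_RECORD = {
    "customer_id": "cust-1001",
    "pan": "4111111111111111",
    "expiry": "12/26",
    "cvv": "123",
    "issuer_name": "Example Bank",
    "token": "tok_9f8e7d6c",   # assumed: token supplied by the issuer/network TSP
    "notes": "card ending 1111",
}

def purge_card_record(record: dict) -> dict:
    """Return the minimised record: only last four digits and issuer name are kept
    for reconciliation; full PAN, expiry and CVV are dropped. The token remains,
    since it is not actual card data."""
    return {
        "customer_id": record["customer_id"],
        "last4": record["pan"][-4:],
        "issuer_name": record["issuer_name"],
        "token": record.get("token"),
        "notes": record.get("notes", ""),
    }

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real-looking PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def residual_pans(record: dict) -> list:
    """Post-purge check: any Luhn-valid 13-19 digit run in any field (including
    free-text fields) is a residual PAN that the purge missed."""
    found = []
    for value in record.values():
        for candidate in PAN_RE.findall(str(value)):
            if luhn_valid(candidate):
                found.append(candidate)
    return found
```

Run the scan over every retained table and column, not just the field formally labelled as the card number, because free-text and log fields are where full PANs most often survive a purge.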
Who it affects
- All Payment System Providers and Participants
- Card issuers (banks)
- Payment Aggregators and Payment Gateways
- Merchants storing card-on-file data
- Card networks
What is the deadline for purging stored card data?
All entities except card issuers and card networks must purge stored actual card data by January 1, 2022. Only the last four digits and the issuer name may be retained for reconciliation.
Can card issuers now offer tokenisation services?
Yes, RBI now permits card issuers to act as Token Service Providers (TSPs) for cards issued by them, subject to explicit customer consent and AFA validation.
What happens if a card is renewed or replaced?
The card issuer must seek explicit consent from the cardholder before linking the new card to merchants where the old card was registered for CoFT.