Three-way Payments in India: Background on Indian Government Regulations Affecting Card Payments

The Reserve Bank of India (RBI) has implemented a number of regulatory changes that will impact the ability to receive payments from cards issued in India. These modifications have introduced additional hurdles in the payment process, forcing card networks and issuing banks to overhaul their existing systems and infrastructure. While the industry as a whole is trying to adapt to these changes, certain types of payments, such as recurring transactions, now require additional authorisations, which could lead to a permanent increase in payment failure rates in the future.

The best course of action for Stripe users is to follow our impact assessment guidelines and be prepared to respond to these changes on demand.

Cardholders holding Indian-issued cards are required to make electronic authorisations through the card-issuing bank to allow merchants to capture periodic payments. The issuing bank must also notify the respective cardholder at least 24 hours in advance before processing any collection. In addition, for recurring payments exceeding 15,000 INR (approximately US$190), cardholders must authorise each additional transaction separately. Cardholders can also choose to stop making recurring payments to merchants at any time by easily revoking the electronic authorisation through the Bank.

These changes were intended to provide cardholders with greater control, but significantly hindered the process of making regular payments, leading to an increase in the number of transactions declined by issuing banks.

Adopting Stripe's billing solutions to comply with recurring payment regulations is the best way to prepare your company for these changes. Please refer to our documentation on how to accept cards issued from India for recurring payments.

Only card-issuing banks and card networks are allowed to store card data of Indian-issued cards for transactions through RBI-approved payment service providers.The RBI has asked aggregators like Stripe India to process payments using card network tokens instead of actual credit/debit card numbers.

These regulations primarily affect merchants in India. In order to comply with these requirements, the Card Network has launched the Card on File (CoF) tokenisation service.

Stripe now offers a solution that uses card network tokens to process card payments made from cards issued in India.

If you are an India-based Stripe user, you should:

Stop storing Indian-issued card data (credit and debit cards) on your own servers.

Obtain customer consent to store and use card network tokens applicable to cards issued in India - you may need to update your TOS for this.

You may not wish to implement the consent process yourself and Stripe will be introducing Stripe Hosted Tokenised Consent to automatically obtain consent on your behalf. For more detailed information, please refer to the Government of India's regulatory guidance on tokenisation of card networks.

Use Stripe as your card vault - through a compliant solution developed with the card networks we work with, we tokenise card details and use these tokens for payment processing. This includes one-off payments using saved card details as well as recurring payments.

As we test and extend the solution with the card network, we will migrate the card data you need us to store (both existing and new cards) to the appropriate card network tokens.

We do not currently offer the ability to request card network tokens from you and return them for storage on your server - also known as tokenisation as a service.

If you have any questions about tokenisation, please contact us.

RBI has mandated that for transactions processed by Indian payment service providers or intermediaries, payment data can only be stored in databases and servers located in India. This applies to all card and non-card transactions processed by all Indian service providers and intermediaries, including all domestic transactions (i.e., where both the business and the cardholder are located in India) as well as payments made by foreign buyers to Indian businesses.

Payment data includes: customer data (e.g., name, phone number, email, etc.), payment sensitive data (e.g., customer and payee account details), payment credentials (e.g., OTPs, PINs, passwords, etc.), and transaction data (e.g., timestamps, amounts, etc.).

Stripe adheres to the RBI Data Localisation Guidelines (also known as the Payment Data Storage Guidelines).

If you are currently storing Indian Transaction Payment Data on servers outside of India, it is recommended that you consult with the relevant authorities to determine whether you need to erase this data in order to comply with the Payment Data Storage Guidelines.

You should also ask all third party payment/billing/financial service providers you use to disclose their compliance with RBI guidelines. They should not store payment data outside India. If they do, you should stop passing payment data to them.

You can contact us for further enquiry or check our pricing to start using the services we offer in India.