Third-party payment platforms in India: a guide to the Indian government's regulations on card network tokenisation
In India, only card issuers and card networks are allowed to store card data of Indian-issued cards in order to facilitate transactions through Reserve Bank of India (RBI)-authorised payment service providers. The central bank has mandated that payment aggregators such as Stripe India use card network tokens instead of actual credit/debit card numbers during payment processing.
These regulations primarily affect businesses in India. The card networks have launched a Card on File (CoF) tokenisation service to comply with these requirements, and Stripe has developed a solution that customers can use. For more information on the Indian regulations, see our article "Regulatory Background on the Impact of Credit Card Payments by the Indian Government".
No entity in the card transaction chain is allowed to store a customer's card information, with the exception of issuers and card networks. This restriction applies to merchants, payment aggregators (PAs), payment gateways (PGs) and acquirers. This further confirms that card network tokenisation and issuer tokenisation are the only viable directions for the industry.
The tokenisation implementation is also subject to other regulations:
- The scope of the token must include the merchant, the customer card, and the token requester (e.g. Stripe India)
- The customer's explicit consent and additional authentication factors must be obtained before a token can be generated
- Merchants should provide customers with the option to remove tokenised cards from their platforms
- During the transaction, the merchant may only retain and display the last four digits of the customer's card number, the name of the card issuer and the card network (as seen on the Payments page of the Stripe Dashboard).
These rules only apply to domestic transactions for India-based merchants. If you are an international merchant on Stripe and do not have a contract with Stripe India, these rules do not apply and the card will not be tokenised.
As with Cards on File (CoF), only PCI DSS-compliant merchants can store tokens themselves. Merchants that currently rely on a third-party service to store card information must continue to handle their tokens in the same way.
Stripe is an authenticated token requester capable of storing tokens and facilitating token-based transactions, as well as generating tokens through the card network.
Your Stripe integration is unaffected. Stripe will seamlessly handle the acquisition and use of card network tokens in the background on behalf of your customers. You do not need to manage this process.
Tokens are unique to the merchant, customer ID, token requester, and card network. A token generated on one merchant platform is not valid on another.
Essentially, a cardholder's card will have multiple tokens, one for each merchant-customer ID combination it is stored under. This mapping is maintained by the token requester (Stripe). However, there is no guarantee that a merchant joining the card network will be given the same merchant ID by other token requesters, which may result in duplication. Therefore, we cannot ensure that tokens provided through Stripe will apply to the same merchant-customer combinations when used through other payment aggregators/payment gateways.
The impact of tokenisation on the end customer is minimal. In order to convert a card to a token, the customer must agree to the process, after which ongoing transaction payments can be made. This applies to both new and saved cards.
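To make the scoping, consent and display rules above concrete, here is a toy model of a token requester's vault. It is an added illustration, not Stripe's or any card network's code; the `TokenScope` and `TokenRequester` names, the token format and the sample card and merchant IDs are all constructed for this example. It shows that the same card yields a different token per merchant, that a token is rejected under another merchant's scope, that nothing is issued without consent plus an additional authentication factor, and that only last four digits, issuer and network are kept for the merchant.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenScope:
    """The four things a card network token is bound to (per the rules above)."""
    merchant_id: str   # e.g. a Stripe account id; sample values are constructed
    customer_id: str
    requester: str     # the token requester, e.g. "stripe_india"
    network: str       # the card network, e.g. "visa"


class TokenRequester:
    """Toy vault of a token requester. It never keeps the PAN: only the token and
    the merchant-visible fields (last four digits, issuer name, network)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._vault: dict[TokenScope, tuple[str, dict]] = {}

    def tokenise(self, scope: TokenScope, pan: str, issuer: str,
                 *, consent: bool, authenticated: bool) -> str:
        """Issue (or reuse) the token for this scope. Refuses without explicit
        consent plus an additional authentication factor."""
        if scope.requester != self.name:
            raise ValueError("scope names a different token requester")
        if not (consent and authenticated):
            raise PermissionError("consent and additional authentication required")
        if scope in self._vault:                  # same merchant+customer -> same token
            return self._vault[scope][0]
        token = f"tok_{secrets.token_hex(8)}"     # stands in for the network-issued token
        view = {"last4": pan[-4:], "issuer": issuer, "network": scope.network}
        self._vault[scope] = (token, view)        # the PAN itself is dropped here
        return token

    def merchant_view(self, scope: TokenScope, token: str) -> dict:
        """What a merchant may see for a stored card. A token presented under a
        different merchant/customer scope is rejected."""
        entry = self._vault.get(scope)
        if entry is None or entry[0] != token:
            raise LookupError("token not valid for this merchant/customer scope")
        return dict(entry[1])
```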
To streamline your business operations, Stripe has introduced Stripe Managed Tokenised Consent (SMTC) (a snippet of the form view that is part of the checkout process) to collect customer consent on your behalf without having to build any new UX processes or modify integrations.
If you wish to build or integrate your own custom consent collection process and want it to run smoothly in your checkout experience, you can opt out of Stripe's hosted tokenised consent collection process (see Opting Out of the Process below).
For customers whose cards have been tokenised, only the last four digits of the stored card will be visible from now on.
Cardholders who choose not to tokenise their cards must enter the full 16-digit card number, expiry date and CVV for every card transaction.
If you would like to stop using Stripe's Managed Tokenised Consent collection process and create your own custom process, navigate to the Compliance section of the Stripe Dashboard Settings and select "Card storage consent".
Under "Card storage consent", switch the setting to "Consent for collection confirmation".
Once opted out, you will need to collect your own customer consent and card details will only be saved in the Stripe customer object for future use if the cardholder gives consent during your checkout process.
For users who do not use Stripe Billing, Stripe Checkout or Stripe Elements, any process that relies on a customer's card number will be affected. You must opt out of the Stripe-hosted mechanism and obtain customer consent yourself before we can tokenise and store the card in the Stripe system.