Token Vault FAQs | Cashfree Payments

What is card tokenisation?

Card tokenisation replaces sensitive card details (number, expiry, CVV) with a secure, random token. This token is used for payments, keeping actual card data safe and reducing the risk of fraud.

What are the RBI guidelines on tokenisation?

The RBI guidelines on card tokenisation are as follows,

Payment aggregator, payment gateway or merchants cannot store card numbers on their servers even if they are PCI/DSS compliant
Card networks and Issuing banks can only store card numbers and offer token provisioning services to other entities in payment industry
The deadline for compliance of these guidelines is 31st of December 2021

Why do I need Token Vault by Cashfree Payments?

A Token Vault securely stores card tokens, enabling customers to make quick, hassle-free payments with saved cards. We generate interoperable network tokens, meaning they can be used across multiple payment providers for seamless transactions. Learn more about Token Vault.

What all card details can I save once with tokenisation in place?

Merchants are allowed to store only the last 4 digits of the actual card number, card scheme and issuing bank name. They cannot store other details like card bin, card expiry or CVV.

Is there any impact of tokenisation on the card payments where the customer enters complete card number?

No, there is no impact as such on card payments where the customer enters the complete card number details. Only in those cases where merchants or PA/PGs were saving cards will be affected.

Can I retrieve the actual card number using the card network token?

No, merchants will not be able to get the actual card number back from the tokenised cards. Only schemes and issuing banks will be able to do so.

Can I provision card network token without taking consent from customer?

Can I provision card network token without the customer completing 2FA?

If 2FA fails even after the customer had given consent to tokenise the card, merchants will not be able to provision token and save the card.

Does tokenisation affect any other payment mode other than cards? Which all card transactions are affected?

No, tokenisation is limited only for card payments. All card payments like credit, debit, prepaid and corporate credit cards are impacted.

If a merchant is PCI/DSS compliant and was saving cards on their own server how can they meet RBI’s compliance requirement?

If you are a merchant who already PCI/DSS compliant, here is what you need to do to stay RBI compliant,

Merchants who were saving the card number on their own servers, will also have to either integrate with individual card schemes and become a token requestor themselves or integrate with Token Vault where Cashfree Payments will be a token requestor on merchant’s behalf.
PCI/DSS compliant merchants have to delete the already saved cards with them as RBI does not allow bulk tokenisation of cards.

Does a merchant need to re-provision the already saved cards on another PA/PG if they wish to shift from Cashfree to some other PA/PG?

Yes, the token reference number of tokens provisioned through Cashfree will be saved with Cashfree only. However, merchants can fetch the card network tokens from Cashfree and use them for payment on any other PA/PG. It is not possible to migrate cards provisioned through Cashfree on another PG.