In 2022, RBI mandated that merchants can no longer store your actual 16-digit card number, expiry date, or CVV. Instead, when you make a card payment, a unique token representing your card is generated and stored on the merchant's end. The actual card details stay with your bank and the card network.
Why RBI did it
During 2020–2022, India saw a spike in card data breaches. When a merchant database leaked, millions of raw card numbers were exposed — and because the same card could be used anywhere, fraudsters had a field day. Tokens solve this because they're merchant-specific — a token from Swiggy can't be used at Amazon. Even if the database leaks, the tokens are useless outside that specific merchant.
How it looks to you
After the mandate rolled out, most users had to "re-add" their card to saved merchants. Behind the scenes, the merchant called the card network's tokenization service, got a token issued by your bank, and replaced your card number with that token in their database. Your experience remained the same — click, checkout, done — but the security posture improved dramatically.
Cross-device and guest checkouts
Tokenization is merchant-specific, which means tokens don't automatically transfer across devices or guest sessions. For guest checkouts where you don't have an account, you still type in the full card number — and merchants must forget it the moment the transaction is done.
The broader trend
Tokenization is spreading beyond cards. UPI has UPI tokenization for recurring payments. Bank accounts have virtual accounts for vendor payouts. The pattern is the same: abstract the sensitive identifier behind a purpose-specific token that can be revoked without touching the underlying account.
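The merchant binding ("a token from Swiggy can't be used at Amazon") and the revocation property described above, as an added example that is not part of the original article. It is a simplified in-memory model, not how any card network implements its token service; `TokenVault`, the merchant IDs and the card number are constructed for illustration.

```python
import secrets

class TokenVault:
    """Simplified stand-in for the network/issuer token service (assumed design)."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "merchant", "active"}

    def issue(self, pan, merchant_id):
        # Random value: the token reveals nothing about the card number.
        token = "tok_" + secrets.token_hex(8)
        self._records[token] = {"pan": pan, "merchant": merchant_id, "active": True}
        return token

    def revoke(self, token):
        self._records[token]["active"] = False

    def authorize(self, token, merchant_id):
        """Return (approved, reason); the card number never leaves the vault."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if not rec["active"]:
            return False, "token revoked"
        if rec["merchant"] != merchant_id:
            return False, "token not issued to this merchant"
        return True, "approved"

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    tok_a = vault.issue(pan, "merchant-A")
    tok_b = vault.issue(pan, "merchant-B")
    merchant_a_db = {"user42": tok_a}  # all that a leak at merchant A exposes
    leaked = merchant_a_db["user42"]
    results = {
        "pan_stored_at_merchant": pan in merchant_a_db.values(),
        "tokens_differ": tok_a != tok_b,
        "leaked_token_at_B": vault.authorize(leaked, "merchant-B"),
        "leaked_token_at_A": vault.authorize(leaked, "merchant-A"),
    }
    vault.revoke(leaked)  # response to the leak: kill only this token
    results["after_revoke_at_A"] = vault.authorize(leaked, "merchant-A")
    results["other_token_at_B"] = vault.authorize(tok_b, "merchant-B")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The leaked token is still honoured at the merchant it was issued to until it is revoked, so revocation after a breach is part of the control; the same card's token at the other merchant keeps working throughout.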