The deadline for card tokenization has been extended by the Reserve Bank of India (RBI). The Reserve Bank had previously set a deadline of December 31, 2021, but the central bank has now extended it until June 30, 2022. The RBI stated in an official release on December 23, 2021 that "The timeline for storing of CoF data is extended by six months, i.e., till June 30, 2022; post this, such data shall be purged."

RBI has also clarified that "In addition to tokenisation, industry stakeholders may devise alternate mechanism(s) to handle any use case (including recurring e-mandates, EMI option, etc.) or post-transaction activity (including chargeback handling, dispute resolution, reward / loyalty programme, etc.) that currently involves / requires storage of CoF data by entities other than card issuers and card networks." No organization in the card transaction / payment chain, other than card issuers and / or card networks, shall maintain the legitimate card data starting from July 1, 2022 and any previously saved data will be deleted.

Organizations can keep minimal data - the last four digits of the actual card number and the card issuer's name - for tracking or reconciliation reasons of the transactions if they follow the relevant criteria. The card networks will be responsible for ensuring that all parties involved comply with the said guidelines on a continuous basis.

Tokenisation is the process of replacing actual card details with a substitute code known as a unique "token," for each and every type of card. The company or token requestor that receives a card holder's request for tokenisation of a card forwards it to the card network to generate a relevant token. In order to not disclose real card data on the payment gateway or with the seller while processing transactions, a tokenised card transaction will be a secure way to transact and a big kick in the face of fraudsters.

In response to being asked whether card details of a customer are safe after tokenization, RBI has said on its official website that "Actual card data, token and other relevant details are stored in a secure mode by the authorised card networks. Token requestor cannot store Primary Account Number (PAN), i.e., card number, or any other card detail. Card networks are also mandated to get the token requestor certified for safety and security that conform to international best practices / globally accepted standards."

Cardholders can establish and change per transaction and daily transaction restrictions for tokenised card transactions, and they can register for a tokenisation request only with their approval through Additional Factor of Authentication (AFA).