New credit and debit card rules coming into effect from 01 July

New credit and debit card rules coming into effect from 01 July

India is one of the fastest-growing economies in digital transactions. The volume of digital transactions in the country stood at 48 billion in 2021 which was almost 3 times that of its nearest competitor China. These transactions accounted for approximately 31% of the total payments transactions in 2021 and are expected to reach 70% by the year 2026. With this growing volume of real-time digital transactions, it is important to make some changes in the framework for credit cards and debit cards to benefit the users as well as the economy. Therefore, RBI has come up with new rules relating to credit cards and debits cards that will be enforced from July 1. 

What are RBIs new credit card and debit card rules?

The use of credit cards, debit cards, and other online payment options (UPI, net banking, etc.) have become the preferred mode of payment for millions of Indians. Most shopping portals often require storage of the credit card and debit card details of the users. The apex bank has introduced a system of tokenization which will be put in effect from July 1st, 2022 along with a few other rules and regulations that are set to be implemented on October 1st, 2022. 

The premise of these rules prohibits the merchants from storing the credit card or debit card details on their portal or using it in any way that is detrimental to the interest of the cardholders. These rules will earlier set to be implemented by 1st January 2022 but the deadline for the same was later pushed to 1st July 2022. This move was taken after a representation made by the payments companies and industry representatives requesting more time to change their technology for the implementation of the RBI mandate. 

What is tokenization?

The tokenization system introduced by the RBI will replace the card details with a code that can be referred to as a ‘token’. This token will be a unique code to the user’s card and the merchant at a time. The cardholder’s details are protected under the tokenization system as they are not stored or revealed to any third party. If the users are not comfortable with the tokenization system, they have the option to enter their card details for every merchant. 

When the user chooses the token system, the merchant will request a token generation for its user at the portal. This token can be saved and used for future transactions too. However, a token is unique for every merchant and must be created for each merchant portal.

What is the need for these new rules?

There have been many cases of fraud on multiple online shopping portals and the security of the cards is a huge concern for the cardholders. To resolve these issues the apex bank has come out with new directives for merchants and their payments portals. The use of tokenization will enable cardholders to protect their sensitive information on the card. 

The merchants will not be able to store the cardholder’s name, expiry details of the card, the card number as well as the CVV number. This acts as an extra layer of protection for the cardholders to safeguard themselves against issues like identity theft and misuse of their cards. 

The revised rules also have a provision in case a person has multiple cards on each merchant portal. In such situations, the issuer bank will provide a dedicated portal to manage all the cards. This portal will allow the cardholders to view as well as delete any cards from any portal if they no longer wish to use it. Also, as mentioned above, the tokenization rule is not mandatory for all cardholders. The merchant portals are no longer permitted to store any information related to the cardholders or their cards, hence, if the cardholders do not wish to opt for tokens on each merchant site, they can enter their required card details each time for every new transaction on the merchant sites. 

What are other rules relating to credit/debit cards?

Apart from the tokenization rule, the revised RBI rules also include other credit and debit card provisions. Some of these provisions are effective immediately from 1st July 2022 while others come into effect from 1st October 2022.  These additional rules are mentioned below.

  1. The card issuers are not permitted to increase the notified credit limit on any credit card without explicit consent from the cardholders.
  2. A request for closure or cancellation of credit cards has to be honoured within 7 days by the card issuers, failing which, the issuer will have to pay a penalty of Rs. 500 per day till the time the issue is closed. Communication regarding the closure has to be issued to the customer via email, SMS, or any other recognized means. The card issuers have to provide multiple dedicated channels for such closure requests like helpline numbers, IVRS facilities, dedicated email addresses, specific links on their website, and internet or mobile banking facility. The card issuers also cannot insist on a particular mode of raising the request and all the available channels have to be functional.
  3. The card issuers will be charged a double penalty in case of any cards issued without applying.
  4. Cardholders will be given a one-time option that will allow them to change their billing cycle according to their preference. 
  5. The bills have to be issued immediately to the cardholder and they should be given a sufficient number of days to repay the same. 
  6. The card issuer can also use any refunds issued or reversal of payments against the total amount due of the cardholder (that is unpaid) and adjust it to derive the net amount due. They will, however, have to notify the cardholder of the same and has to be duly reported.
  7. Card issuers will have to take the permission of the cardholders to adjust any credit amount beyond Rs. 5,000 or 1% of the credit limit (whichever is lower). Card issuers will have to take such permissions (through email or SMS) within 7 days of receiving the credit.


The revised rules of RBI focus on the safety and security of the cardholders and ensure a smooth infrastructure that can lead the economy on the path of digitization at a faster pace. These rules will act as an extra layer of security for the cardholder providing a further impetus to the digital economy vision of the government. 


When were the RBI rules for credit cards and debit cards set to be implemented?

The RBI rules for credit cards and debit cards were set to be implemented on 1st January 2022 but were later pushed to be implemented on 1st July 2022 and 1st October 2022.

What is the permissible limit to take adjust the credit card dues without permission against any refunds or reversals?

The revised RBI rules allow the card issuers to adjust the credit card dues of the cardholder (that have remained unpaid) against any refunds or reversals to their account up to Rs. 5000 or 1% of the credit limit (whichever is lower) without any permission. However, they will have to notify the cardholder regarding the same. For any amount beyond this limit, they will need to take permission from the cardholder within 7 days of the credit.

Can the card issuers issue a credit card or a debit card without the express consent of the cardholder?

No. The revised RBI rules do not permit the card issuers to issue any credit card or debit card without the express consent of the cardholder. The card issuer will be liable for a double penalty for violating this condition.

WIll the token issued to a cardholder be common for all the merchants?

No. The token issued to a cardholder will be a unique code specific to a card and the merchant. The token will be different for different merchant portals.

Download Credwise on the App Store or Google Play Store now and get the latest deals tailored according to your cards! 

Want to learn about Finance, Investing, and much more!, Checkout our partner blogs.