RBI's Tokenisation Mandate Is Quietly Reshaping Card Payments


Card-on-file tokenisation was supposed to be done by October 2022. Then it got extended. Then extended again. Now, in early 2026, we’re finally seeing what full enforcement looks like—and it’s messier than anyone expected.

The basic idea is straightforward: merchants can no longer store your actual card number. Instead, they get a token—a randomly generated string that maps back to your card through the card network. If the merchant gets breached, hackers get tokens that are useless outside that specific merchant-card network combination.

Where We Actually Stand

As of February 2026, the RBI reports that 94% of online merchants have migrated to tokenised transactions. That number sounds impressive until you look at the remaining 6%, which includes some surprisingly large players in the travel and insurance sectors.

The hold-ups are mostly technical. Recurring payment mandates—standing instructions for monthly premiums, subscription services, utility bills—have been the hardest to migrate. The token has to carry not just the card reference but the mandate details, and the existing e-mandate framework wasn’t designed for tokenised flows.

Insurance companies in particular have struggled. A policyholder who set up annual premium auto-debit three years ago is running on legacy infrastructure. Migrating that to tokenised payments means re-authenticating the mandate, which requires the customer to take action. And customers who set up auto-debit specifically to avoid taking action are, predictably, not responding to migration requests.

Transaction Success Rates Tell the Real Story

Here’s the number that matters: first-attempt transaction success rates for tokenised payments are running at 87%, compared to 94% for the old card-on-file system. That 7-percentage-point gap represents millions of failed transactions every day.

The failures cluster around a few patterns. Token expiry is the biggest culprit—when a card gets renewed, the token should automatically update, but the actual refresh cycle depends on the issuing bank, and some banks are taking 48-72 hours to propagate new tokens. During that window, every tokenised transaction for that card fails.

Network timeout is the second issue. Tokenisation adds a lookup step to every transaction—the payment gateway has to resolve the token to a card number through the card network’s token vault before the actual authorisation can happen. That extra 200-400ms doesn’t sound like much, but when you’re processing thousands of transactions per second and the token vault is under load, timeouts spike.

Impact on Banks’ Revenue

The tokenisation mandate hasn’t changed interchange rates, but it’s reshuffled costs. Issuing banks now bear the cost of maintaining token vaults and handling token lifecycle events (creation, suspension, resumption, deletion). For SBI, which issues more cards than any other Indian bank, that’s a meaningful infrastructure cost.

Acquiring banks face their own challenges. Merchant onboarding for tokenised payments requires updated POS software and API integrations. The banks that invested early—HDFC Bank, ICICI Bank, Axis Bank—are through the transition. Smaller acquiring banks, including some regional players and cooperative bank-backed acquirers, are still catching up.

The banks looking at this from an AI and strategy perspective are finding that predictive token lifecycle management—anticipating when tokens need refreshing based on card renewal patterns—can significantly reduce failed transactions. The Team400 team has been working with financial services firms on exactly this kind of predictive infrastructure.

What Merchants Need to Know

If you’re an e-commerce merchant and your tokenised transaction success rate is below 90%, you likely have a token vault integration problem rather than a general payment issue. The diagnostic steps are:

Check whether failures correlate with specific issuing banks. If 80% of your failures come from two or three banks, the problem is on the issuer side and you need to escalate through your payment gateway.

Look at the time distribution of failures. If they spike during certain hours, you’re probably hitting token vault capacity limits. Your payment aggregator should be able to route through alternative token vaults during peak periods.

Monitor token refresh rates. If you’re seeing a surge of failures among customers who recently got new cards, your token provisioning workflow isn’t handling card renewals properly.
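The three checks above, run over a log of payment attempts, as an added example (not code from the original article or from any gateway's tooling). The record fields (ts, issuer, ok, renewed_days), the 1.5x peak-hour factor and the 3-day renewal window (taken from the 48-72 hour propagation delay mentioned earlier) are assumptions, and the sample rows are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample attempts (not real data). Field names are assumptions:
# ts, issuer, ok (first-attempt success), renewed_days (days since the card
# was reissued, None if unknown).
FIELDS = ("ts", "issuer", "ok", "renewed_days")
SAMPLE = [dict(zip(FIELDS, t)) for t in [
    ("2026-02-10T09:05:00", "BANK_A", True, None),
    ("2026-02-10T09:10:00", "BANK_B", True, None),
    ("2026-02-10T09:20:00", "BANK_C", True, None),
    ("2026-02-10T09:40:00", "BANK_A", True, 40),
    ("2026-02-10T14:15:00", "BANK_A", True, None),
    ("2026-02-10T14:30:00", "BANK_B", True, 200),
    ("2026-02-10T20:01:00", "BANK_A", False, 1),
    ("2026-02-10T20:02:00", "BANK_A", False, 2),
    ("2026-02-10T20:03:00", "BANK_A", False, None),
    ("2026-02-10T20:04:00", "BANK_B", False, 1),
    ("2026-02-10T20:05:00", "BANK_B", False, None),
    ("2026-02-10T20:06:00", "BANK_C", False, None),
    ("2026-02-10T20:07:00", "BANK_C", True, None),
]]

def fail_rate(rows):
    return sum(not r["ok"] for r in rows) / len(rows) if rows else 0.0

def issuer_concentration(txns, top_n=3):
    """Share of all failures that come from the top_n issuers."""
    fails = Counter(r["issuer"] for r in txns if not r["ok"])
    top = fails.most_common(top_n)
    total = sum(fails.values())
    return (sum(c for _, c in top) / total if total else 0.0), [i for i, _ in top]

def peak_hours(txns, factor=1.5):
    """Hours of day whose failure rate exceeds factor x the overall rate."""
    by_hour = defaultdict(list)
    for r in txns:
        by_hour[datetime.fromisoformat(r["ts"]).hour].append(r)
    return sorted(h for h, rows in by_hour.items()
                  if fail_rate(rows) > factor * fail_rate(txns))

def renewal_gap(txns, window_days=3):
    """Failure rate for cards reissued within window_days vs. all others."""
    recent = lambda r: r["renewed_days"] is not None and r["renewed_days"] <= window_days
    return (fail_rate([r for r in txns if recent(r)]),
            fail_rate([r for r in txns if not recent(r)]))

if __name__ == "__main__":
    print(issuer_concentration(SAMPLE, 2), peak_hours(SAMPLE), renewal_gap(SAMPLE))
```

An issuer share at or above 0.8 points to the issuer-side escalation path, a non-empty peak-hour list points to vault capacity, and a renewal failure rate well above the baseline points to the provisioning workflow.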

The Fraud Numbers

The RBI hasn’t published comprehensive fraud data specifically for tokenised versus non-tokenised transactions yet, but individual bank disclosures tell an interesting story. HDFC Bank reported a 34% reduction in card-not-present fraud for tokenised merchants in Q3 FY2026 compared to the same quarter the previous year.

That’s significant, but it’s not the whole picture. Fraudsters have shifted tactics—instead of targeting stored card data at merchants, they’re focusing on the tokenisation enrolment flow itself. Phishing attacks that trick cardholders into generating tokens on fraudulent merchant sites have increased. The vector changed, even if the overall fraud volume decreased.

What Happens Next

The RBI’s next step is extending tokenisation requirements to device-based payments—NFC contactless, wearable payments, and IoT devices. The draft guidelines released in January 2026 suggest this will become mandatory by September 2026, which is an aggressive timeline given that device-level tokenisation requires hardware secure elements or trusted execution environments that most Indian devices don’t currently support.

For banks, the strategic question is whether tokenisation infrastructure becomes a competitive advantage or a commodity. The banks that can offer sub-100ms token resolution and 99.9% token vault uptime will win the merchant acquiring business. The rest will end up outsourcing to token-as-a-service providers and competing on price alone.

The tokenisation mandate started as a security initiative. It’s turning into an infrastructure arms race.