Card Tokenization in India: What the RBI "Secure Your Card" Checkbox Actually Does During Flight Checkout (2026)

1 What Is the "Secure Your Card" Checkbox and Who Mandated It?

This checkbox is the opt-in trigger for Card-on-File (CoF) tokenization — an RBI-mandated security protocol that permanently replaces your 16-digit card number on that merchant's system with a unique, randomly generated digital code called a token. When you check the box and confirm with an OTP, your card is "tokenized" for that booking platform. From that point, the platform stores only the token — never your real card number.

You will see this checkbox on every major Indian flight booking platform — phrased as "Save card securely as per RBI guidelines," "Tokenize card," or "Secure your card as per RBI mandate." The exact wording varies by platform, but the underlying action is identical.

2 What Exactly Is Card Tokenization? The Simple Explanation

Card tokenization is the process of replacing your actual 16-digit card number — known as the Primary Account Number (PAN) — with a randomly generated surrogate number called a token that is mathematically linked to your card but cannot be reverse- engineered to reveal it.

Think of it as a coat check at a restaurant. Instead of walking around with your expensive coat (your PAN), you hand it to the attendant and receive a plastic chip (the token). If someone pickpockets your chip, it is useless — it only works at that one coat check counter, and only the counter attendant can exchange it for the real coat. No one else in the building can access your coat with that chip.

In card terms:

• Your actual card number is stored only in the Token Vault — a secure database maintained exclusively by your card network ( Visa, Mastercard, or RuPay / NPCI).
• The booking platform receives and stores only the token — a surrogate number that is unique to your card on that specific platform.
• At payment time, the platform sends the token to the card network, which looks up your real card number in the Token Vault and processes the transaction with your bank.

3 Who Are the Three Parties in Every Tokenized Transaction?

Every tokenized card transaction in India involves three distinct roles, each with a defined responsibility under the RBI framework. Understanding these roles removes the mystery from what happens behind the scenes.

4 Step-by-Step: How Tokenization Works During Flight Checkout

The tokenization setup at checkout takes under 30 seconds and requires exactly one OTP from you — the same OTP that authorizes your current payment. Here is every stage, in order:

1. You enter your card details at the payment page. Your 16-digit card number, expiry date, and CVV travel securely (via HTTPS and your payment gateway's encrypted connection) to the platform's payment processor. No card data is stored by the merchant at this stage.
2. You check the "Secure your card" checkbox. This indicates your consent to tokenize. The platform registers your opt-in with the payment gateway and card network. You will not see this option for the same card again after the process is complete.
3. Your bank sends an OTP to your registered mobile number. This single OTP serves dual purpose: it authorizes the current flight booking payment and it approves the creation of the token. One OTP, two actions.
4. The card network generates a unique token. Behind the scenes, the payment gateway sends a tokenization request to the card network (Visa, Mastercard, or RuPay). The network generates a merchant-specific token and stores the token-to-PAN mapping securely in the Token Vault.
5. The merchant receives and stores only the token. Your actual 16-digit PAN is immediately and permanently removed from the merchant's system. They store the token and display only the last four digits of your card number so you can identify which card is saved.
6. All future bookings use the token automatically. The next time you pay on that platform, you select your saved card (shown as last 4 digits), enter a fresh OTP, and the merchant sends the token plus a one-time cryptogram to the card network — which decrypts the token and charges your actual card. You never type your full card details again.

5 Why Flight Bookings Are Higher-Risk Than Other Online Purchases

Flight bookings carry the highest average transaction value and the highest saved-card reuse rate of any consumer e-commerce category in India — making travel platforms the most attractive target for card fraud, and the most critical context in which tokenization applies.

Consider the exposure without the protections tokenization provides:

• An Indian family booking four round-trip tickets to London or Singapore may transact ₹3,00,000 to ₹7,00,000 in a single checkout session.
• A frequent business traveler typically saves the same card on four or five platforms simultaneously — MakeMyTrip, Cleartrip, IndiGo, Air India, and EaseMyTrip.
• Refunds on cancelled or changed bookings take 5–10 business days. During that window, a compromised card can be misused across multiple merchants before the cardholder detects unauthorized transactions.
• Late-night and international flight bookings happen around the clock — outside normal bank-monitoring hours.

6 Tokenization vs. No Tokenization — What Actually Changes for You?

The security difference between opting in and opting out is significant. The practical difference is equally clear: tokenizing makes every future checkout faster and removes the need to re-enter card details on that platform.

7 Does Tokenization Affect Flight Refunds or Chargebacks?

No. Tokenization has zero effect on how refunds or chargebacks are processed. If your flight is cancelled, rescheduled, or if you initiate a refund, the credit returns to your original bank account exactly as it would without tokenization — automatically, without any action required from you.

Here is why: when a refund is triggered by the booking platform, they send the token back through the payment gateway to the card network. The network's Token Vault maps the token to your real PAN, and the issuing bank credits the refund to your account. The entire process is invisible to you — no extra steps, no need to enter bank details, no delay caused by the tokenization layer.

8 Which Flight Booking Platforms and Card Networks Support RBI Tokenization?

Since October 1, 2022, all RBI-regulated payment entities processing card transactions in India must support tokenization. In practice, every major Indian flight booking platform is compliant — the "Secure your card" prompt is present across all of them.

Which card types are tokenizable?

The RBI framework applies to all card networks operating in India. Every common card type is supported:

• Visa debit and credit cards — tokenized via the Visa Token Service (VTS)
• Mastercard debit and credit cards — tokenized via Mastercard Digital Enablement Service (MDES)
• RuPay cards (debit and credit) — tokenized via NPCI's own token service
• American Express cards — tokenized via Amex's proprietary token service
• Diners Club cards — tokenized where supported by the payment gateway

Prepaid wallets, UPI handles, and net banking do not use card tokenization — the RBI CoF tokenization mandate applies specifically to debit and credit cards bearing a PAN.

9 Managing Your Saved Tokens — Delete, Update, Switch Devices

Your card token is stored by the booking platform, not by your browser, device, or mobile app. Switching phones, clearing browser history, or reinstalling an app has no effect on your saved token — your saved card reappears when you log back into your account on any device. Only explicitly deleting the saved card from your account settings removes the token.

How to delete a saved (tokenized) card

1. Log into your account on the booking platform.
2. Go to Account Settings → Saved Cards (or Payment Methods).
3. Select the card and click "Delete" or "Remove." The platform sends a deletion request to the card network, which removes the token from the Token Vault.
4. Once deleted, that merchant no longer has any reference to your card. You will need to re-enter and re-tokenize if you wish to save the card again in the future.

What happens when your card expires?

When your bank issues a renewal card with the same card number but a new expiry date and CVV, most Indian banks and card networks automatically update the expiry associated with your existing token. You will typically see "Card expiry updated" on your saved card without any action from you. If you receive a new card with a completely different card number (not a renewal), you will need to add and re-tokenize the new card on each platform separately.

10 Five Card Tokenization Myths — Debunked

Despite being in force for over three years, several misconceptions about RBI card tokenization persist among Indian cardholders. Here are the five most common — with accurate facts behind each.

Quick-Reference FAQ

What is the "Secure your card as per RBI guidelines" checkbox?
It is the opt-in for Card-on-File (CoF) tokenization. Checking it and confirming with an OTP replaces your 16-digit card number with a merchant-specific token on that platform — permanently.

Is card tokenization free in India?
Yes — always. RBI-mandated and enforceable since October 1, 2022, with no charge to the cardholder at any stage.

Does tokenization affect flight refunds?
No. Refunds are routed through the token back to your original bank account automatically. No action is needed from you.

Which flight platforms support RBI tokenization?
All major platforms — MakeMyTrip, IndiGo, Air India, Cleartrip, EaseMyTrip, and Yatra — are all RBI-compliant.

What happens to my saved token if I switch devices?
Nothing. The token is stored by the platform, not your device. Your saved card reappears on any device when you log back into your account.

Can I still book flights without tokenizing?
Yes. You simply re-enter full card details manually at each checkout. Tokenization is opt-in, not compulsory.