The RBI's 2021 Card Rules: What Protects You and What Doesn't
Tokenisation, zero-liability, and SMS alerts — what the Reserve Bank of India actually requires banks to do.
Rohan Mehta
Former bank product manager. Writes about how issuers price cards, fees, and rewards programs.
The 2021 rules in one paragraph
The RBI's 2021 master directions on card security and fraud created three pillars of cardholder protection:
- Tokenisation: card numbers stored at merchants must be replaced with tokens. A merchant never sees your real card number after tokenisation.
- Zero liability for unauthorised transactions: if you report the fraud within 3 working days and the bank confirms it, you owe nothing.
- Mandatory SMS/email alerts for every transaction: every transaction above a bank-defined threshold (typically ₹500) must trigger an alert.
These rules are mandatory for every bank. Below is what each one actually does for you.
Tokenisation in practice
Tokenisation means the merchant (Amazon, Flipkart, Netflix, etc.) doesn't store your real card number (the PAN). Instead, the card network (Visa, Mastercard, RuPay) issues a "token": a different card-format number that is tied to your card and to that merchant, and is only valid at that merchant. Only the token service provider (normally the network) holds the mapping between token and real card number.
If the merchant's database is breached, the attackers get tokens, not real card numbers. The tokens are useless at any other merchant, so the damage is contained to that one merchant. They do remain valid at the breached merchant itself until the network or issuer suspends them, so a breach still has to be followed by token revocation; this is containment, not immunity.
What tokenisation doesn't protect against:
- Fraud at the merchant's physical POS.
- Phishing attacks that steal your real card number directly.
- Lost or stolen physical cards.
- Bank-side data breaches.
Tokenisation is a defence against merchant-side breaches, not against all fraud.
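The merchant-binding property described above, as an added toy model (not any card network's real token service, and not code from this page's author): tokens are card-format, Luhn-valid numbers that only the vault can map back to a PAN; a token dumped from one merchant fails at another, a phished real PAN works anywhere, and suspension after a breach kills the leaked tokens at the breached merchant too. The merchant names, the "9999" token prefix and the PANs are constructed sample data (4111… and 5555… are the well-known card test numbers).

```python
"""Toy card-on-file token vault (added illustration, not any card network's real service).

Models the property the text describes: a token is bound to the merchant it was
issued for, so tokens leaked from one merchant cannot be charged at another,
while a phished real PAN can. Merchant names, the token prefix and the PANs are
constructed sample data."""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test (as real card numbers do)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, starting with the first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Maps token -> (real PAN, merchant). Only the vault ever sees both sides."""

    TOKEN_PREFIX = "9999"  # arbitrary for the toy; real token BINs are network-assigned

    def __init__(self, issued_pans: set[str]):
        self._issued = issued_pans  # PANs the issuer has actually issued
        self._tokens: dict[str, tuple[str, str]] = {}
        self._suspended: set[str] = set()

    def tokenise(self, pan: str, merchant: str, customer_consent: bool) -> str:
        if not customer_consent:
            raise PermissionError("token creation requires explicit cardholder consent")
        if pan not in self._issued or not luhn_valid(pan):
            raise ValueError("unknown or malformed PAN")
        while True:
            body = self.TOKEN_PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(11))
            token = body + luhn_check_digit(body)  # 16 digits, card-format, Luhn-valid
            if token not in self._tokens and token not in self._issued:
                break
        self._tokens[token] = (pan, merchant)
        return token

    def tokens_stored_at(self, merchant: str) -> list[str]:
        """What an attacker gets by dumping this merchant's card-on-file table."""
        return [t for t, (_, m) in self._tokens.items() if m == merchant]

    def suspend_merchant(self, merchant: str) -> int:
        """Revoke every token issued for a breached merchant; returns how many."""
        hit = self.tokens_stored_at(merchant)
        self._suspended.update(hit)
        return len(hit)

    def authorise(self, credential: str, merchant: str) -> bool:
        """Would the network approve a charge presented with this credential here?"""
        if credential in self._issued:  # a real PAN (e.g. phished) works anywhere
            return True
        entry = self._tokens.get(credential)
        if entry is None or credential in self._suspended:
            return False
        _, bound_merchant = entry
        return bound_merchant == merchant  # token only valid where it was issued


def breach_scenario() -> dict[str, bool]:
    """Walk through a merchant breach and a phished PAN; returns what each attempt yields."""
    vault = TokenVault(issued_pans={"4111111111111111", "5555555555554444"})
    tok = vault.tokenise("4111111111111111", "Flipkart", customer_consent=True)
    leaked = vault.tokens_stored_at("Flipkart")  # the breach dump
    result = {
        "token_is_card_format": luhn_valid(tok) and len(tok) == 16 and tok != "4111111111111111",
        "leaked_token_works_at_breached_merchant": vault.authorise(leaked[0], "Flipkart"),
        "leaked_token_works_elsewhere": vault.authorise(leaked[0], "Amazon"),
        "phished_pan_works_elsewhere": vault.authorise("4111111111111111", "Amazon"),
    }
    vault.suspend_merchant("Flipkart")
    result["leaked_token_works_after_suspension"] = vault.authorise(leaked[0], "Flipkart")
    return result


if __name__ == "__main__":
    for check, outcome in breach_scenario().items():
        print(f"{check}: {outcome}")
```

The two True results in the scenario are the point of the "doesn't protect against" list: a token is still a live credential at the merchant it was issued for until it is suspended, and nothing about tokenisation stops a real PAN obtained by phishing from being used anywhere.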
Zero liability in practice
If you report an unauthorised transaction within 3 working days:
- The bank provisionally credits the disputed amount (a "shadow reversal", due within 10 working days of your report): it still shows on your statement, but it doesn't accrue interest while the dispute is open.
- The bank investigates, typically resolving in 7–14 days for clear-cut cases.
- If the bank confirms the transaction was fraud, the amount is reversed and you owe nothing.
- If the bank determines you authorised the transaction, the dispute is rejected and you owe the amount (plus any finance charge if applicable).
What zero liability doesn't cover:
- Transactions where you shared your PIN or OTP with someone.
- Transactions on a card you authorised a friend or family member to use.
- Transactions on a card with a chip that was tampered with after issuance.
- Card-not-present transactions where the merchant proves you participated (e.g. you provided CVV, OTP, and billing address).
The bank's investigation is real — they review device fingerprints, IP addresses, delivery addresses, and your transaction history. Most disputes resolved in the customer's favour involve amounts above ₹5,000 where the customer has a clean history and a clear hotlist timeline.
Mandatory alerts in practice
Every Indian-issued card triggers an SMS or email alert for transactions above a bank-set threshold. The threshold is typically:
- ₹500 for transactions at physical merchants.
- ₹100 for online transactions.
- ₹1 for cash advances and ATM withdrawals (you'll get an alert for every cash advance).
If you don't receive an alert for a transaction you made, your bank may be non-compliant — file a complaint with the bank's Nodal Officer and escalate to the RBI Banking Ombudsman if unresolved.
What alerts don't protect against:
- Fraud that happens in real time, before you see the alert. Banks are required to send the alert within 60 seconds, but SMS delivery is sometimes delayed.
- Skimmed card data used for online transactions at merchants that don't require OTP.
- International transactions where the SMS provider has roaming delays.
Other 2021 rule changes worth knowing
- Card tokenisation needs your consent but is mandatory for online merchants: merchants can no longer store your real card number, so the merchant must request a token and you must approve it explicitly, with an additional factor of authentication (typically an OTP). Once approved, every subsequent transaction at that merchant uses the token automatically.
- Banks must publish dispute resolution timelines: typically 30 to 90 days. Most banks do better.
- Banks must provide a toll-free grievance channel: 24×7. The numbers are on every statement.
- Banks must share transaction data with the RBI's Centralised Fraud Registry: this helps detect patterns across banks.
What you should do as a cardholder
- Approve tokenisation at every merchant where you shop regularly. It's faster checkout and safer.
- Set transaction alerts for every transaction, not just above ₹500. Most banks let you toggle "alert for every transaction" in the app.
- Hotlist immediately on loss or theft. The 3-working-day zero-liability window is counted from when the bank's communication about the transaction (normally the alert) reaches you, not from when you happened to notice the loss; hotlisting within 24 hours and keeping the alert makes the timeline easy to prove.
- File disputes in writing. A verbal complaint over the phone is logged, but a written dispute (in-app or email) creates a record. The record matters if you escalate.
- Check monthly statements against your own records. A common fraud pattern is small transactions (₹200–₹500) at unfamiliar merchants. They're easy to miss in a 50-transaction statement.
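The two checks above (a transaction that should have triggered an alert but didn't, and small charges at merchants you have never used) as an added example; this is not a bank's tool or code from this page's author. It reconciles a statement export against the alerts logged from your phone. The CSV rows, merchant names and the known-merchant list are constructed sample data, and the per-channel thresholds are the ones this page quotes, assumed here to be the bank's configuration.

```python
"""Statement reconciliation against received alerts (added illustration, not a bank tool).

Two checks: (1) transactions at or above the channel's alert threshold for which no
alert arrived, worth a complaint to the bank; (2) small charges at merchants you have
never used. All data below is constructed sample input."""
import csv
import io
from datetime import datetime, timedelta

# Thresholds the article quotes (in rupees), assumed here to be the bank's configuration.
THRESHOLDS = {"POS": 500.0, "ONLINE": 100.0, "ATM": 1.0}

# Constructed statement export: date, merchant, channel, amount.
STATEMENT_CSV = """date,merchant,channel,amount
2024-03-02 10:15,BigBasket,ONLINE,1450.00
2024-03-03 19:40,Cafe Coffee Day,POS,320.00
2024-03-05 08:02,ATM HDFC Andheri,ATM,2000.00
2024-03-06 22:11,QUICKSHOP ONLINE,ONLINE,299.00
2024-03-08 13:30,Netflix,ONLINE,649.00
2024-03-09 11:05,DIGISTORE PVT,ONLINE,450.00
"""

# Constructed log of SMS alerts as they arrived on the phone.
ALERTS_CSV = """time,amount,merchant
2024-03-02 10:15,1450.00,BigBasket
2024-03-05 08:02,2000.00,ATM HDFC Andheri
2024-03-08 13:31,649.00,Netflix
2024-03-09 11:05,450.00,DIGISTORE PVT
"""

# Merchants this cardholder has used before (constructed).
KNOWN_MERCHANTS = {"BigBasket", "Cafe Coffee Day", "ATM HDFC Andheri", "Netflix"}


def parse_rows(text: str, time_field: str) -> list[dict]:
    """Parse a CSV export, converting the timestamp column and the amount."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r[time_field] = datetime.strptime(r[time_field], "%Y-%m-%d %H:%M")
        r["amount"] = float(r["amount"])
        rows.append(r)
    return rows


def missing_alerts(txns, alerts, thresholds=THRESHOLDS, window=timedelta(minutes=10)):
    """Merchants of transactions that required an alert but have no alert matching
    the amount within `window` of the transaction time (SMS can lag a little)."""
    flagged = []
    for t in txns:
        if t["amount"] < thresholds[t["channel"]]:
            continue  # below the channel threshold, no alert owed
        matched = any(abs(a["amount"] - t["amount"]) < 0.005
                      and abs(a["time"] - t["date"]) <= window
                      for a in alerts)
        if not matched:
            flagged.append(t["merchant"])
    return flagged


def unfamiliar_small_charges(txns, known=KNOWN_MERCHANTS, low=200.0, high=500.0):
    """Small charges at merchants not in your history: the pattern that hides in long statements."""
    return [t["merchant"] for t in txns
            if t["merchant"] not in known and low <= t["amount"] <= high]


def review(statement_csv=STATEMENT_CSV, alerts_csv=ALERTS_CSV) -> dict[str, list[str]]:
    txns = parse_rows(statement_csv, "date")
    alerts = parse_rows(alerts_csv, "time")
    return {"no_alert": missing_alerts(txns, alerts),
            "unfamiliar_small": unfamiliar_small_charges(txns)}


if __name__ == "__main__":
    print(review())
```

In the sample, the ₹320 café charge is correctly not flagged (below the ₹500 POS threshold), the Netflix alert that arrived a minute late still matches, and the ₹299 charge at an unknown online merchant shows up in both lists, which is exactly the case to dispute in writing.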
The bottom line
The RBI's 2021 rules give you strong baseline protection: tokenisation against merchant breaches, zero liability for promptly reported fraud, alerts for every transaction. Use them. The single biggest improvement any Indian cardholder can make is to enable alerts for every transaction, regardless of amount, and review the statement weekly. Fraud that is detected within 24 hours has a near-100% reversal rate. Fraud detected after 30 days has a 50–60% reversal rate.