Token Gateway Solution

RBI has mandated that Merchants, Payment Gateways(PGs) and Payment Aggregators(PAs) can no longer store sensitive card data in their own infrastructure in order to prevent data exposures and enhance card transaction security. Further, RBI has permitted card networks to offer card tokenization technology required to support a saved card payment experience for your customers.  Therefore, merchants that currently leverage saved card payments for faster and easier checkouts need to partner with card networks directly or indirectly in order to ensure business continuity of saved card payments for existing and future customers. 


With the above context, Paytm has partnered with all major card networks to provide a comprehensive and single integration solution to our merchants. Paytm’s Token Gateway Solution is applicable for PCI compliant merchants that currently store card data in their infrastructure as well as non-PCI compliant merchants that have partnered with a PA/PG to support saved card payments for their customers.

What is Tokenization?

The technology behind the Paytm Token Gateway solution is Card on File Tokenization. Card on File Tokenization encrypts the sensitive card details into an opaque Token that is not bound to any device but is mapped to a merchant. This token can be used across any of the merchant’s platforms ( Web, MWeb, Android, IOS etc) for future card transactions. Thus eliminating the need for merchants, PGs and PAs to store sensitive card data and pass the card number through various entities involved in processing a card transaction. 


As per RBI guidelines tokenization of a card can be performed only with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by the card issuer. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined. The sensitive card data is secured in the network's vault and a reference to the token number aka Paytm’s Token Index Number is shared with the merchant. The Token Index Number is used to fetch the full token PAN and transaction-specific cryptogram in real-time required to process a tokenized card transaction.

Overview of Card On File Tokenization

  1. Cardholder consents to save a card on your merchant app/ website.
  2. You initiate the card transaction with Paytm along with user consent information. The saved card consent is stored by Paytm TG upon successful authentication of the transaction. Here authentication simply means OTP verification success with the end customer.
  3. Paytm TG sends a tokenization request to the network along with a conditional authentication identifer for successful verification of 2FA. 
  4. Network creates a token after an optional approval from the issuer and returns response to Paytm TG.
  5. Paytm TG returns a unique Token Index Number(TIN) corresponding to your tokenization request.
  6. Paytm TG provides the last 4 digits of the card, issuing bank and other token related attributes required for the purpose of rendering and processing a tokenized saved card upon successful tokenization with the network.
  7. At the time of initiating a transaction, merchants can initiate the transaction with Paytm PA using only the Token Index Number.
  8. Paytm TG will fetch the completed Token PAN Number and the transaction-specific cryptogram from the card schemes in real-time and route the transaction with one of your accepted acquirer banks. 
  9. Token, Token cryptogram and Token Expiry flows to card schemes via the acquirer bank. Card schemes replace the same with actual card details and share it with the issuing bank for the purpose of transaction processing.

Ways to Tokenize Cards

  1. Customer saves card with a transaction: Card Tokenization can be performed in- line with transaction when customer provides explicit consent to save/tokenize the card during a first-time transaction and keys in the complete PAN details. In case the card PAN is already available with the merchant then only the consent needs to be captured from the customer. Once the in-line transaction has been authenticated successfully i.e. OTP verification is complete, the merchant can raise the request to tokenize the card to the Token Gateway. No separate OTP will be generated for tokenization.
  2. Customer saves card without transaction: Card Tokenization can also be done separately when a customer wants to store card credentials on your app or website without making a payment for the service. Here too, you have to create a penny drop workflow wherein a transaction is done for INR 1.00. After payment and tokenization is completed, the collected penny can be refunded to the user.

Integration Steps

This section explains the integration steps to save a New Card during the payment and retrieve an existing Saved card from the Network Vault via Paytm Token Gateway on the merchant's app/website.


Before you begin the integration, make sure you follow the steps below:

  1. Create an account on Paytm as a merchant. Click how to create an account
    Note: Save the Paytm MID and merchant key generated in the above step.
  2. Contact Paytm’s onboarding team or your KAM to place the activation request for Paytm Token Gateway Solution on an existing  Paytm MID/s.

Types of Integration

Paytm TG supports tokenization on any number of PAs including Paytm PA. Merchants can flexibly choose a preferred integration depending on their current and future integrations plans with Paytm PA. First integration is recommended for merchants with multiple PAs while second is recommended for custom checkout merchants with only Paytm PA processing capabilities. There are no integration changes expected in Paytm Managed Checkouts.

Lifecycle Management of tokens

As mandated by RBI, you need to provide a workflow wherein a customer can see his saved cards and delete the same. Additionally some networks have also provided a workflow of deactivate/activate that will be provided at a later point of time by Paytm.

Fetch all saved cards

All saved cards of the user can be fetched using Fetch Saved Card API. Some details of this API are as follows:

  1. Via this API, merchants will be able to fetch the tokenized cards as well as saved cards stored in the current vault against the user. 
  2. Along with unique identifiers of cards and tokens, this will consists of token attributes (token expiry, token reference number), card attributes (Issuing bank, Credit/Debit card, International Card etc) along with other details.

Delete an existing saved card

  1. You can use the Modify Token Status to update the status of the token. Today we only support Delete operations on the tokens that will be extended in the future. 
  2. Post request validations, we will request the same to card scheme and communicate the status back in response.
  3. If Notify Token webhook is configured, updated status will be communicated via the same.
  4. Using the token index number received in Fetch Saved Card API, you can use the Get Token Info API to get latest token status as well.

Refunds and chargeback

There is no change as these flows of agnostic of card details and functions on original transaction IDs.

Note: In the event of loss of mobile device or any other such event which may expose card tokens to unauthorised usage, the customer should reach to the card issuing bank to block card tokens.