RBI tokenisation 2026 — what the saved-card framework actually does to your flight bookings on MakeMyTrip, IndiGo and others
By Vihaan Patel (Vihaan Patel covers the intersection of travel and digital payments — Indian OTAs, airline-direct booking flows, UPI vs credit-card surcharges, RBI tokenisation rules and the booking-funnel mechanics that quietly cost (or save) you money.) · Published · 10 min read
The RBI's card tokenisation framework, mandatory from July 2022 and continuously expanded since, has quietly transformed how Indian flight booking payments work. Merchants like MakeMyTrip, IndiGo and Air India no longer store your full card number — they store a network-issued token. This is the structured 2026 explainer of what tokenisation is, why it exists, what it changes for the consumer and the failure modes to watch for.
What this article covers
What card tokenisation actually is in plain English
The phased rollout — what changed from 2021 to 2026
What changes for the consumer at booking time
Security implications — what tokenisation does and does not protect against
Re-tokenisation when your card is renewed or replaced
Tokenisation and recurring travel subscriptions
Edge cases — international cards, virtual cards, and corporate cards
What to expect from tokenisation in 2027 and beyond
Frequently asked questions
When did RBI's card tokenisation become mandatory for Indian merchants?
The RBI's card-on-file tokenisation framework was first directed in March 2021, with an initial deadline of January 2022. After industry feedback, the deadline was extended to July 2022 and then to October 2022 for full enforcement. Through Q4 2022 and 2023, merchants like MakeMyTrip, IndiGo, Air India and the major Indian OTAs progressively re-tokenised their saved-card vaults. By early 2024 the framework was fully operational across the major Indian payment ecosystem and merchants could no longer store full Primary Account Numbers (PAN).
Does tokenisation mean my saved cards on MakeMyTrip are safer in 2026?
Yes, materially. Pre-tokenisation, MakeMyTrip and similar merchants stored your full 16-digit card number, which created a single point of compromise. If their database was breached, full card details would leak. Post-tokenisation, MakeMyTrip stores only a network-issued token that is useless outside the card network's mapping system. A future breach of MakeMyTrip's customer database would expose tokens but not actual card details. This is a structural security improvement that protects against the kind of breach scenarios that have affected Indian e-commerce in earlier years.
What happens to my saved cards on flight booking sites when my card is renewed?
When your card is renewed with the same number but updated expiry (typical at end of card validity period), the saved-card tokens at MakeMyTrip, IndiGo and other merchants typically update automatically via the network's token-lifecycle-management service. You don't need to do anything. When your card is replaced with a new number (lost card, upgrade to new product), the existing tokens become invalid and you'll need to re-save the new card on each merchant the next time you book. The merchants handle this gracefully with a re-save prompt during checkout.
Do I still need to enter OTP for saved-card flight bookings on IndiGo or Air India?
Yes. Tokenisation removes the need to re-enter the full 16-digit card number but does not remove the Additional Factor of Authentication (AFA) requirement. RBI rules require OTP (or other AFA mechanism like biometric authentication via issuer app) for online card transactions over ₹2,000. So a saved card on goindigo.in or airindia.com in 2026 still requires CVV plus OTP for each booking. The saved-card-via-token flow is faster because you don't need to type the 16-digit number, but the authentication step is preserved for security.
Can I see and manage which Indian flight booking sites have saved my card?
Yes, increasingly. The RBI's CoFT (Card-on-File Token) service rolled out through issuer banks in 2024-2026 allows you to see which merchants have your card tokens, via your bank's mobile app. HDFC, Axis and ICICI have full CoFT management interfaces in 2026 where you can view tokens at MakeMyTrip, Yatra, IndiGo, Air India and other merchants, and revoke any token you no longer want. This is still emerging functionality — not all issuers support it for all merchants — but it is the direction the framework is heading.
Does tokenisation apply to my international card used on Indian flight booking sites?
No, the RBI tokenisation framework applies to Indian-issued cards regardless of where used. Foreign-issued cards (HSBC UK, Chase USA, etc.) used at Indian merchants are not tokenised under the Indian framework. They may be tokenised under the card issuer's own framework or under EMVCo standards, but this is the issuer's choice rather than an Indian regulatory requirement. For NRIs using foreign-bank cards on MakeMyTrip or IndiGo, the saved-card experience may differ from the Indian-card tokenised experience.
What is the difference between RBI tokenisation and 3D-Secure?
They solve different problems. Tokenisation protects the card data at rest at the merchant — what the merchant stores in their database. 3D-Secure protects the card during a transaction by adding an authentication step (typically OTP) before the transaction completes. Tokenisation reduces the impact of merchant-side breach. 3D-Secure reduces the risk of unauthorised transactions even if the card details are known. Both apply to Indian flight booking payments in 2026 — tokenisation for saved cards, 3D-Secure for transaction authentication. They are complementary safety mechanisms.
Can I opt out of saving my card as a token on Indian flight booking sites?
Yes. Every Indian merchant supporting saved-card functionality in 2026 also offers a 'do not save card' option at the payment page. If you select this, the merchant processes the transaction with your card details but does not save the token for future use. For one-time bookings on merchants you don't expect to use again, this is a reasonable choice. For frequent-use merchants, the saved-token flow is meaningfully faster and the security risk is materially lower than pre-tokenisation, so saving the card is generally a good trade-off in 2026.