Tokenisation is currently available on staging only. Production GA targeted for {TOKENIZATION_GA_TARGET_QUARTER}. The beta endpoint contracts below are subject to change before GA.
SabPaisa supports card-on-file (CoF) tokenisation in compliance with the Reserve Bank of India Tokenisation – Card Transactions framework (DPSS.CO.PD No.1485/02.14.003/2019-20 and subsequent amendments).
What this means for merchants today
Whether or not you use tokenisation, the following applies to every merchant accepting cards through SabPaisa.
Do NOT: Store full card data on your servers
You must not store the full card number (PAN), CVV, expiry date, or full magnetic-stripe / chip / track data on your servers or databases. Mandated by RBI PA-PG Guidelines §7.4 and §10.4.
May Store: Last 4 digits + issuer name (display only)
You may store the last 4 digits of the PAN and the card issuer name — for display purposes only (e.g. “Visa ending 4242”).
One-time payments
Use SabPaisa's hosted checkout (POST /api/v2/payments). Card data is collected on SabPaisa's PCI-DSS environment and never touches your servers. You remain PCI-DSS SAQ A.
Recurring billing or save-card flows
Tokenisation is the only RBI-compliant approach. See Tokenisation Beta below.
What is supported in production today
| Use case | Supported approach |
|---|---|
| One-time card payment | Hosted Checkout — full PCI scope handled by SabPaisa |
| 3D Secure 2.x authentication | Enforced automatically by hosted checkout |
| Refund to original card | Yes — via POST /api/v2/refunds |
| Subscription / recurring | Contact your account manager for current mandate-based options |
| “Save card for next time” UX | Not yet — available with tokenisation GA |
| Network tokens (Visa / Mastercard / RuPay) | In beta — see below |
Tokenisation Beta (staging only)
What's supported in the beta
- Network tokens via {SUPPORTED_NETWORKS_LIST_FROM_PLATFORM}
- CoFT (Card-on-File Tokenisation) per RBI framework — tokens are issued by the card network, not by SabPaisa
- Customer consent + Additional Factor of Authentication (AFA) collected at token creation
- Per-merchant token vault: tokens are not transferable across merchants (RBI requirement)
- Token lifecycle: create, fetch metadata, delete
Beta API endpoints (staging only)
Subject to change before GA. Verify the latest contracts when you join the beta.
Create a token
Tokens are created during a successful payment, with explicit customer consent and AFA.
```http
POST /api/v2/tokens
X-Api-Key: your_staging_api_key
X-Merchant-Id: your_merchant_id

{
  "paymentId": "sppay_abc123",
  "consent": {
    "consentGiven": true,
    "consentTimestamp": 1717890000,
    "consentText": "Customer agreed to save card for future use"
  }
}
```
Response:
```json
{
  "tokenId": "tok_xyz789",
  "network": "VISA",
  "lastFourDigits": "4242",
  "expiryMonth": "12",
  "expiryYear": "2028",
  "issuer": "HDFC Bank",
  "createdAt": "2026-06-09T10:30:00Z"
}
```
Pay with an existing token
```http
POST /api/v2/payments
X-Api-Key: your_staging_api_key

{
  "merchantId": "YOUR_MERCHANT_ID",
  "merchantTxnId": "ORDER_001",
  "amount": 50000,
  "currency": "INR",
  "tokenId": "tok_xyz789",
  "customerName": "Customer Name",
  "customerEmail": "[email protected]",
  "customerPhone": "9876543210",
  "returnUrl": "https://yoursite.com/payment/return",
  "checksum": "...",
  "timestamp": 1717890000
}
```
Customer is still challenged for AFA per RBI rules (CVV + OTP or 3DS challenge).
Fetch token metadata
```http
GET /api/v2/tokens/{tokenId}
X-Api-Key: your_staging_api_key
X-Merchant-Id: your_merchant_id
```
Delete a token
```http
DELETE /api/v2/tokens/{tokenId}
X-Api-Key: your_staging_api_key
X-Merchant-Id: your_merchant_id
```
How to join the beta
Email [email protected] with:
- Your merchant ID
- Your use cases (recurring billing / one-click checkout / etc.)
- Expected monthly token-creation volume
You will receive staging credentials with tokenisation enabled and updated API contracts.
Roadmap
| Milestone | Target | Status |
|---|---|---|
| Tokenisation staging beta | Done | Available |
| Closed production pilots | {PILOT_TARGET_QUARTER} | Planning |
| General availability | {GA_TARGET_QUARTER} | Planned |
Updates will be posted to the Changelog.
What you should do today
If you handle cards today
Confirm you do not store PAN/CVV/expiry on your servers. If you do, migrate to SabPaisa hosted checkout immediately.
If you need recurring billing
Contact your account manager to discuss mandate-based subscription options available today.
If you have a save-card UX in your roadmap
Defer the merchant-side implementation; raise a beta-access request so you can validate the staging API contracts before your launch.
RBI compliance references