The Reserve Bank of India’s recent push for card-on-file tokenisation attempts to solve for the privacy and data security risk in India’s payments sector. This article argues that while the tokenisation framework is motivated by necessary considerations, it is a sub-optimal method to solve for such risk as it does not meaningfully engage with the privacy-related dimensions of financial data protection. The optimal method to address such risk, we argue, is the enactment of a comprehensive data protection law, which encodes guiding principles recognised in data protection legisprudence across jurisdictions. To substantiate this, the article analyses select aspects of data protection frameworks and demonstrates their value in creating privacy-preserving financial services in India. While the (Indian) Data Protection Bill, 2021 (‘DP Bill’)⁺ may serve as a useful template for such a framework, the question of whether the provisions of the DP Bill meet this threshold, is beyond the scope of this article. The observations of this article are relevant for FinTech firms, sectoral regulators in India, and scholars of privacy law and financial regulation.