What are the RBI / e-commerce compliance rules for Indian Magento stores?

Three layers to comply with:

  1. RBI tokenisation (Sept 2022+): cards stored on your end must be tokenised via the Network Tokens API (Razorpay / Paytm handle this in their gateway flows). DON’T store the raw PAN.
  2. Consumer Protection (E-Commerce) Rules 2020, mandatory: country-of-origin labels on products, grievance officer contact, a return policy of ≥ 30 days for damaged items, and no flash sales without 7-day notice.
  3. GDPR-equivalent: India’s DPDP Act 2023 (phased rollout effective 2024+) requires consent flows, data-fiduciary registration above thresholds, and breach notification within 72h. Configure cookie consent and privacy-policy versioning.