In India’s rapidly transforming digital payments landscape, ensuring transaction security remains a top priority. All digital payment transactions are currently required to comply with the norm of two-factor authentication (2FA). While regulations do not mandate specific authentication factors, SMS-based One-Time Passwords (OTPs) have become the de facto standard across the ecosystem.
Recognising the need to move beyond traditional methods and utilize emerging technologies, the Reserve Bank of India (RBI) has introduced the Authentication Mechanisms for Digital Payment Transactions Directions, 2025.
These Directions aim to provide a flexible, principle-based approach to authentication, allowing ecosystem participants to adopt alternative mechanisms that enhance both security and user experience. While the Directions are focused on domestic digital transactions, they also address select cross-border card transactions to ensure a consistent level of safety for international online payments made using cards issued in India.
Applicability
These Directions shall be applicable to all domestic digital payment transactions, effective from April 01, 2026, unless indicated otherwise for any specific provision herein.
- Payment System Provider
- Payment System Participants (Banks and Non-Banks)
Principles for authentication of digital payment transactions
Payment System Provider/ Payment System Participant shall comply with the following principles in order to deploy the technology and process for authentication of payment instructions:
- Minimum two factors of authentication: Mandatory two distinct factors of authentication for all domestic digital payment transactions, which may include:
  - Something the user has
  - Something the user knows
  - Something the user is
- At least one of the factors to be dynamic: To further secure the transaction, at least one of the two authentication factors shall be dynamic, i.e., it must be unique to the transaction and verifiable in real time.
- Robust: Factor authentication shall be such that compromise of one factor does not affect the reliability of the other factor.
Interoperability/ Open Access
All system providers and participants shall ensure that authentication and tokenisation services are interoperable and accessible across platforms and applications, regardless of device or operating environment. This direction aligns with the RBI’s earlier guidelines on tokenisation of card transactions issued in 2019.
Risk Based Authentication
- Issuers shall implement risk-based authentication mechanisms that factor in:
  - Behavioural analytics,
  - Device fingerprinting,
  - Transaction pattern, and
  - Geolocation.
- Suspicious or high-risk transactions may require additional authentication beyond the basic two factors.
- For instance, DigiLocker may be used to notify and confirm high-risk transactions.
Issuer’s Accountability
The issuer:
- Is fully responsible for secure authentication systems
- Must compensate customers for losses occurring due to non-compliance
- Must adhere to the provisions of the Digital Personal Data Protection Act, 2023
Specific Guidelines for Cross Border Transactions
While these guidelines apply to domestic transactions, the Reserve Bank of India has issued specific instructions for cross-border transactions:
- By October 1, 2026, all non-recurring cross-border card-not-present (CNP) transactions shall be validated through an authentication mechanism, if requested by the overseas merchant or acquirer.
- Issuers shall register their Bank Identification Numbers (BINs) with card networks to ensure this validation process.
- A risk-based approach must also be developed for cross-border transactions, reinforcing the integrity of international card usage.
Conclusion
The Reserve Bank of India’s new Directions on authentication mechanisms represent a progressive shift in India’s digital payments landscape. By striking a balance between security and user convenience, and by encouraging the use of modern technology, the Reserve Bank of India is laying the groundwork for a more secure, scalable, and inclusive digital payment infrastructure.
Disclaimer
The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create, and receipt of it does not constitute, any relationship. Readers should not act upon this information without seeking professional legal counsel.