The Reserve Bank of India (RBI) on Thursday announced comprehensive new directions aimed at significantly strengthening the security of digital transactions.
In line with its earlier announcements, the RBI has now formalised the move through the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.
The directions will come into force from 1 April 2026, an official notification said.
“All Payment System Providers and Participants, including both banks and non-bank entities, must ensure full compliance with these directions by the deadline, unless specifically stated otherwise,” the RBI notification said.
At present, most digital transactions in India depend on SMS-based One-Time Passwords (OTPs) as the second factor of authentication. However, given the rapid evolution of technology and the increasing sophistication of cyber threats, the RBI now mandates that all digital payment transactions must incorporate at least two distinct authentication factors, with at least one being dynamic -- unique to each transaction -- to prevent fraud and unauthorised access.
The new directions apply to all domestic digital transactions, with special provisions for cross-border card-not-present transactions. For international transactions where the physical card is not used, issuers must implement suitable verification mechanisms by October 1, 2026.
"RBI had issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft directions on introduction of Additional Factor of Authentication (AFA) in cross-border Card Not Present (CNP) transactions on February 07, 2025, for stakeholder comments," the official notification said.
Key highlights of the framework include:
Feedback from the public has been examined and suitably incorporated in the final directions. The directions, inter alia, focus on the following:
- Encouraging introduction of new factors of authentication by leveraging upon technological advancements. The framework, however, does not call for discontinuation of SMS based OTP as an authentication factor.
- Enabling issuers to adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction.
- Facilitating interoperability and open access to technology
- Delineating the responsibility of Issuers.
- Mandating card issuers to validate AFA in non-recurring cross-border CNP transactions whenever such a request is raised by the overseas merchant or acquirer.



