News
RBI Issues Directions for Authentication Mechanisms
The Reserve Bank of India has issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, mandating two-factor authentication for all digital payments. These directions, which also cover specific cross-border card transactions, must be complied with by all Payment System Providers and Participants by April 1, 2026.
Under the framework, all digital payment transactions (except card-present transactions) must include at least one dynamic authentication factor that is unique to each transaction. Further, compromise of one factor must not undermine the reliability of the other. Depending on the risk profile of a transaction, issuers may implement additional security checks beyond the minimum 2FA requirement. Acceptable authentication methods include passwords, SMS-based OTPs, passphrases, PINs, card hardware, software tokens, fingerprints, or other biometric identifiers.
Issuers are accountable for ensuring the robustness and integrity of authentication mechanisms and for compliance with the Digital Personal Data Protection Act, 2023. In case of non-compliance, issuers must compensate customers in full for any loss, without demur.
By October 1, 2026, issuers are further required to:
- Implement a mechanism to validate non-recurring cross-border card-not-present (CNP) transactions initiated by overseas merchants or acquirers; and
- Register their Bank Identification Numbers (BINs) with card networks.
They must also put in place a risk-based framework for handling all cross-border CNP transactions.
As clarified through earlier circulars, certain transactions remain exempt from the mandate. These include small-value contactless card payments, recurring transactions under e-mandates, select prepaid instruments (such as PPI-MTS and gift PPIs), NETC transactions, small-value offline digital payments, and certain travel bookings.
Notably, the provisions relating to customer consent and transaction alerts, which were present in the draft issued in July 2024, have been omitted in the final directions.
