RBI issues directions for digital payment transaction authentication mechanism
The Reserve Bank of India (RBI) has issued new guidelines for digital payment authentication, effective April 1, 2026, mandating two-factor authentication for all transactions. These guidelines emphasize dynamic authentication factors, risk-based ...
By Sneha Kulkarni, ET Online | Updated:
ET Online
The Reserve Bank of India (RBI) has released its guidelines on the authentication mechanism framework for digital payment transaction authentication. These directions will come into effect from April 1, 2026, unless stated otherwise for specific provisions, the RBI says in a statement.
In its statement, the Reserve Bank has highlighted the key areas such as authentication factors, mandatory two-factor authentication, risk-based checks, validation of additional authentication in cross-border transactions, promoting interoperability, and the responsibilities of issuers.
As per the statement from the RBI, the directions, inter alia, focus on the following:
The RBI says that all digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.
Govt extends CGHS medical benefits to dependent transgender children and siblings; check details
RBI says that all digital payment transactions shall be authenticated by at least two distinct factors of authentication as defined in Paragraph-5(f), unless exempted.
At least one of the factors should be dynamic, says RBI
The central bank says that be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
Sanjay Tripathy, CEO & Co-Founder, BRISKPE, a cross-border payments platform, says, "RBI by mandating risk-based checks in its latest directions has formalized a framework that encourages a variety of authentication mechanisms beyond just SMS-based OTPs. The specific requirement for validating an Additional Factor of Authentication (AFA) in cross-border card-not-present transactions is a critical step to increase trust and reduce risks, which will ultimately benefit both businesses and their customers. It provides a clear, uniform standard that aligns with global best practices and will strengthen India's position in the international digital payments landscape. The move will foster a more robust and compliant ecosystem, ensuring smoother and more secure cross-border transactions for all.”
The RBI says that a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 01, 2026.
“The directions outlined above are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.”
In its statement, the Reserve Bank has highlighted the key areas such as authentication factors, mandatory two-factor authentication, risk-based checks, validation of additional authentication in cross-border transactions, promoting interoperability, and the responsibilities of issuers.
As per the statement from the RBI, the directions, inter alia, focus on the following:
The RBI says that all digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.
Factor for digital payment transaction authentication
The central bank says that the factors of authentication can be from ‘something the user has’, ‘something the user knows’ or ‘something the user is’ and may comprise, inter-alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar-based).Govt extends CGHS medical benefits to dependent transgender children and siblings; check details
RBI says that all digital payment transactions shall be authenticated by at least two distinct factors of authentication as defined in Paragraph-5(f), unless exempted.
At least one of the factors should be dynamic, says RBI
The central bank says that be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
RBI’s risk-based checks for digital payment transactions
The RBI says that issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural / contextual parameters such as transaction location, user behaviour patterns, device attributes, historical transaction profile, etc.ADVERTISEMENT
According to the RBI’s Directions issued on September 25, 2025, “Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.”Sanjay Tripathy, CEO & Co-Founder, BRISKPE, a cross-border payments platform, says, "RBI by mandating risk-based checks in its latest directions has formalized a framework that encourages a variety of authentication mechanisms beyond just SMS-based OTPs. The specific requirement for validating an Additional Factor of Authentication (AFA) in cross-border card-not-present transactions is a critical step to increase trust and reduce risks, which will ultimately benefit both businesses and their customers. It provides a clear, uniform standard that aligns with global best practices and will strengthen India's position in the international digital payments landscape. The move will foster a more robust and compliant ecosystem, ensuring smoother and more secure cross-border transactions for all.”
ADVERTISEMENT
RBI’s instructions for cross-border transactions
The RBI says that a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 01, 2026.“The directions outlined above are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.”
Download
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
Download
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
ADVERTISEMENT
