RBI issues new guidelines for digital payment security, check details here

The Reserve Bank of India (RBI) has announced that new directions regarding digital payment authentication will come into force from April 1, 2026. According to an official notification, all Payment System Providers and Participants—including banks and non-bank entities—must ensure full compliance with these directions by the deadline, unless specifically stated otherwise.

### Enhanced Authentication Measures for Digital Payments

Currently, most digital transactions in India rely on SMS-based One-Time Passwords (OTPs) as the second factor of authentication. However, with the rapid evolution of technology and the increasing sophistication of cyber threats, the RBI now mandates that all digital payment transactions incorporate at least two distinct authentication factors. Importantly, at least one of these factors must be dynamic—that is, unique to each transaction—to help prevent fraud and unauthorized access.

### Applicability of New Directions

The new directions apply to all domestic digital transactions. Additionally, special provisions have been made regarding cross-border card-not-present (CNP) transactions. For international transactions where the physical card is not used, issuers are required to implement suitable verification mechanisms by October 1, 2026.

### Background and Stakeholder Consultation

The RBI had earlier issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024. Furthermore, draft directions on the introduction of Additional Factor of Authentication (AFA) in cross-border CNP transactions were released on February 7, 2025. These drafts were shared for stakeholder comments, and feedback from the public has been examined and suitably incorporated into the final directions.

### Key Highlights of the Framework

- **Encouragement of New Authentication Factors:** The framework promotes the adoption of new factors of authentication by leveraging the latest technological advancements. However, it does **not** call for discontinuing SMS-based OTP as an authentication factor.

- **Risk-Based Additional Checks:** Issuers are enabled to adopt additional risk-based checks beyond the mandatory two-factor authentication, based on the fraud risk perception associated with the underlying transaction.

- **Interoperability and Open Access:** The directions emphasize facilitating interoperability and open access to authentication technologies.

- **Clear Responsibility for Issuers:** The framework delineates the responsibilities of card issuers clearly.

- **Mandatory Validation for Cross-Border CNP Transactions:** Card issuers must validate the Additional Factor of Authentication in non-recurring cross-border CNP transactions whenever such validation is requested by the overseas merchant or acquirer.

These measures are aimed at strengthening the security of digital payments in India while promoting innovation and flexibility in authentication methods. Payment providers and participants are encouraged to align their systems with these guidelines well before the implementation deadline to ensure compliance and enhanced security.

https://www.mid-day.com/news/india-news/article/rbi-issues-new-guidelines-for-digital-payment-security-in-india-check-complete-details-here-23595755
