In September 2025, the Reserve Bank of India (RBI) released the ‘Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025’, establishing new guidelines to enhance the security of digital payment transactions across India.
- These directions are issued under Sections 18 and 10(2) of the Payment and Settlement Systems (PSS) Act, 2007 (Act 51 of 2007).
- These directions apply to all Payment System Providers and Participants (banks & non-banks) for domestic digital payment transactions and will come into force on April 1, 2026.
Exam Hints:
- What? Release of ‘Authentication Mechanisms for Digital Payment Transactions Directions, 2025’
- By: RBI
- Effective from: April 1, 2026 (domestic), CNP cross-border transactions: October 1, 2026
- Applicable to: All Payment System Providers and Participants
- Legal basis: Sections 18 & 10(2) of PSS Act, 2007
- 2-Factor Authentication (2FA): Must include at least one dynamic factor
- Issuer Responsibility: Ensure robust authentication
Key Highlights of RBI’s Direction:
2-Factor (2-F): For digital payment transactions, other than card-present transactions, at least one of the factors of authentication must be dynamically created or proven.
- The factors of authentication shall be such that compromise of one factor does not affect the reliability of the other.
Framework for authentication: The 2F authentication factors must fall under the following three broad categories:
- Something the user knows – password, passphrase, or Personal Identification Number (PIN).
- Something the user has – Automated Teller Machine (ATM) card, smart card.
- Something the user is – biometrics such as fingerprints, facial recognition, or Aadhaar-based verification.
Currently: All digital payment transactions in India must comply with the requirement of two-factor (2F) authentication.
- Although no specific method has been mandated, the ecosystem has largely relied on Short Message Service (SMS)-based One-Time Passwords (OTPs) as the additional factor.
- But with evolving technology and increasing fraud risks, the RBI wants to provide more secure and user-friendly alternatives.
Risk-Based Approach: RBI advised that issuers may strengthen security by applying additional checks beyond the mandatory two-factor authentication.
- Additionally, financial institutions may use contextual and behavioural checks to strengthen security, such as: transaction location, device details, user behaviour patterns, historical transaction profiles.
- Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
Issuer Responsibility: An issuer shall ensure the robustness and integrity of the authentication mechanism before deployment.
- If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur.
- Issuers must comply with the provisions of the Digital Personal Data Protection (DPDP) Act, 2023.
Cross-Border (CB) Transaction: The guidelines also address authentication in CB payments, which have been particularly vulnerable to fraud.
- While the rules will not apply to all CB digital transactions, the RBI has directed card issuers to implement risk-based mechanisms for handling cross-border Card-Not-Present (CNP) transactions by October 1, 2026.
About Reserve Bank of India (RBI):
The Reserve Bank of India was established on April 1, 1935 in accordance with the provisions of the RBI Act, 1934. The RBI was nationalised in 1949 under the Banking Regulation Act, 1949. The RBI is governed by a central board of directors, which is appointed by the Government of India (GoI).
Governor – Sanjay Malhotra
Headquarters – Mumbai, Maharashtra