From April 2026, All Domestic Digital Payments Will Require 2FA under RBI’s New Directions
Moneylife Digital Team 25 September 2025
The Reserve Bank of India (RBI) has issued the final framework governing authentication mechanisms for digital payment transactions, marking a significant shift in the regulatory landscape for payment security. The Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, released on 25 September 2025, consolidate and update the rules around digital payment authentication after two rounds of public consultation. These directions will come into force from 1 April 2026, unless a specific provision carries a different compliance date.
 
At its core, the framework reiterates that all domestic digital payment transactions must be secured by at least two distinct factors of authentication (2FA), unless specifically exempted. While the digital payments ecosystem has so far relied heavily on SMS-based one-time passwords (OTPs) as the second factor, the central bank has clarified that it is not mandating a discontinuation of SMS OTPs. Instead, the framework seeks to encourage banks and payment providers to explore and adopt new authentication factors that leverage technological advancements, such as device-based biometrics, software tokens or behavioural analytics. Importantly, at least one of the authentication factors must be dynamic and unique to each transaction, so that even if one factor is compromised, the overall integrity of the transaction remains intact.
 
Another key feature of the framework is the push towards interoperability and open access. RBI has directed payment system providers to ensure that authentication and tokenisation services are accessible across devices, applications and operating environments, preventing fragmentation and promoting wider adoption of secure methods. This provision is expected to improve user convenience while maintaining a consistent security standard across the ecosystem.

The directions also introduce a risk-based approach to authentication. Issuers have been permitted to apply additional checks beyond the minimum two factors, depending on their assessment of fraud risk in a given transaction. These checks could draw upon behavioural or contextual parameters such as the location of the transaction, the user’s past behaviour, device attributes or transaction history. For high-risk cases, issuers may even use DigiLocker as a platform for customer notification and confirmation. This flexibility is designed to help issuers balance security with customer experience while ensuring that higher-risk transactions face tighter scrutiny.
 
A notable aspect of the new rules is the delineation of issuer responsibility. RBI has made it clear that issuers must ensure the robustness of their authentication systems before deployment. If a customer suffers a loss due to non-compliance with these directions, the issuer will be required to compensate the customer in full, without demur. In addition, issuers must ensure adherence to the provisions of the Digital Personal Data Protection Act, 2023, while implementing these mechanisms.
 
The new framework builds upon two earlier draft directions. The first, issued on 31 July 2024, sought feedback on alternative authentication mechanisms for digital payments, while the second, issued on 7 February 2025, dealt with introducing additional factor authentication (AFA) for cross-border card-not-present (CNP) transactions. RBI has now incorporated feedback from stakeholders to finalise the rules.
 
While the directions primarily cover domestic transactions, they also address the rising concerns around cross-border payments. From 1 October 2026, card issuers will be required to put in place systems to validate non-recurring cross-border CNP transactions whenever an overseas merchant or acquirer requests such authentication. Issuers will also need to register their Bank Identification Numbers (BINs) with card networks and institute a risk-based mechanism to manage all cross-border CNP transactions. This requirement reflects RBI’s intent to extend a similar degree of security assurance to international online transactions conducted using India-issued cards.
 
Certain exemptions from 2FA that are already in place will continue under the new framework. These include small-value contactless card transactions, recurring payments beyond the first transaction under the e-mandate system, select prepaid instruments, NETC toll payments, small-value offline digital payments, and travel bookings routed through the International Air Transport Association (IATA) system using commercial or corporate cards.
 
In a bid to simplify the regulatory landscape, the new directions also repeal a series of older circulars and instructions on card security and authentication issued since 2009. These included measures related to card-not-present transactions, risk mitigation for interactive voice response (IVR) transactions, and relaxations for small-ticket card payments. By consolidating and replacing these earlier notifications, RBI aims to provide clarity and a single point of reference for the industry.
 
By allowing innovation while retaining the safeguard of two-factor authentication, the RBI framework attempts to strike a balance between customer convenience and security. With a compliance deadline of April 2026, banks, card issuers and payment service providers now face the challenge of upgrading their systems to align with the new rules, while preparing for additional obligations in the cross-border domain by October 2026.
 
Comments
deepak.narain
1 month ago
Too complex for Super Senior Citizens like me. We need a simpler mechanism with due security.
rvks005
Replied to deepak.narain comment 1 month ago
Security always comes at the cost of convenience unless it is initially designed considering security.