The Reserve Bank of India has issued new directions setting principles for authentication mechanisms used across India’s digital payment chain, aiming to support alternatives to SMS-based one-time passwords while retaining the baseline requirement for two-factor authentication. The rules apply to all payment system providers and participants, including banks and non-banks, for domestic digital payment transactions, and set out additional instructions for certain cross-border card-not-present transactions involving cards issued in India. The directions require at least two distinct factors of authentication unless an existing exemption applies and, for transactions other than card-present transactions, require at least one dynamically created or proven factor unique to the transaction. They also introduce interoperability or open access expectations for authentication or tokenisation services across applications and token requestors, allow issuers to apply a risk-based approach with additional checks beyond two-factor authentication, and place responsibility on issuers to ensure robustness before deployment and to compensate customers in full for losses arising from non-compliant transactions; issuers must also ensure adherence to the Digital Personal Data Protection Act, 2023.
Existing exemptions include small-value contactless card transactions, recurring e-mandate transactions after the first, select prepaid instruments, NETC transactions, small-value offline digital payments, and certain travel bookings via Global Distribution Systems or IATA using commercial or corporate cards. A set of prior card security circulars is repealed. Entities must ensure compliance with the directions by April 01, 2026, unless a provision specifies otherwise.
For cross-border activity, card issuers must, by October 01, 2026, implement a mechanism to validate non-recurring cross-border card-not-present transactions where authentication is requested by an overseas merchant or acquirer, including registering their Bank Identification Numbers with card networks, and put in place a risk-based mechanism for all cross-border card-not-present transactions.
Reserve Bank of India 2025-09-25
Reserve Bank of India issues new directions on two-factor authentication for domestic digital payments with April 2026 compliance deadline
The Reserve Bank of India has issued new directions for authentication in India's digital payment chain, emphasizing alternatives to SMS-based one-time passwords while maintaining two-factor authentication. The rules apply to all payment system providers for domestic transactions and include additional instructions for certain cross-border card-not-present transactions. Issuers must ensure compliance with the Digital Personal Data Protection Act, 2023, and compensate customers for losses from non-compliant transactions.