The Reserve Bank of India (RBI) on Thursday rolled out a new framework for authenticating digital payments beyond two-factor authentication (2FA), which will come into force from 1 April 2026.<\/p>\n
The new rules are part of the Reserve Bank of India<\/a> (Authentication Mechanisms for Digital Payment Transactions<\/a>) Directions, 2025, announced today.<\/p>\n New guidelines issued<\/p>\n I. Card issuers are encouraged to introduce new factors of authentication<\/a> by leveraging technological advancements. However, it does NOT mean that SMS-based OTP as an authentication tool would get discontinued.<\/p>\n II. The latest direction also enable card issuers to embrace additional risk-based checks beyond the minimum two-factor authentication. This could be based on the fraud risk perception of the underlying transaction.<\/p>\n III. The directions also emphasise facilitating interoperability<\/a> and enabling open access to technology. As a result, system providers will offer an authentication or tokenisation service that is accessible to all the applications\/token requestors functioning in that operating environment.<\/p>\n IV. The RBI also delineates the responsibility of issuers.<\/p>\n V. Additionally, the central bank mandates card issuers to validate AFA<\/a> in non-recurring cross-border CNP (card-not-present) transactions whenever such a request is raised by the overseas merchant or acquirer.<\/p>\n Principles for authenticating digital payments\u00a0<\/p>\n 1. Minimum two<\/strong>: There should be a minimum of two factors of authentication.<\/p>\n 2. Dynamic<\/strong>: At least one of the factors of authentication is dynamically created or proven.<\/p>\n 3. Robust<\/strong>: The factor of authentication will be such that the compromise of one factor does not affect the reliability of the other.<\/p>\n Stakeholders’ suggestions incorporated<\/p>\n Last year, in July, the RBI issued draft directions<\/a> on Alternative Authentication Mechanisms for Digital Payment Transactions, followed by draft directions on the introduction of Additional Factor of Authentication (AFA) in cross-border <\/a>CNP transactions in February this year to seek comments from stakeholders.<\/p>\n The views of the public were examined and incorporated in the directions which were issued today.<\/p>\n However, these measures outlined above will not be implemented in cross-border digital payments.<\/p>\n Meanwhile, the RBI has instructed card issuers to put in place a mechanism to validate non-recurring, cross-border CNP transactions by October 1 next year, where a request for authentication<\/a> is raised by an overseas merchant or overseas acquirer.<\/p>\n To ensure compliance, card issuers will register their Bank Identification Numbers (BINs) with card networks.<\/p>\n