RBI Mandates Stronger Authentication for Digital Payments
26 Sep 2025
On 25th September 2025, the Reserve Bank of India (RBI) issued new directions to enhance the security of digital payment transactions, emphasizing multi-factor authentication and consumer protection. These measures will come into effect from 1st April 2026.
Key Points
- Modernizing Authentication: The RBI’s “Authentication Mechanisms for Digital Payment Transactions” Directions, 2025, aim to replace reliance on SMS-based OTPs with more robust, multi-factor authentication.
- Two-Factor Requirement: All digital payments must be secured with at least two distinct factors of authentication, with at least one factor being dynamic and unique for each transaction to prevent fraud.
- Coverage: The Directions apply to all payment system providers and participants, including banks and non-bank entities, for all domestic transactions and cross-border card-not-present transactions.
- Cross-Border Security: For international card-not-present transactions, issuers must implement mechanisms by 1st October 2026 to validate such transactions and protect consumers shopping globally.
- Risk-Based Approach: The framework encourages issuers to evaluate transactions based on behavior patterns, location, and other contextual data to determine if additional authentication is needed.
- Consumer Protection: Issuers bear full responsibility for compensating customers for losses arising from non-compliance with these directions.
- Data Privacy Alignment: The directions align with the Digital Personal Data Protection Act, 2023, reinforcing protection of personal data alongside payment security.
- Future Impact: These measures are designed to make India’s digital payment ecosystem safer, more resilient, and trustworthy for millions of users nationwide.