The Reserve Bank of India (RBI) is taking a major step to make your digital payments safer. It is introducing new, stricter risk-based checks that go beyond the usual two-factor authentication, using the latest technology to protect your money.
These new guidelines, officially called the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, will become mandatory starting April 1, 2026.
The rules apply to everyone involved in digital payments – from payment providers and banks to other financial institutions – covering all domestic online transactions.
Under these new directions, payment issuers must implement extra risk-based checks. These checks will be customized based on how risky a particular transaction appears to be.
The RBI has also emphasized the need for these systems to be interoperable and to allow open access to new technologies.
A key change is that card issuers will now be required to validate an Additional Factor of Authentication (AFA) for non-recurring international ‘Card Not Present’ (CNP) transactions, especially if the overseas merchant or acquiring bank requests it.
Currently, every digital payment in India requires two factors of authentication. While the RBI hasn’t specified which factors to use, the most common additional method has been the SMS-based One Time Password (OTP).
These new guidelines lay out clear principles that everyone in the payment processing chain must follow when implementing any authentication method.
Even though the primary focus is on domestic transactions, these directions also include vital instructions for certain international card transactions, aiming to provide similar security for Indian cardholders making online purchases abroad.
The RBI clarified, “For digital payment transactions that aren’t ‘card present’ – meaning you’re not physically swiping your card – at least one authentication factor must be created or verified dynamically. This means the proof of possession sent with the transaction must be unique to that specific transaction.”
Furthermore, the authentication factors must be designed so that if one is compromised, the security of the other factor remains unaffected.
“System Providers and System Participants are expected to offer authentication or tokenization services that are readily available to all applications and token requestors within their operating environment, across all possible use cases, channels, or token storage methods,” the RBI stated.
Issuers are encouraged to use their own internal risk management policies to identify transactions that might need extra scrutiny. This could involve analyzing factors like where the transaction is happening, typical user spending habits, device information, and past transaction history.
If a transaction is flagged as high-risk, additional checks beyond the standard two-factor authentication might be applied. The regulator also suggested that issuers could leverage platforms like DigiLocker for notifying and confirming these high-risk transactions.
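As an added illustration, not code from the article or from any RBI specification, here is how an issuer might implement the two requirements described above: a risk score over the signals the article lists (location, device, spending habits, transaction history) that decides whether to step up beyond the standard two-factor flow, and a dynamic factor that is bound to one specific transaction. The signals, weights, threshold and the HMAC-based code are constructed assumptions, not values prescribed by the directions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy: the directions leave the risk model to each issuer, so
# these signals, weights and the threshold are illustrative, not RBI values.
STEP_UP_THRESHOLD = 50

@dataclass
class Transaction:
    amount: float
    country: str      # where the transaction originates
    device_id: str
    merchant: str

@dataclass
class CustomerProfile:
    home_country: str
    known_devices: set
    average_amount: float
    past_merchants: set

def risk_score(txn: Transaction, profile: CustomerProfile) -> int:
    """Score the signals the directions name: location, device, spending habits, history."""
    score = 0
    if txn.country != profile.home_country:
        score += 30                     # unusual location
    if txn.device_id not in profile.known_devices:
        score += 30                     # unrecognised device
    if txn.amount > 3 * profile.average_amount:
        score += 25                     # far above the customer's usual spend
    if txn.merchant not in profile.past_merchants:
        score += 10                     # no prior history with this merchant
    return score

def decide_authentication(txn: Transaction, profile: CustomerProfile) -> str:
    """Standard two-factor flow, or an additional risk-based check on top of it."""
    return "step_up" if risk_score(txn, profile) >= STEP_UP_THRESHOLD else "standard_afa"

def transaction_bound_code(secret: bytes, txn: Transaction, nonce: str) -> str:
    """Dynamic factor: HMAC over the transaction details, so the proof of possession
    is unique to this transaction and fails if replayed against a different one."""
    msg = f"{txn.amount:.2f}|{txn.merchant}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def verify_transaction_bound_code(secret: bytes, txn: Transaction, nonce: str, code: str) -> bool:
    return hmac.compare_digest(transaction_bound_code(secret, txn, nonce), code)
```

Because the code covers the amount and merchant, an attacker who intercepts it cannot reuse it to authorise a different transaction, which is the property an SMS OTP that is not tied to the transaction lacks.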
“Before deploying any authentication mechanism, an issuer must ensure its robustness and integrity,” the RBI stressed.
The RBI also confirmed, “Should any loss occur from transactions that don’t comply with these new directions, the issuer is obligated to fully compensate the customer without any argument.”
Finally, issuers must also adhere to the requirements of the Digital Personal Data Protection Act, 2023.
These directions follow previous draft guidelines on Alternative Authentication Mechanisms (July 31, 2024) and Additional Factor of Authentication in cross-border CNP transactions (February 07, 2025), with public feedback being incorporated into the final version.
The final guidelines were shaped by valuable input received from the public and various stakeholders.