
Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

Reserve Bank of India (RBI) has released a draft framework on alternative authentication mechanisms for digital payment transactions.

What is the rationale behind the draft framework?

RBI had mandated an additional factor of authentication (AFA) for all transactions undertaken using cards, prepaid instruments and mobile banking channels. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as the AFA. While OTP is working satisfactorily, technological advancements have made alternative authentication mechanisms available. Therefore, RBI has released a draft framework on alternative authentication mechanisms for digital payment transactions to enable the ecosystem to adopt them.

To whom shall the framework be applicable?

The framework applies to all Payment System Providers and Payment System Participants (banks and non-banks), who shall comply with the framework within 3 months from the date of issue of the directions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is a factor of authentication?

Factor of Authentication is any credential input by the customer which is verified for confirming the originator of a payment instruction. The factors of authentication are broadly categorised as –

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics)

What is Additional Factor of Authentication (AFA)?

Additional Factor of Authentication (AFA) refers to the use of more than one factor for authentication of a payment instruction.

Who is Issuer?

Issuer is a bank / non-bank where the customer’s account (deposit account / credit line or PPI balance) is maintained. Issuers verify user credentials and provide confirmation of debit to the account on receipt of payment instruction.

Who is Technology Service Provider (TSP)?

Technology Service Provider (TSP) is a provider of technology infrastructure adopted by the Issuer for implementing the authentication process. In addition to software-based solution providers, this will include device manufacturers and hardware solution providers who provide such technology.

Who is Token Service Provider?

Token Service Provider is an entity which tokenises the card credentials and de-tokenises them, whenever required. It includes card networks and card issuers.

What is a card present transaction?

Card present transaction is a transaction that is carried out through the physical use of card at the point of transaction. It is also known as a face-to-face or proximity payment transaction.

What are the principles for authentication of digital payment transactions?

The technology and process deployed for authenticating a payment instruction by the Payment System Provider / Payment System Participants shall comply with the following principles –

  • All digital payment transactions shall be authenticated with additional factors of authentication (AFA), unless exempted otherwise.
  • All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.
  • The first factor of authentication and the AFA shall be from different categories (i.e., something the user knows / something the user has / something the user is).
  • Issuers may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.
  • Issuers shall have a system of alerting the customer in near real time for all eligible digital payment transactions i.e., all digital payment transactions except small offline transactions.
  • Issuers shall obtain explicit consent before enabling any new factor of authentication for the customer. The customer shall also be provided a facility to deregister from using the new factor of authentication.
  • Issuer shall ensure the robustness and integrity of the process or technology of the authentication factor before deploying the same.
  • Issuer shall be liable for the process and technology deployed for authenticating a digital payment transaction.
  • Issuer shall not enter into any exclusivity arrangement with any Payment Service Provider / Technology Service Provider which could limit its ability to deploy alternative authentication solutions.
  • For transactions involving tokenised cards on various devices, Issuer / Token Service Provider shall ensure that the device environment supports tokenisation on a non-exclusive basis.
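The dynamic-factor and different-category principles above can be sketched as an issuer-side check. This is an added example, not code from RBI or from this article; the `Issuer` class, the factor names, the 180-second validity window and the HMAC construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Factor kind -> category, following the three categories listed earlier.
# The kind names are illustrative assumptions.
CATEGORY = {"pin": "knows", "password": "knows",
            "device_code": "has", "card_chip": "has", "fingerprint": "is"}

class Issuer:
    """Hypothetical issuer-side check; not a design specified by the framework."""

    def __init__(self, ttl_seconds=180):
        self._key = secrets.token_bytes(32)
        self._ttl = ttl_seconds          # validity window is an assumption
        self._pending = {}               # txn_id -> (code, binding, expiry)

    def initiate(self, txn_id, payee, amount_paise, now=None):
        """Create the dynamic factor only after the payment is initiated."""
        now = time.time() if now is None else now
        binding = f"{txn_id}|{payee}|{amount_paise}"
        nonce = secrets.token_bytes(16)
        mac = hmac.new(self._key, binding.encode() + nonce, hashlib.sha256).digest()
        code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
        self._pending[txn_id] = (code, binding, now + self._ttl)
        return code                      # sent to the customer's registered device

    def authorise(self, txn_id, payee, amount_paise, first, afa,
                  code=None, card_present=False, now=None):
        now = time.time() if now is None else now
        if first not in CATEGORY or afa not in CATEGORY:
            return False, "unknown factor"
        if CATEGORY[first] == CATEGORY[afa]:
            return False, "factors from same category"
        if card_present:
            return True, "ok"            # dynamic factor not required here
        # Single use: the entry is removed on the first attempt, pass or fail.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False, "no live dynamic factor"
        expected, binding, expiry = entry
        if now > expiry:
            return False, "expired"
        if binding != f"{txn_id}|{payee}|{amount_paise}":
            return False, "transaction details changed"
        if not hmac.compare_digest(expected, code or ""):
            return False, "wrong code"
        return True, "ok"
```

Binding the code to the payee and amount means a code issued for one payment cannot approve a different one, and removing the pending entry on first use is what makes it non-reusable.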

Which transactions are exempt from AFA requirement?

The following transactions are exempted from the AFA requirement –

  • Small value card present transactions for values up to ₹5000/- per transaction in contactless mode at Point of Sale (PoS) terminals.
  • E-mandates for recurring (other than the first) transactions in respect of – a) subscription to mutual funds; b) payment of insurance premium and c) credit card bill payments, for values up to ₹1,00,000, and in respect of all other categories, for values up to ₹15,000/-.
  • Prepaid Instruments (PPIs) issued under PPI – Mass Transit Service and Gift PPIs.
  • Transactions in the National Electronic Toll Collection (NETC) System.
  • Small value digital payments in offline mode up to a value of ₹500/-.


References

Reserve Bank of India. (2024, July 31). 'Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=58406

Reserve Bank of India. (2024, July 31). 'Framework on Alternative Authentication Mechanisms for Digital Payment Transactions - DRAFT'. Retrieved from https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4477

