Skip to main content

Authentication mechanisms for digital payment transactions

Reserve Bank of India (RBI) has issued directions on authentication mechanisms for digital payment transactions.

What is the rationale behind the directions?

All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor. To enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms, RBI has issued the directions on authentication mechanisms for digital payment transactions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is Factor of Authentication?

Factor of Authentication is the credential of the customer which is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

To which entities / transactions shall the directions be applicable?

The directions shall be applicable to –

  • Payment System Providers and Payment System Participants (banks and non-banks)
  • Domestic digital payment transactions

What are the principles for authentication of digital payment transactions?

  • Minimum two factors of authentication – All digital payment transactions shall be authenticated by at least two distinct factors of authentication. Issuers (bank / non-bank maintaining customer’s account from which payment is made, such as deposit account / credit line / prepaid instrument) may, at their discretion, offer a choice of authentication factors to their customers.
  • At least one of the factors to be dynamic – It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
  • Robust – The factor of authentication shall be such that compromise of one factor does not affect reliability of the other.

Which transactions are exempted from two factor authentication?

The following transactions are exempted from the requirement of two factor authentication –

  • Small-value Contactless Card transactions
  • Recurring transactions (other than the first) under the e-mandate framework
  • Select Prepaid Instruments such as Prepaid Payment Instrument - Mass Transit Service (PPI-MTS) and Gift PPIs
  • National Electronic Toll Collection (NETC) transactions
  • Small value digital payments in offline mode
  • Travel booking involving Global Distribution System / IATA through commercial / corporate cards.

What are other directions?

  • Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
  • If any loss arises out of transactions effected without complying with the directions, the issuer shall compensate the customer for the loss in full without demur.
  • The directions are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

From when shall the directions be applicable?

Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with the directions by April 01, 2026.


References

Reserve Bank of India. (2025, September 25). 'RBI issues Directions on Framework on Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=61282

Reserve Bank of India. (2025, September 25). 'Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898&Mode=0


Follow at - Telegram   Instagram   LinkedIn   X   Facebook

Labels:

Comments

Post a Comment

Popular Posts

Modified Interest Subvention Scheme for Agricultural Loans

Reserve Bank of India (RBI) has published the modified interest subvention scheme (MISS) for short term loans for agriculture and allied activities availed through Kisan Credit Card (KCC) during the financial year 2025-26. Which loans are covered under modified interest subvention scheme (MISS)? The short-term crop loans and short-term loans for allied activities including animal husbandry, dairy, fisheries, bee keeping etc. up to an overall limit of ₹3 lakh to farmers through KCC during the year 2025-26 will be covered for interest subvention. Which lending institutions are covered under MISS? The MISS is applicable to the lending institutions viz. Public Sector Banks (PSBs) and Private Sector Banks (in respect of loans given by their rural and semi-urban branches only), Small Finance Banks (SFBs) and computerized Primary Agriculture Cooperative Societies (PACS) ceded with Scheduled Commercial Banks (SCBs), on use of their own resources.  How much is the interest subvention? The a...
Post a Comment
Read more

Internal Ombudsman for Regulated Entities (Banks, NBFCs, PPI Issuers and CICs)

Reserve Bank of India (RBI) has issued directions on Internal Ombudsman for regulated entities. To whom shall the directions on Internal Ombudsman (IO) be applicable? The directions on IO shall be applicable to the following Regulated Entities (REs) – Commercial Banks (other than Small Finance Banks, Payment Banks, and Local Area Banks) having 10 or more banking outlets in India as on March 31, 2025, whether such bank is incorporated in / outside India Small Finance Banks having 10 or more banking outlets in India as on March 31, 2025 Payments Banks having 10 or more banking outlets in India as on March 31, 2025 Non-Banking Financial Companies (NBFCs) fulfilling the following criteria as on March 31, 2025 – Deposit-taking NBFCs (NBFCs-D) with 10 or more branches Non-Deposit taking NBFCs (NBFCs-ND) with asset size of ₹5,000 crore and above and having public customer interface Non-Bank Prepaid Payment Instruments Issuers having more than 1 crore Prepaid Payment Instruments (PPIs) outstan...
Post a Comment
Read more

Reserve Bank - Integrated Ombudsman Scheme, 2026 (RB-IOS, 2026)

Reserve Bank of India (RBI) has issued Reserve Bank - Integrated Ombudsman Scheme, 2026. Who is RBI Ombudsman and RBI Deputy Ombudsman? RBI may appoint one or more of its officers as RBI Ombudsman and RBI Deputy Ombudsman, to carry out the functions entrusted to them under the Reserve Bank - Integrated Ombudsman Scheme (RB-IOS).  The appointment of RBI Ombudsman or RBI Deputy Ombudsman shall be for up to 3 years at a time. RBI Ombudsman shall have the power to examine and close all complaints.   RBI Deputy Ombudsman shall have the power to close those complaints falling under clause 10 of the RB-IOS (i.e. non-maintainable complaints) and complaints resolved as per the provisions of the clause 14(8)(a) to 14(8)(c) of the RB-IOS (i.e. complaint resolved / withdrawn). Which entities are covered under the RB-IOS? RB-IOS shall be applicable to the following Regulated Entities (REs) – Commercial Banks Regional Rural Banks  State Co-operative Banks Central Co-operative Bank...
Post a Comment
Read more

Financial Literacy Week (FLW) 2026

Reserve Bank of India (RBI) has observed financial literacy week from February 09 to 13, 2026. Financial Literacy and Financial Education Organization for Economic Co-operation & Development (OECD) defines ‘financial literacy’ as a combination of financial awareness, knowledge, skills, attitude and behaviour necessary to make sound financial decisions and ultimately achieve individual financial well-being.  OECD defines ‘financial education’ as the process by which financial consumers / investors improve their understanding of financial products, concepts and risks and through information, instruction and / or objective advice, develop the skills and confidence to become more aware of financial risks and opportunities, to make informed choices, to know where to go for help and to take other effective actions to improve their financial well-being. Financial Literacy Week (FLW) Reserve Bank of India (RBI) has been observing Financial Literacy Week (FLW) every year since 2016 to p...
Post a Comment
Read more

What is Reserve Bank of India – Digital Payments Index (RBI-DPI)? (Updated on February 12, 2026)

There have been continuous efforts by various stakeholders for digitization of payments in the country. But how to we measure the impact of these efforts?  What is Reserve Bank of India – Digital Payments Index (RBI-DPI)? Reserve Bank of India (RBI) has constructed a composite Digital Payments Index (DPI) to capture the extent of digitization of payments across the country. What are the parameters of RBI-DPI? The RBI-DPI comprises of five broad parameters that enable measurement of deepening and penetration of digital payments in the country over different time periods. These parameters along with their weights in the RBI-DPI are as follows –  Payment Enablers (25%) Payment Infrastructure – Demand-side factors (10%) Payment Infrastructure – Supply-side factors (15%) Payment Performance (45%) Consumer Centricity (5%).  Each of these parameters have sub-parameters which, in turn, consist of various measurable indicators.  What is the base year for RBI-DPI? The RBI-DPI ...
Post a Comment
Read more