Skip to main content

Authentication mechanisms for digital payment transactions

Reserve Bank of India (RBI) has issued directions on authentication mechanisms for digital payment transactions.

What is the rationale behind the directions?

All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor. To enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms, RBI has issued the directions on authentication mechanisms for digital payment transactions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is Factor of Authentication?

Factor of Authentication is the credential of the customer which is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

To which entities / transactions shall the directions be applicable?

The directions shall be applicable to –

  • Payment System Providers and Payment System Participants (banks and non-banks)
  • Domestic digital payment transactions

What are the principles for authentication of digital payment transactions?

  • Minimum two factors of authentication – All digital payment transactions shall be authenticated by at least two distinct factors of authentication. Issuers (bank / non-bank maintaining customer’s account from which payment is made, such as deposit account / credit line / prepaid instrument) may, at their discretion, offer a choice of authentication factors to their customers.
  • At least one of the factors to be dynamic – It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
  • Robust – The factor of authentication shall be such that compromise of one factor does not affect reliability of the other.

Which transactions are exempted from two factor authentication?

The following transactions are exempted from the requirement of two factor authentication –

  • Small-value Contactless Card transactions
  • Recurring transactions (other than the first) under the e-mandate framework
  • Select Prepaid Instruments such as Prepaid Payment Instrument - Mass Transit Service (PPI-MTS) and Gift PPIs
  • National Electronic Toll Collection (NETC) transactions
  • Small value digital payments in offline mode
  • Travel booking involving Global Distribution System / IATA through commercial / corporate cards.

What are other directions?

  • Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
  • If any loss arises out of transactions effected without complying with the directions, the issuer shall compensate the customer for the loss in full without demur.
  • The directions are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

From when shall the directions be applicable?

Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with the directions by April 01, 2026.


References

Reserve Bank of India. (2025, September 25). 'Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898&Mode=0


Follow at - Telegram   Instagram   LinkedIn   X   Facebook

Labels:

Comments

Post a Comment

Popular Posts

Report of the Committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in the Financial Sector

Reserve Bank of India (RBI) has released the report of the committee to develop a framework for responsible and ethical enablement of artificial intelligence (FREE-AI) in the financial sector. Committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in the Financial Sector In the financial sector, Artificial Intelligence (AI) has the potential to unlock new forms of customer engagement, enable alternate approaches to credit assessment, risk monitoring, fraud detection, and offer new supervisory tools. At the same time, increased adoption of AI could lead to new risks like bias and lack of explainability, as well as amplifying existing challenges to data protection, cybersecurity, among others. To encourage the responsible and ethical adoption of AI in the financial sector, the committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in the Financial Sector (Chairperson: Dr. Pushpak B...
Post a Comment
Read more

Lending against Gold and Silver collateral

Reserve Bank of India (RBI) has issued directions on lending against the collateral of gold and silver. To whom are the directions applicable? The directions are applicable to the following regulated entities (REs) – Commercial Banks (including Small Finance Banks, Local Area Banks and Regional Rural Banks, but excluding Payments Banks). Primary (Urban) Co-operative Banks (UCBs) & Rural Co-operative Banks (RCBs), i.e., State Co-operative Banks (StCBs) and Central Co-operative Banks (CCBs). Non-Banking Financial Companies (NBFCs), including Housing Finance Companies (HFCs). Which loans are covered under the directions? The directions shall apply to all loans offered by an RE for the purpose of consumption or income generation (including farm credit) where eligible gold or silver collateral is accepted as a collateral security. What is eligible collateral? Eligible collateral means the collateral of jewellery, ornaments or coins made of gold or silver. A lender shall not grant any ad...
Post a Comment
Read more

All about RBI Integrated Ombudsman Scheme, 2021

Filed a complaint against a bank / financial institution but haven’t received a reply for more 30 days? Or received a reply but not satisfied with the resolution offered by the bank / financial institution? Or the complaint was rejected by the bank / financial institution? You can approach RBI Ombudsman under the RBI Integrated Ombudsman Scheme, 2021. What is RBI Integrated Ombudsman Scheme (RBI-IOS), 2021? RBI-IOS was launched on November 12, 2021, by integrating the existing 3 Ombudsman schemes of RBI. RBI-IOS adopts ‘One Nation One Ombudsman’ approach by making the RBI Ombudsman mechanism jurisdiction neutral. It provides cost-free redress of customer complaints involving deficiency in services rendered by entities regulated by RBI. Which schemes are integrated in RBI-IOS? RBI-IOS integrates following existing schemes of RBI – Schemes Powers derived from Entities covered Banking Ombudsman Scheme, 2006 Section 35A of BR Act, 1949 S...
Post a Comment
Read more

Investments in Debt Instruments by Non-residents

Reserve Bank of India (RBI) has issued directions on investments in debt instruments by non-residents. What are the channels for investments in debt instruments by non-residents? General Route – for investment in Government securities and corporate debt securities by Foreign Portfolio Investors (FPIs) subject to specified investment limits and macro-prudential limits. Voluntary Retention Route (VRR) – for investments in Government securities and corporate debt securities, free of certain macro-prudential limits applicable to FPI investments in debt markets under the General Route, by FPIs that commit to remain invested for a stipulated retention period. Fully Accessible Route (FAR) – for investments by non-residents in certain specified categories of Central Government securities (‘specified securities’) without any restriction. Scheme for Trading and Settlement of Sovereign Green Bonds (SGrBs) issued by the Central Government by eligible foreign investors in the International Finan...
Post a Comment
Read more

Continuous Clearing and Settlement on Realisation in Cheque Truncation System (CTS)

Reserve Bank of India (RBI) has issued direction on continuous clearing and settlement on realisation in Cheque Truncation System (CTS). What is Cheque Truncation System (CTS)? Cheque Truncation System (CTS) involves halting the physical movement of the cheque and its replacement by images of the instrument and the corresponding data contained in the MICR line.  In CTS, 3 images are taken of each cheque – front Gray Scale, front Black & White and back Black & White. MICR (Magnetic Ink Character Recognition) is a 9-digit code printed at the bottom of cheques using magnetic ink – first 3 digits indicate City Code, middle 3 digits indicate Bank Code and the last 3 digits indicate Bank Branch Code. Only CTS-2010 standards compliant instruments can be presented for clearing through CTS. The presenting banks which truncates the cheques need to preserve the physical instruments for 10 years. From when will the continuous clearing and settlement on realisation in CTS be implemented...
Post a Comment
Read more