
Authentication mechanisms for digital payment transactions

Reserve Bank of India (RBI) has issued directions on authentication mechanisms for digital payment transactions.

What is the rationale behind the directions?

All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor. To enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms, RBI has issued the directions on authentication mechanisms for digital payment transactions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is a Factor of Authentication?

A factor of authentication is a credential of the customer that is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

To which entities / transactions shall the directions be applicable?

The directions shall be applicable to –

  • Payment System Providers and Payment System Participants (banks and non-banks)
  • Domestic digital payment transactions

What are the principles for authentication of digital payment transactions?

  • Minimum two factors of authentication – All digital payment transactions shall be authenticated by at least two distinct factors of authentication. Issuers (bank / non-bank maintaining customer’s account from which payment is made, such as deposit account / credit line / prepaid instrument) may, at their discretion, offer a choice of authentication factors to their customers.
  • At least one of the factors to be dynamic – It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
  • Robust – The factor of authentication shall be such that compromise of one factor does not affect reliability of the other.
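
The first two principles can be read as an issuer-side check. The following is an added example, not taken from the RBI directions or from the original article: it rejects a transaction with fewer than two distinct factors and, outside card present transactions, requires a proof that is valid only for that one transaction. The HMAC-based proof, the shared key, the field names and the `IssuerCheck` class are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def bind_proof(key: bytes, txn: dict) -> str:
    """Hypothetical dynamic factor: MAC over the fields that identify one transaction."""
    msg = json.dumps([txn["id"], txn["amount_paise"], txn["payee"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class IssuerCheck:
    def __init__(self, token_key: bytes):
        self.token_key = token_key   # secret shared with the customer's token (assumed)
        self.used_txn_ids = set()    # transactions already authenticated

    def authenticate(self, txn, verified_factors, proof="", card_present=False):
        # Principle 1: at least two distinct factors.
        if len(set(verified_factors)) < 2:
            return "reject: fewer than two distinct factors"
        # Principle 2 applies to transactions other than card present ones.
        if card_present:
            return "accept"
        if txn["id"] in self.used_txn_ids:
            return "reject: transaction already authenticated (replay)"
        expected = bind_proof(self.token_key, txn)
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return "reject: proof is not bound to this transaction"
        self.used_txn_ids.add(txn["id"])
        return "accept"

def demo():
    key = b"constructed-demo-key"    # constructed sample value
    issuer = IssuerCheck(key)
    txn = {"id": "T1001", "amount_paise": 250000, "payee": "merchant@example"}
    proof = bind_proof(key, txn)
    # Same proof reused for a different transaction id and amount.
    altered = dict(txn, id="T1002", amount_paise=9900000)
    return [
        issuer.authenticate(txn, {"pin", "software_token"}, proof),
        issuer.authenticate(txn, {"pin", "software_token"}, proof),
        issuer.authenticate(altered, {"pin", "software_token"}, proof),
        issuer.authenticate(txn, {"pin"}, proof),
        issuer.authenticate(txn, {"pin", "card_hardware"}, card_present=True),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third principle, that compromise of one factor must not affect the other, is a property of how the factors are provisioned and stored and is not something this check can verify.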

Which transactions are exempted from two factor authentication?

The following transactions are exempted from the requirement of two factor authentication –

  • Small-value Contactless Card transactions
  • Recurring transactions (other than the first) under the e-mandate framework
  • Select Prepaid Instruments such as Prepaid Payment Instrument - Mass Transit Service (PPI-MTS) and Gift PPIs
  • National Electronic Toll Collection (NETC) transactions
  • Small value digital payments in offline mode
  • Travel booking involving Global Distribution System / IATA through commercial / corporate cards.

What are the other directions?

  • Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
  • If any loss arises out of transactions effected without complying with the directions, the issuer shall compensate the customer for the loss in full without demur.
  • The directions are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

From when shall the directions be applicable?

Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with the directions by April 01, 2026.


References

Reserve Bank of India. (2025, September 25). 'RBI issues Directions on Framework on Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=61282

Reserve Bank of India. (2025, September 25). 'Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898&Mode=0

