
Authentication mechanisms for digital payment transactions

Reserve Bank of India (RBI) has issued directions on authentication mechanisms for digital payment transactions.

What is the rationale behind the directions?

All digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor. To enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms, RBI has issued the directions on authentication mechanisms for digital payment transactions.

What is Authentication?

Authentication is a process of validating and confirming the credentials of the customer who is originating the payment instruction.

What is a Factor of Authentication?

A factor of authentication is a credential of the customer that is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter alia, password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

To which entities / transactions shall the directions be applicable?

The directions shall be applicable to –

  • Payment System Providers and Payment System Participants (banks and non-banks)
  • Domestic digital payment transactions

What are the principles for authentication of digital payment transactions?

  • Minimum two factors of authentication – All digital payment transactions shall be authenticated by at least two distinct factors of authentication. Issuers (bank / non-bank maintaining customer’s account from which payment is made, such as deposit account / credit line / prepaid instrument) may, at their discretion, offer a choice of authentication factors to their customers.
  • At least one of the factors to be dynamic – It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
  • Robust – The factor of authentication shall be such that compromise of one factor does not affect reliability of the other.

Which transactions are exempted from two factor authentication?

The following transactions are exempted from the requirement of two factor authentication –

  • Small-value Contactless Card transactions
  • Recurring transactions (other than the first) under the e-mandate framework
  • Select Prepaid Instruments such as Prepaid Payment Instrument - Mass Transit Service (PPI-MTS) and Gift PPIs
  • National Electronic Toll Collection (NETC) transactions
  • Small-value digital payments in offline mode
  • Travel booking involving Global Distribution System / IATA through commercial / corporate cards.

What are the other directions?

  • Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.
  • If any loss arises out of transactions effected without complying with the directions, the issuer shall compensate the customer for the loss in full without demur.
  • The directions are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

From when shall the directions be applicable?

Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with the directions by April 01, 2026.


References

Reserve Bank of India. (2025, September 25). 'RBI issues Directions on Framework on Authentication Mechanisms for Digital Payment Transactions'. Retrieved from https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=61282

Reserve Bank of India. (2025, September 25). 'Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025'. Retrieved from https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898&Mode=0

