RBI – Authentication for Digital Payment Transactions

RBI (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025

The Reserve Bank of India (RBI) has issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025 to strengthen security and promote innovation in India’s digital payments ecosystem. All digital payment transactions in the country are required to meet the norm of two-factor authentication (2FA). While no specific factor has been mandated, SMS-based One Time Password (OTP) has been the most commonly used mechanism. In line with the technological advancements and the RBI’s announcements in the Statements on Developmental and Regulatory Policies (February 2024 and February 2025), these Directions enable payment participants to adopt alternative authentication technologies beyond OTPs.

Issued under Sections 18 and 10(2) of the Payment and Settlement Systems Act, 2007, the Directions are applicable to all Payment System Providers (PSPs) and Participants, including both banks and non-banks, for all domestic digital payment transactions, unless exempted. The Directions come into effect from April 1, 2026.

Key definitions include: authentication, the process of validating customer credentials; card-present and card-not-present (CNP) transactions; cross-border CNP transactions; and factors of authentication, classified by what the user has, knows, or is (e.g., a password, PIN, OTP, token, or biometric).

The core principles for authentication require:

  1. Minimum two factors of authentication for all transactions, except those explicitly exempted.
  2. At least one dynamic factor, ensuring transaction-specific uniqueness.
  3. Robustness, ensuring that compromise of one factor does not weaken the other.

The Directions also emphasize interoperability, requiring system providers and participants to offer open access for authentication or tokenisation services across devices, applications, and operating environments, in accordance with RBI’s 2019 Tokenisation Directions.

A risk-based approach is encouraged, allowing issuers to evaluate transactions using behavioural and contextual parameters such as device data, transaction history, and user location, and to apply additional checks for high-risk cases. DigiLocker may be used for secure notification and confirmation of such transactions.
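The three core principles above and the risk-based approach can be checked mechanically at the issuer's authorisation step. The following is an added illustration written for this summary; it is not code from the RBI Directions or from any payment system, and it makes assumptions the Directions do not spell out: "two factors" is read as two factors from distinct categories (has/knows/is), "dynamic" is modelled as a per-factor flag, the robustness principle is approximated by requiring each factor to be captured over a different channel, and the risk score, its weights and the step-up threshold are constructed values.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Factor categories named in the Directions: what the user has, knows, or is."""
    KNOWS = "knows"   # password, PIN
    HAS = "has"       # registered phone, hardware token
    IS = "is"         # biometric


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    dynamic: bool   # transaction-specific (e.g. OTP bound to this transaction)
    channel: str    # capture/delivery channel; used to approximate independence (assumption)


@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    factors: list


@dataclass
class Profile:
    """Constructed customer profile used for contextual risk evaluation."""
    known_devices: set
    home_country: str
    typical_max_amount: float


def check_principles(factors):
    """Return a list of violations of the three core principles (empty list = compliant)."""
    problems = []
    categories = {f.category for f in factors}
    # Principle 1: minimum two factors; assumed to mean two distinct categories.
    if len(factors) < 2 or len(categories) < 2:
        problems.append("fewer than two distinct factor categories")
    # Principle 2: at least one dynamic, transaction-specific factor.
    if not any(f.dynamic for f in factors):
        problems.append("no dynamic, transaction-specific factor")
    # Principle 3 (robustness): factors sharing a channel are treated as not independent.
    channels = [f.channel for f in factors]
    if len(set(channels)) < len(channels):
        problems.append("factors share a capture channel; compromise of one weakens the other")
    return problems


def risk_score(txn, profile):
    """Constructed additive score over device, location and amount context."""
    score = 0
    if txn.device_id not in profile.known_devices:
        score += 2  # unfamiliar device
    if txn.country != profile.home_country:
        score += 2  # unusual location
    if txn.amount > profile.typical_max_amount:
        score += 1  # amount above the customer's usual range
    return score


def decide(txn, profile, step_up_threshold=3):
    """Reject non-compliant authentication, require an additional check for high risk, else approve."""
    problems = check_principles(txn.factors)
    if problems:
        return ("reject", problems)
    if risk_score(txn, profile) >= step_up_threshold:
        return ("step_up", ["high-risk transaction: additional check required"])
    return ("approve", [])


# Constructed sample factors and profile.
SMS_OTP = Factor("sms_otp", Category.HAS, dynamic=True, channel="sms")
APP_PIN = Factor("app_pin", Category.KNOWS, dynamic=False, channel="app")
IN_APP_OTP = Factor("in_app_otp", Category.HAS, dynamic=True, channel="app")
FINGERPRINT = Factor("fingerprint", Category.IS, dynamic=False, channel="device_biometric")
CUSTOMER = Profile(known_devices={"dev-1"}, home_country="IN", typical_max_amount=5000.0)

if __name__ == "__main__":
    print(decide(Transaction(1000.0, "dev-1", "IN", [APP_PIN, SMS_OTP]), CUSTOMER))
    print(decide(Transaction(9000.0, "dev-9", "US", [APP_PIN, SMS_OTP]), CUSTOMER))
    print(decide(Transaction(1000.0, "dev-1", "IN", [APP_PIN, FINGERPRINT]), CUSTOMER))
    print(decide(Transaction(1000.0, "dev-1", "IN", [APP_PIN, IN_APP_OTP]), CUSTOMER))
```

The channel check is the most debatable modelling choice: an OTP delivered into the same app that collects the PIN is flagged as non-independent, which is one reading of the robustness principle rather than anything the Directions prescribe. The step-up branch returns a decision only; what the additional check is (the text mentions DigiLocker notification and confirmation as one option) is left to the issuer.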

Issuers are fully responsible for ensuring the robustness and integrity of deployed authentication mechanisms. Any customer loss arising from non-compliance with these Directions must be fully compensated. Issuers must also ensure adherence to the Digital Personal Data Protection Act, 2023.

For cross-border CNP card transactions, issuers must, by October 1, 2026, implement mechanisms to validate non-recurring overseas transactions and register their Bank Identification Numbers (BINs) with card networks. A risk-based framework for managing all cross-border CNP transactions is also mandated.
