Last year, the RBI issued its guidelines on the authentication mechanism framework for digital payment transaction authentication. As per the guidelines, it was stated that two-factor authentication will be made mandatory for all digital payments starting 1st April 2026.
The Reserve Bank of India ( Authentication mechanisms for digital payment transactions) Directions, 2025, shall apply to all Payment System Providers and Payment System Participants (banks and non-banks). These directions will apply to all domestic digital payment transactions.
It is mandated that every digital payment transaction must be authenticated using at least two distinct factors like passwords, PINs, SMS-based OTPs, hardware tokens or cards, software-based authentication tokens, fingerprints or facial recognition. In practice, most users may not see a dramatic shift immediately, as OTPs and PINs are already widely used.
Issuers such as banks, card networks and fintechs can offer customers a preference for authentication methods in compliance with the directions. It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven.
An issuer shall ensure the robustness and integrity of the authentication mechanism before deployment. If any loss arises out of transactions effected without complying with the directions, the issuer shall compensate the customer for the loss in full without demur.
It is said that by 1st October 2026, card issuers shall put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where an authentication request is raised by an overseas merchant or overseas acquirer. Further, a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by 1st October 2026.
With rising cases of SIM-related fraud and phishing, the RBI is now pushing for alternatives for the digital safety of customers.
