24/09/2025

The Reserve Bank of India has taken an important step in enhancing India's digital payment framework by issuing its "Authentication Mechanisms for Digital Payment Transactions" Directions, 2025. These comprehensive guidelines were released on September 25, 2025, and will come into effect from April 1, 2026, marking a benchmark change in the digital payment security environment in India.

Understanding the New Framework

These guidelines aim to balance three important aspects: security, innovation and convenience. India has long required two-factor authentication for digital payments, but the framework has primarily relied on SMS-based One-Time Passwords (OTPs). The new guidelines acknowledge this dependency while expanding the range of more sophisticated and flexible authentication methods that the payment framework accepts.

The RBI has defined authentication factors apart from SMS-based OTPs which include passwords, passphrases, PINs, card hardware, software tokens, fingerprints, or any biometric method (whether device-native or using Aadhaar). This diversity in authentication only enhances the digital payment framework by allowing each financial institution to determine which of these can help them meet their operational and consumer needs.

The Two-Factor Authentication Mandate

Although the new requirements introduce additional options, the fundamental requirement has not changed: every digital payment transaction must be authenticated by two or more distinct factors. The RBI has added an important stipulation for non-card-present transactions.

At least one authentication factor must be created specifically for the transaction in question. Because this factor serves as proof of possession for a single transaction, security improves: reused proof-of-possession data is almost impossible for fraudsters to use.
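The following added example (not part of the RBI directions or of this article) shows one way a factor can be created for a specific transaction: the issuer sends a single-use nonce, and the enrolled device returns an HMAC over the payee, amount and nonce. The HMAC scheme, the shared device key and all names here are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def sign_transaction(device_key: bytes, payee: str, amount_paise: int, nonce: str) -> str:
    """Device side: derive a code bound to payee, amount and the issuer's nonce."""
    msg = json.dumps({"payee": payee, "amount": amount_paise, "nonce": nonce},
                     sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer side (hypothetical): one single-use challenge per pending transaction."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # nonce -> (payee, amount_paise)

    def challenge(self, payee: str, amount_paise: int) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (payee, amount_paise)
        return nonce

    def verify(self, nonce: str, code: str) -> bool:
        # pop() consumes the challenge on any attempt, so a captured code
        # cannot be replayed and a wrong code cannot be retried.
        txn = self._pending.pop(nonce, None)
        if txn is None:
            return False
        expected = sign_transaction(self._key, txn[0], txn[1], nonce)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key; assumed to be provisioned at enrolment
    issuer = Issuer(key)
    n1 = issuer.challenge("merchant-a@example", 49900)
    code = sign_transaction(key, "merchant-a@example", 49900, n1)
    first = issuer.verify(n1, code)
    replay = issuer.verify(n1, code)  # same code, challenge already consumed
    n2 = issuer.challenge("merchant-b@example", 4990000)
    reuse = issuer.verify(n2, code)   # old code presented for a different transaction
    n3 = issuer.challenge("merchant-a@example", 49900)
    altered = issuer.verify(n3, sign_transaction(key, "merchant-a@example", 4990000, n3))
    return {"first": first, "replay": replay, "reuse": reuse, "altered": altered}


if __name__ == "__main__":
    print(demo())
```

Only the first verification succeeds; the replayed code, the code reused for another payee, and the code computed over a changed amount are all rejected.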

Risk-Based Intelligence Takes Center Stage

One of the most innovative features of the framework involves risk-based authentication checks. Financial institutions now have the ability to go beyond the minimum two-factor authentication (2FA) when they observe a higher-risk transaction. Issuers can evaluate transactions against behavioral and contextual parameters, including user behavior patterns, transaction location, device-specific attributes and historical transaction profiles.

This risk-based approach means that transactions from familiar devices and locations go through with low friction, while high-risk transactions could trigger additional verification steps. The RBI has even suggested the use of DigiLocker as a potential platform for notification and verification of high-risk transactions.

Strengthening Cross-Border Transaction Security

International digital commerce is given special consideration in the new directions. Card issuers must validate an Additional Factor of Authentication in non-recurring cross-border Card Not Present (CNP) transactions whenever overseas merchants/acquirers seek it. This requirement responds to a specific weakness in the global digital payment ecosystem, where cross-border transactions have historically been prone to fraud.

Financial institutions have until October 1, 2026, to establish the processes necessary to address all cross-border CNP transactions, including registering Bank Identification Numbers with card networks, to ensure compliance. This extended timeline is in recognition of the technical challenges involved in implementing compliance, while maintaining uninterrupted payment experiences for customers engaging in international transactions.

Promoting Interoperability and Innovation

The framework promotes interoperability and access to authentication technology across payment platforms, for the purpose of encouraging competition and innovation in the digital payments sphere. The RBI creates an equal opportunity for the marketplace, so that new participants may emerge and add to the continued evolution of payment technologies without being locked in by proprietary systems.

The directions also specifically outline the responsibilities of issuers, ensuring better accountability throughout the digital payments ecosystem. This will help financial institutions understand their obligations and implement appropriate systems and controls.

Looking Ahead

As India pursues its goal of becoming a less-cash economy, it becomes increasingly important to prioritise the security and reliability of digital payment systems. This new authentication framework is the Reserve Bank of India's (RBI) response to both global best practices and challenges.

These changes mean better security for consumers without necessarily adding complexity to the payment experience. For financial institutions and payment service providers, there is clarity of expectations, flexibility in execution, and a pathway to innovate. As the deadline of April 2026 approaches, participants from all corners of the digital payments ecosystem will need to evolve and adapt to this large paradigm shift that ultimately shapes how India will transact digitally.

The effectiveness of these directions will be determined in part by their ability to reduce cyber fraud while preserving the user-friendliness and efficiency that have led to digital payment adoption and growth in India. If implemented well, this framework could be beneficial for other countries experiencing similar challenges as they attempt to grow in the digital economy.
