Digital Payments in India to Get Safer: RBI Introduces New Authentication Guidelines 

By Paytm Editorial Team, September 26, 2025

Source: RBI

The Reserve Bank of India (RBI) has released the “Authentication Mechanisms for Digital Payment Transactions” Directions, 2025, aiming to strengthen the security of digital payments in India. All digital payment transactions in the country are required to use two-factor authentication (2FA). While SMS-based One-Time Passwords (OTPs) have been widely used so far, the new directions allow alternative authentication methods leveraging advanced technology.

These directions, issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007, primarily apply to domestic transactions. The guidelines also set standards for cross-border card transactions, covering online international transactions made with Indian-issued cards, in line with RBI’s 2025 regulatory updates.

Key Highlights of RBI Directions 2025:

  • Effective Date: April 1, 2026, for all Payment System Providers and Participants, including banks and non-bank entities.
  • Applicability: All domestic digital payment transactions, unless specifically exempted.
  • Authentication Principles:
    • Minimum two factors of authentication are mandatory, one of which must be dynamic for non-card-present transactions.
    • Authentication methods should be robust, ensuring that compromising one factor does not affect the other.
    • Issuers may offer customers a choice of authentication factors.
  • Interoperability: Authentication or tokenization services must be accessible across all platforms, channels, and devices.
  • Risk-Based Approach: Issuers can apply additional checks for high-risk transactions based on behavioural or contextual parameters, including transaction location, user behaviour, device attributes, or transaction history. Platforms like DigiLocker may be used for notifications or confirmations of such transactions.
  • Issuer Responsibilities:
    • Ensure robustness of authentication mechanisms before deployment.
    • Compensate customers fully for any losses resulting from non-compliance with these directions.
    • Comply with the Digital Personal Data Protection Act, 2023.
  • Cross-Border Transactions:
    • While domestic directions do not directly apply, card issuers must implement mechanisms to validate non-recurring cross-border card-not-present transactions by October 1, 2026.
    • Issuers must register their Bank Identification Numbers (BINs) with card networks and establish risk-based controls for cross-border transactions.

The RBI’s 2025 Directions aim to enhance the security, reliability, and interoperability of India’s digital payments ecosystem while aligning with global best practices for cross-border transactions.

FAQs

What is the effective date for compliance with RBI’s 2025 Directions?

All Payment System Providers and Participants must comply by April 1, 2026, unless otherwise specified for a particular provision.

Do these directions apply to international transactions?

They primarily apply to domestic digital payments, but card issuers must follow specific rules for cross-border card-not-present transactions by October 1, 2026.

What is two-factor authentication (2FA)?

2FA requires two independent credentials to verify a transaction. For non-card-present transactions, one factor must be dynamic, such as a one-time password or biometric verification.

What happens if a payment provider does not comply with these directions?

The issuer is responsible for ensuring compliance. The issuer must fully compensate the customer for any losses arising from non-compliant transactions.

Can issuers choose which authentication methods to offer customers?

Yes. Issuers may offer a choice of authentication factors, provided they comply with the RBI’s 2FA principles.