
RBI issues Directions on Framework on Authentication Mechanisms for Digital Payment Transactions


The Reserve Bank of India (RBI) has today issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025.

RBI had issued draft directions on Alternative Authentication Mechanisms for Digital Payment Transactions on July 31, 2024 and draft directions on introduction of Additional Factor of Authentication (AFA) in cross-border Card Not Present (CNP) transactions on February 07, 2025, for stakeholder comments.

After taking feedback from the public on the draft guidelines, RBI has now released the final circular. The circular focuses on the following points:

  1. Encouraging the introduction of new factors of authentication by leveraging technological advancements. The framework, however, does not call for discontinuation of SMS-based OTP as an authentication factor.
  2. Enabling issuers to adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction.
  3. Facilitating interoperability and open access to technology.
  4. Delineating the responsibility of Issuers.
  5. Mandating card issuers to validate AFA in non-recurring cross-border CNP transactions whenever such a request is raised by the overseas merchant or acquirer.

These directions shall be complied with by April 01, 2026, unless indicated otherwise for any particular direction.

Important Directions in Circular

All digital payment transactions shall be authenticated by at least two distinct factors of authentication as defined in paragraph-5(f), unless exempted. Some exemptions have been provided; they are listed in the circular.

It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.
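One way to obtain a proof of possession that is unique to a single transaction, shown here as an added illustration that is not taken from the circular (the directions do not prescribe a mechanism). The shared device key, the `Issuer` class, the field names and the sample values are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets


def canonical(txn: dict, nonce: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never encode alike.
    parts = [txn["payer"], txn["payee"], txn["amount"], txn["currency"], nonce]
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def device_proof(device_key: bytes, txn: dict, nonce: str) -> str:
    """Runs on the customer's device: proves possession of device_key for this txn only."""
    return hmac.new(device_key, canonical(txn, nonce), hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical issuer-side verifier (assumed design, not from the circular)."""

    def __init__(self, device_key: bytes):
        self._key = device_key      # assumed to be shared at device enrolment
        self._pending = set()       # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, txn: dict, nonce: str, proof: str) -> bool:
        if nonce not in self._pending:
            return False            # unknown or already used: replay is rejected
        self._pending.discard(nonce)  # burn the nonce on first use, pass or fail
        expected = device_proof(self._key, txn, nonce)
        return hmac.compare_digest(expected, proof)


def demo() -> dict:
    key = secrets.token_bytes(32)
    issuer = Issuer(key)
    # Constructed sample transaction.
    txn = {"payer": "cust-001", "payee": "merchant-42", "amount": "1500.00", "currency": "INR"}
    nonce = issuer.challenge()
    proof = device_proof(key, txn, nonce)
    first = issuer.verify(txn, nonce, proof)
    replay = issuer.verify(txn, nonce, proof)
    nonce2 = issuer.challenge()
    proof2 = device_proof(key, txn, nonce2)
    altered = issuer.verify({**txn, "amount": "9500.00"}, nonce2, proof2)
    return {"first": first, "replay": replay, "altered": altered}
```

The same binding works with an asymmetric signature from a device-held private key, which avoids the issuer holding a secret that can itself produce valid proofs.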

System Providers and System Participants shall offer authentication or tokenisation service that is accessible to all the applications or token requestors functioning in that operating environment for all use cases, channels, or token storage mechanisms.

Issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural or contextual parameters such as transaction location, user behaviour patterns, device attributes, and historical transaction profile. Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be applied. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.

The directions outlined above are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 1, 2026, put in place a mechanism to validate non-recurring, cross-border card-not-present (CNP) transactions, where a request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

Further, a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 1, 2026.
