Mumbai: As digital payments become deeply embedded in daily life across India, the Reserve Bank of India (RBI) has announced new measures aimed at bolstering the security of these transactions.

What are the new authentication rules and when will they start?

In February 2024, the RBI outlined its plans to modernise authentication methods across the country’s payment ecosystem. These plans have now been formalised in the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, which will take effect from 1 April 2026.

“All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by 1 April 2026, unless otherwise specified for particular provisions,” the RBI stated.

Why is SMS OTP no longer enough?

At present, most digital payments in India rely on SMS-based One Time Passwords (OTPs) as a secondary authentication factor. However, recognising rapid technological progress and the rising sophistication of cyber threats, the RBI now mandates that all digital payments must be secured using at least two distinct factors of authentication.

Critically, at least one of these factors must be dynamic, meaning it is unique for each transaction, to better prevent fraud and unauthorised access.

Who does this apply to and what about international transactions?

The new directions apply to all payment system providers and participants, including banks and non-bank entities, covering all domestic digital payment transactions. Specific provisions have also been introduced for cross-border card-not-present transactions.

Card issuers will be required to implement validation mechanisms for such international transactions by 1 October 2026, enhancing protection for Indian consumers shopping globally.

How will the RBI’s risk-based approach work?

The RBI’s framework emphasises a robust, interoperable, and risk-based approach to authentication. Issuers are encouraged to assess transactions using behavioural patterns, geographic location, and other contextual data to determine when additional authentication is necessary. This layered security model seeks to balance convenience with stringent protection measures.

Who is responsible if security measures fail?

Beyond technical compliance, issuers will be held fully responsible for compensating customers in cases of loss resulting from failure to adhere to these directions. The RBI has also aligned these guidelines with the Digital Personal Data Protection Act, 2023, reinforcing the importance of data privacy alongside payment security.

ANI inputs