RBI mandates stronger security for digital payments starting April 1, 2026. Two-factor authentication, with at least one dynamic factor, will be mandatory for all domestic transactions

Mumbai: As digital payments become deeply embedded in daily life across India, the Reserve Bank of India (RBI) has announced new measures aimed at bolstering the security of these transactions.
What are the new authentication rules and when will they start?
In February 2024, the RBI outlined its plans to modernise authentication methods across the country’s payment ecosystem. These plans have now been formalised in the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, which will take effect from 1 April 2026.
“All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by 1 April 2026, unless otherwise specified for particular provisions,” the RBI stated.
Why is SMS OTP no longer enough?
At present, most digital payments in India rely on SMS-based One Time Passwords (OTPs) as a secondary authentication factor. However, recognising rapid technological progress and the rising sophistication of cyber threats, the RBI now mandates that all digital payments must be secured using at least two distinct factors of authentication.
Critically, at least one of these factors must be dynamic, meaning it is unique for each transaction, to better prevent fraud and unauthorised access.
Who does this apply to and what about international transactions?
The new directions apply to all payment system providers and participants, including banks and non-bank entities, covering all domestic digital payment transactions. Specific provisions have also been introduced for cross-border card-not-present transactions.
Card issuers will be required to implement validation mechanisms for such international transactions by 1 October 2026, enhancing protection for Indian consumers shopping globally.
How will the RBI’s risk-based approach work?
The RBI’s framework emphasises a robust, interoperable, and risk-based approach to authentication. Issuers are encouraged to assess transactions using behavioural patterns, geographic location, and other contextual data to determine when additional authentication is necessary. This layered security model seeks to balance convenience with stringent protection measures.
Who is responsible if security measures fail?
Beyond technical compliance, issuers will be held fully responsible for compensating customers in cases of loss resulting from failure to adhere to these directions. The RBI has also aligned these guidelines with the Digital Personal Data Protection Act, 2023, reinforcing the importance of data privacy alongside payment security.
ANI inputs
Published: 25 Sept 2025, 03:40 pm IST
Related Topics
Subscribe to our Newsletter
Get Latest Mathrubhumi Updates in English
Disclaimer: Kindly avoid objectionable, derogatory, unlawful and lewd comments, while responding to reports. Such comments are punishable under cyber laws. Please keep away from personal attacks. The opinions expressed here are the personal opinions of readers and not that of Mathrubhumi.

