RBI Issues Framework on Authentication Mechanisms for Digital Payment Transactions

The Reserve Bank of India has notified the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, establishing a comprehensive framework for secure and technology-neutral authentication of all domestic digital payment transactions.

These Directions, issued under Sections 18 and 10(2) of the Payment and Settlement Systems Act, 2007, aim to enhance security, promote innovation, and ensure consistency across payment channels.

Key Highlights:

  • Minimum Two-Factor Authentication (2FA): All digital payments must be authenticated through at least two factors.
  • Encouragement of New Authentication Factors: Entities can adopt innovative technologies (biometrics, tokens, passphrases, etc.) while continuing SMS-based OTP as a valid factor.
  • Dynamic Factor Requirement: At least one factor must be dynamically generated or proven, ensuring transaction uniqueness.
  • Risk-Based Authentication: Issuers may adopt additional checks based on behavioural or contextual risk indicators (e.g., device data, transaction history, location).
  • Customer Compensation: Issuers must fully compensate customers for losses arising from non-compliance with these Directions.
  • Cross-Border Transactions: Card issuers must validate the additional factor of authentication (AFA) for non-recurring cross-border Card-Not-Present (CNP) transactions whenever requested by overseas merchants/acquirers, and implement risk-based controls by October 1, 2026.
  • Interoperability & Open Access: All authentication/tokenisation services must remain interoperable and accessible across applications within the operating environment.
  • Data Protection Compliance: Issuers are required to adhere to the Digital Personal Data Protection Act, 2023.

Implementation Timeline: All payment system providers and participants must ensure compliance by April 1, 2026, unless otherwise specified.

The Directions also repeal several legacy circulars on card transaction security and AFA issued between 2009 and 2016, consolidating them under a single, unified framework.

Why this matters: The 2025 Directions mark a pivotal shift from prescriptive norms to a principle-based, risk-sensitive, and innovation-friendly authentication regime, balancing security, customer convenience, and technological progress in India’s growing digital economy.

The link to the Directions is available here: https://website.rbi.org.in/en/web/rbi/-/notifications/reserve-bank-of-india-authentication-mechanisms-for-digital-payment-transactions-directions-2025

Readers are welcome to share their views on info@regstreetlaw.com
