The Reserve Bank of India (“RBI”) has issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 (“Directions”), which lay down broad principles to be followed by all payment system providers and participants when implementing authentication mechanisms for digital payment transactions.
While existing regulations mandated two-factor authentication, they did not specify the type of authentication factor that ought to be implemented. In contrast, these Directions detail what a “factor of authentication” ought to be and require that at least one factor be dynamic in nature. These Directions reflect the RBI’s intent to facilitate the adoption of advanced technologies by payment system participants through a framework that supports the implementation of alternative and innovative authentication methods.
1. Timeline: All payment system providers and participants must ensure compliance by April 01, 2026.
2. Scope: The Directions apply to all domestic digital payment transactions, except the following:
a. Small-value contactless card transactions: Transactions of a value up to INR 5000
b. Recurring transactions (other than the first) under the e-mandate framework:
c. Small value digital payments in offline mode:
d. Other transactions like payments made through select Prepaid Instruments such as PPI-MTS and Gift PPIs, NETC transactions, and payments for travel booking involving Global Distribution System / IATA through commercial / corporate cards.
3. Distinct authentication factors: The guidelines require players to adopt two distinct authentication factors, i.e., each factor must fall under a different category: “something the user knows,” “something the user is,” or “something the user has.”
4. Requirement for One Dynamic Authentication Factor: Unlike the earlier draft guidelines, the RBI now clarifies that a factor can either be dynamically created or dynamically proven – i.e., the proof of possession must be unique to each transaction. It remains to be seen whether the widely used method of device binding will qualify as a dynamic authentication mode and continue to operate without disruption or if the players will turn to newer technologies like FIDO to meet these requirements.
5. Risk-based approach: Issuers are permitted to adopt a risk-based approach, allowing them to conduct additional checks beyond the required two-factor authentication. Furthermore, issuers can explore the use of DigiLocker as a platform for notification and confirmation of high-risk transactions.
6. Cross-border transactions: While the guidelines exclude cross-border digital payment transactions, card issuers must, by October 1, 2026, implement a mechanism to validate non-recurring, cross-border card-not-present (CNP) transactions, if required by an overseas merchant or acquirer. As part of this, issuers must register their Bank Identification Number with the card networks.
7. Liability to the customers: The issuers will be held fully liable for any losses incurred by their customers arising from transactions that fail to comply with these Directions.
8. Interoperability: The Directions require system participants and service providers to offer authentication and tokenisation services that are accessible across all applications and token requestors within the same operating environment, covering all use cases, channels, and token storage mechanisms.