RBI issues new rules for authentication of digital payments

Importantly, issuers will be held responsible for the strength of authentication systems. Any loss from non-compliance must be fully compensated to customers.

25 Sep 2025 16:07 IST

New Update

The Reserve Bank of India (RBI) has released the Authentication Mechanisms for Digital Payment Transactions Directions, 2025. The rules will take effect from April 1, 2026, and apply to all payment providers, including banks and fintech firms.

At present, digital payments in India rely mainly on SMS-based OTPs. The new rules expand authentication options to include biometrics, device-based tokens, and passphrases. Every transaction must have at least two distinct factors of authentication, and one must be dynamic, unique to that transaction.

The RBI has stressed interoperability, requiring authentication and tokenization services to work across all apps and channels. Issuers can also apply extra checks based on risk factors, such as unusual device use or abnormal transaction patterns.

Importantly, issuers will be held responsible for the strength of authentication systems. Any loss from non-compliance must be fully compensated to customers. The rules also mandate compliance with the Digital Personal Data Protection Act, 2023.

For cross-border transactions, the framework requires Indian card issuers to establish mechanisms for validating non-recurring “card-not-present” transactions by October 1, 2026. They must also implement risk-based checks for all such cross-border transactions and register their Bank Identification Numbers (BINs) with card networks.

Exemptions from two-factor authentication—such as for small offline payments, recurring e-mandates, and transit-related transactions—will remain. The RBI has also withdrawn several older circulars on card security, bringing all norms under this single framework.

“.... The clarity and flexibility provided will enable issuers and payment players to embrace next-generation tools like biometrics, tokenisation, and contextual risk checks. By keeping security at the core, the RBI has paved the way for a safer, simpler, and more inclusive digital payments experience for both consumers and businesses,” said Vishwas Patel, Chair, Payments Council of India & Jt. Managing Director, Infibeam Avenues

RBI

Disclaimer:

Bareback Media has recently raised funding from a group of investors. Some of the investors may directly or indirectly be involved in a competing business or might be associated with other companies we might write about. This shall, however, not influence our reporting or coverage in any manner whatsoever. You may find a list of our investors here.