The Reserve Bank of India (RBI) has released the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, following consultations on draft guidelines issued in July 2024 and February 2025.
The new directions aim to strengthen the security of digital payments while encouraging innovation. They allow the introduction of new authentication factors leveraging technology advancements but do not mandate discontinuation of SMS-based OTPs. Issuers are also permitted to implement additional risk-based checks beyond the minimum two-factor authentication, depending on the fraud risk associated with a transaction.
The framework promotes interoperability and open access to technology, clarifies the responsibilities of issuers, and requires card issuers to validate Additional Factor of Authentication (AFA) for non-recurring cross-border Card Not Present (CNP) transactions if requested by the overseas merchant or acquirer.
All directions are to be implemented by April 1, 2026, unless specified otherwise.