New Delhi, Sep 25 The Reserve Bank of India (RBI) on Thursday released draft guidelines on the authentication mechanism framework for digital payment transaction authentication that will come into effect from April 1, 2026.
The Central Bank said the feedback from the public has been examined and suitably incorporated in the final directions.
The directions focus on encouraging introduction of new factors of authentication by leveraging upon technological advancements.
The framework, however, does not call for discontinuation of SMS-based OTP as an authentication factor.
The aim is also to enable issuers to adopt additional risk-based checks beyond the minimum two-factor authentication based on the fraud risk perception of the underlying transaction and facilitate interoperability and open access to technology, along with delineating the responsibility of Issuers.
The draft guidelines also mandate card issuers to validate AFA in non-recurring cross-border CNP transactions whenever such a request is raised by the overseas merchant or acquirer.
The RBI says that all digital payment transactions in India are required to meet the norm of two factors of authentication. While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based One Time Password (OTP) as the additional factor.
“All digital payment transactions shall be authenticated by at least two distinct factors of authentication, unless exempted. Issuers may, at their discretion, offer a choice of authentication factors to their customers in compliance with these directions,” according to the RBI.
“It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction. The factor of authentication shall be such that compromise of one factor does not affect reliability of the other,” it further added.
Also, system providers and system participants will offer authentication or tokenisation service that is accessible to all the applications and token requestors functioning in that operating environment for all use cases and channels or token storage mechanisms.
Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor