RBI (Authentication Mechanisms For Digital Payment Transactions) Directions, 2025: Balancing Privacy And Security In Digital Payment

Introduction

On 25 September 2025, the Reserve Bank of India (RBI) issued the 'Authentication Mechanisms for Digital Payment Transactions Directions, 2025' (Directions) with the objective of strengthening security of digital payments by leveraging technological advancements beyond conventional SMS-based OTPs.

The Directions build upon the announcements made in the RBI's Statements on Developmental and Regulatory Policies from February 2024 and February 2025 (collectively, "Statements"), which underscore measures to enhance the resilience and security of payment systems.

While the Directions retain the core intent of the Statements, including the adoption of a principles-based framework and the classification of authentication factors, they also introduce several key additions that will have a material impact on practical implementation.

Applicability and Compliance

The Directions apply to all payment system providers and participants, including banks and non-banks (collectively, "PSPs"), who are required to ensure compliance by 1 April 2026. While the overarching obligation to comply rests with all PSPs, card issuers carry a specific responsibility to verify the robustness and integrity of authentication mechanisms prior to deployment.

The Directions extend to all domestic digital payment transactions, except where explicit exemptions are provided. At the present, the Directions do not apply to cross-border digital payments transactions, given that such transactions often involve overseas merchants and payment systems outside India's regulatory jurisdiction.

However, the Directions impose targeted obligations on card issuers in relation to cross-border card-not-present (CNP) transactions (where an authentication request is initiated by an overseas merchant or acquirer), by 1 October 2026. Additionally, card issuers must implement risk-based authentication mechanisms for all cross-border CNP transactions, whether recurring and non-recurring.

Non-recurring CNP transactions are typically vulnerable to fraud, for instance when stolen card details are used for a one-time purchase from a foreign merchant. Recurring transactions (such as subscription payments), on the other hand carry lower risk, as they often rely on tokenisation or pre-authorised mandates. The RBI seems to be targeting these one-time transactions by ensuing card issuers verify the cardholder's identity, reducing unauthorised charges.

Categories of Authentication

The Directions prescribe three categories of authentication factors:

1. Something the user has (for instance, a physical card, hardware token, SMS-based OTP).
2. Something the user knows (for instance, a password or a PIN).
3. Something the user is (for instance, biometric identifiers such as fingerprints or facial recognition).

Principles of Authentication

The Directions prescribe the following three core principles of authentication:

1. Minimum two factor authentication: Each digital payment transaction (DP Transaction) (except those exempted, such as small-value contactless card transactions, recurring transactions under the e-mandate framework, and gift prepaid instruments) must be authenticated using at least two different factors (AFA). Card issuers may choose to: (i) offer customers the flexibility to choose their preferred authentication factors; and (ii) implement additional checks beyond AFA in line with their internal risk-based policies; while ensuring they meet requirements under the Digital Personal Data Protection Act, 2023 (DPDPA).
2. One factor must be dynamic or proven: For all DP Transactions (other than card-present transactions involving the physical use of a card), at least one factor of authentication must be either dynamically generated (eg, OTP) uniquely tied to the specific transaction to prevent reuse or capable of being proven (eg, biometric authentication). The inclusion of both "dynamic" and "capable of being proven" reflect the RBI's intent to provide flexibility while ensuring robust security for non-card-present transactions.
3. Every factor to be robust: The Directions require that the two factors of authentication be designed such that the reliability of one does not affect the other, thereby ensuring overall integrity and strength of the authentication process.

Conclusion

The Directions mark a significant and necessary advancement in the digital payments landscape, not only by strengthening security mechanisms, but also by safeguarding user data privacy. The mandated alignment with the provisions of the DPDPA reflects the RBI's commitment to embedding privacy considerations directly into security design, ensuring that user rights are preserved alongside enhanced controls.

Despite these strengthened measures, certain gaps remain. These include practical implementation challenges, especially in rural areas with limited internet connectivity, potential user friction due to new authentication methods against the conventional OTP-based authentication, and ambiguity arising from the absence of precise definition provided in the Directions for terms like "capable of being proven" or "robustness". Such gaps may lead to inconsistent interpretation by industry players and the risk of non-compliance with the Directions.

In order to bridge these gaps, the RBI may consider issuing supplementary guidelines addressing these gaps, along with closely monitoring the compliance with the Directions.

The content of this document does not necessarily reflect the views / position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up, please contact Khaitan & Co at editors@khaitanco.com.