Reserve Bank of India Issues Directions on Authentication Mechanisms for Digital Payment Transactions, 2025
Introduction
On September 25, 2025, the Reserve Bank of India (“RBI”) released the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 (“Directions”), under a notification dated September 25, 2025. The Directions, issued under Section 18 in conjunction with Section 10(2) of the Payment and Settlement Systems Act, 2007, create a uniform and technology-neutral framework for authentication in digital payments across India.
Explanation
The new policy has been published in recognition of the changing digital payment context in India and the increasing need for authentication options that are both more secure and more user-friendly. Two-factor authentication (“2FA”) has been a foundational component of India’s digital payment security framework for well over a decade, but it has relied extensively on SMS-based one-time passwords (“OTPs”) as the second factor. SMS OTPs are increasingly vulnerable to phishing and SIM swapping, and they depend on network connectivity. With that in mind, the RBI’s new directions seek to modernize the authentication process by permitting participants to use alternative technologies, including biometric authentication, device-based tokens, and cryptographic credentials. These technologies should give users a better balance of convenience and security when using digital financial services.
Although the primary focus is domestic payments, the Reserve Bank of India has also issued similar provisions for international card payments made with cards issued in India, so that online cross-border payments receive similar safety features. Under the Directions, every digital transaction must be authenticated with at least two separate factors drawn from the categories “something the user knows,” “something the user has,” and “something the user is.” Examples are a password or PIN, a hardware or software token, and a fingerprint or other biometric characteristic. The Reserve Bank of India explicitly requires that at least one factor be dynamic and unique to each transaction, to support real-time security and to minimize replay attacks. The Directions also require the factors to be independent of one another, so that the compromise of one factor does not compromise the reliability of the other.
A significant aspect of the new directions is the focus on interoperability and open access. System providers and participants must make authentication and tokenisation services available across all applications operating in a given environment. This move supports the RBI’s broader goal of establishing open, inclusive, and innovation-friendly financial infrastructure.
The rules adopt a risk-based style of authentication, allowing issuers to decide the level of assurance needed from the risk profile of each transaction. Issuers are expected to evaluate transactions on behavioural and contextual factors, such as the user’s location, historical payment patterns, and behavioural information about the devices used during payment. High-risk transactions may require further layers of authentication, while low-risk or habitual transactions may require fewer verification steps or be streamlined considerably. The RBI has also proposed a new approach of relying on DigiLocker to alert or notify an individual of high-value or high-risk transactions; this could give regulatory oversight of all such transactions while taking advantage of India’s digital public infrastructure, which is still under construction.
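To make the two rules just described concrete (two factors from distinct categories, at least one dynamic and unique per transaction, factors independent; and a risk-based step-up driven by contextual signals), here is a small policy checker. It is an added example written for this page, not code from the RBI, a card network or any issuer. The factor names, the independence test (distinct delivery channels), the risk weights, the high-value threshold and the number of factors demanded per risk tier are all assumptions chosen for illustration; an issuer’s actual policy would set these from its own risk model.

```python
"""Illustrative authentication-policy checker (added example; assumed values throughout)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    dynamic: bool   # value changes per transaction (OTP, signed challenge, ...)
    channel: str    # delivery/verification channel; used for the independence check


@dataclass
class Context:
    amount: float
    new_device: bool
    new_location: bool
    deviates_from_pattern: bool


class SeenDynamicValues:
    """Remembers dynamic values already consumed, so a repeated value is a replay."""

    def __init__(self) -> None:
        self._seen: set[tuple[str, str]] = set()

    def accept(self, factor_name: str, value: str) -> bool:
        key = (factor_name, value)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def check_factor_set(factors: list[Factor]) -> list[str]:
    """Return the list of rule violations (empty means the set is acceptable)."""
    problems = []
    if len({f.category for f in factors}) < 2:
        problems.append("fewer than two distinct factor categories")
    if not any(f.dynamic for f in factors):
        problems.append("no dynamic per-transaction factor")
    channels = [f.channel for f in factors]
    if len(set(channels)) < len(channels):
        # Assumed independence test: two factors on one channel fall together.
        problems.append("factors share a channel; compromise of one would compromise the other")
    return problems


def risk_tier(ctx: Context, high_value_threshold: float = 50000.0) -> str:
    """Assumed scoring: high-value counts double, each contextual anomaly counts once."""
    score = 2 if ctx.amount >= high_value_threshold else 0
    score += int(ctx.new_device) + int(ctx.new_location) + int(ctx.deviates_from_pattern)
    if score >= 2:
        return "high"
    return "medium" if score == 1 else "low"


def required_factor_count(tier: str) -> int:
    # Assumed step-up policy: two factors always, a third for high-risk transactions.
    return {"low": 2, "medium": 2, "high": 3}[tier]


def authorize(txn_id: str, factors: list[Factor], presented_dynamic: dict[str, str],
              ctx: Context, seen: SeenDynamicValues) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for one transaction."""
    problems = check_factor_set(factors)
    if problems:
        return "deny", problems
    tier = risk_tier(ctx)
    needed = required_factor_count(tier)
    if len(factors) < needed:
        return "step_up", [f"{txn_id}: {tier}-risk transaction needs {needed} factors"]
    # Consume dynamic values only once the set is acceptable; a reused value is a replay.
    for name, value in presented_dynamic.items():
        if not seen.accept(name, value):
            return "deny", [f"{txn_id}: replayed value for dynamic factor {name!r}"]
    return "allow", [f"{txn_id}: {tier}-risk transaction"]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    pin = Factor("PIN", Category.KNOWS, dynamic=False, channel="app")
    challenge = Factor("device challenge", Category.HAS, dynamic=True, channel="device-key")
    seen = SeenDynamicValues()
    print(authorize("t1", [pin, challenge], {"device challenge": "nonce-1"},
                    Context(500.0, False, False, False), seen))
    print(authorize("t2", [pin, challenge], {"device challenge": "nonce-1"},
                    Context(500.0, False, False, False), seen))   # replay -> deny
    print(authorize("t3", [pin, challenge], {"device challenge": "nonce-2"},
                    Context(80000.0, True, False, False), seen))  # high risk -> step_up
```

The design point worth noting is the ordering inside `authorize`: the structural rules (categories, dynamic factor, independence) are checked before any risk scoring, because a weak factor set cannot be rescued by a low risk score, and the dynamic value is consumed only when the transaction would otherwise be allowed, so a step-up does not burn a fresh challenge.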
Another important provision relates to issuer liability. The RBI has squarely placed responsibility for the safety and reliability of authentication protections on issuers. If a loss occurs because of an issuer’s non-compliance with the Directions, the issuer must compensate the customer for the entire loss without undue delay or dispute. This is meant to give consumers confidence in the digital financial system and to make clear where responsibility lies among service providers. Moreover, issuers are expected to comply with the Digital Personal Data Protection Act, 2023, so that the authentication process is governed by data privacy and data security requirements.
By October 1, 2026, card issuers must have processes in place to authenticate cross-border card-not-present (“CNP”) transactions made by foreign merchants or acquirers that are non-recurring. Issuers will also be required to register their Bank Identification Numbers (“BINs”) with the card networks and implement risk-based methods for monitoring and verifying such transactions. These measures are intended to safeguard against fraud and to improve the regulatory oversight of cross-border payments.
The 2025 Directions also consolidate and rescind a set of earlier circulars, issued between 2009 and 2016, that dealt with card safety, additional factors of authentication, and risk mitigation. By combining these inconsistent guidelines into one cohesive document, the RBI has simplified the regulatory environment and eliminated redundancy. Furthermore, by removing layers of outdated and convoluted processes, the consolidated Directions ensure that all regulated entities adhere to the same benchmark for authentication safety and consumer protection.
Conclusion
The Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025 mark a significant step forward in the regulation of India’s financial system. The new set of principles aligns security with convenience, allowing payment providers to pilot a variety of new technologies, including biometrics, behavioural analytics, and tokenization, without lowering the baseline protection that users expect.