Digital Payment Transactions Regulations by RBI

The Reserve Bank of India (RBI) has introduced the Authentication Mechanisms for Digital Payment Transactions Directions, 2025. These regulations will come into effect on April 1, 2026, impacting all providers of payment services, including banks and fintech companies. Currently, digital payments in India primarily utilise SMS-based OTPs. The new regulations broaden the scope of authentication options to include biometrics, device-based tokens, and passphrases. Each transaction is required to have a minimum of two distinct authentication factors, with at least one being dynamic and unique to that particular transaction.

Interoperability and Responsibility

The RBI has highlighted the importance of interoperability, mandating that authentication and tokenisation services function across all applications and channels. Payment issuers are also permitted to enforce additional checks based on risk considerations, such as unusual device usage or atypical transaction patterns.

Issuer Accountability

Moreover, issuers will be held accountable for the robustness of their authentication mechanisms. Any losses resulting from non-compliance must be fully reimbursed to customers. The regulations also require adherence to the Digital Personal Data Protection Act, 2023.

Cross-Border Transaction Requirements

For cross-border transactions, the framework mandates that Indian card issuers put mechanisms in place to validate non-recurring “card-not-present” transactions by October 1, 2026. They are also required to carry out risk-based assessments for all such cross-border transactions and to register their Bank Identification Numbers (BINs) with card networks.

Exemptions

Exemptions from two-factor authentication will persist for certain cases, such as small offline payments, recurring e-mandates, and transactions related to transit. The RBI has also retracted multiple older circulars concerning card security, consolidating all regulations under this unified framework.

According to Vishwas Patel, Chair of the Payments Council of India and Joint Managing Director of Infibeam Avenues, the clarity and flexibility offered by these regulations will empower issuers and payment providers to adopt next-generation technologies such as biometrics, tokenisation, and contextual risk assessments. By prioritising security, the RBI has laid the foundation for a safer, simpler, and more inclusive digital payments landscape for consumers and businesses alike.