
Press Release: 2025-2026/1165, Dated 25.09.2025
1. Introduction
The Reserve Bank of India (RBI) has issued the Authentication Mechanisms for Digital Payment Transactions Directions, 2025, setting a comprehensive framework to strengthen the security of digital payments in India. These directions build upon the earlier draft proposals on alternative authentication mechanisms and the additional factor of authentication for Cross-Border Card Not Present (CNP) transactions. The guidelines aim to enhance consumer protection, promote secure digital transactions, and ensure compliance with global best practices.
2. Applicability of the Directions
The new directions are applicable to all Payment System Providers and Participants, covering both banks and non-bank entities engaged in digital payments. They apply to all domestic digital payment transactions, unless a specific exemption is provided. By including the entire ecosystem—issuers, acquirers, and intermediaries—the RBI ensures that security standards are implemented consistently across the payment industry.
3. Principles of Authentication
The framework mandates that each digital payment transaction must be authenticated using at least two distinct factors of authentication. Importantly, issuers are allowed to provide customers the option to select their preferred factors of authentication. For non-card-present transactions, at least one factor must be dynamic and unique to that particular transaction. The directions further require that the compromise of one authentication factor must not reduce the reliability of the other, thereby ensuring layered security for transactions.
4. Interoperability, Risk-Based Approach, and Issuer Responsibilities
To promote innovation and inclusivity, the RBI has directed that authentication and tokenisation services must remain open and interoperable, accessible to all applications, token requestors, channels, and storage mechanisms. At the same time, issuers are encouraged to adopt a risk-based approach, assessing transactions based on behavioural and contextual indicators such as device details, location, user behaviour, and transaction history. For high-risk transactions, issuers may introduce additional checks, including using DigiLocker for notifications and confirmations. Crucially, issuers bear full responsibility for ensuring the integrity of authentication mechanisms and must compensate customers for any losses arising from non-compliance with these directions.
5. Conclusion
Through the issuance of these directions, the RBI has reinforced its commitment to securing India’s rapidly expanding digital payment ecosystem. By mandating multi-factor authentication, promoting interoperability, and placing clear accountability on issuers, the framework ensures robust consumer protection and builds trust in digital payments. Coupled with compliance under the Digital Personal Data Protection Act, 2023, these measures align India’s financial sector with international standards while fostering safe, reliable, and inclusive digital transactions.
The post RBI Issues Directions on Authentication for Digital Payments appeared first on Taxmann Blog.
