RBI mandates two-factor authentication for all digital payments from April 2026

25 Sep 2025, 03:10 PM

For digital payments, at least one of the authentication factors must be dynamically created and unique to that transaction.

Team Head&Tale

The Reserve Bank of India has issued final guidelines for authentication mechanisms in digital payment transactions. Under the guidelines, all digital payment transactions in the country must be authenticated using at least two factors of verification from 1 April 2026.

"All payment system providers and payment system participants, including banks and non-bank entities, shall ensure compliance with these directions," the RBI's 'Authentication Mechanisms for Digital Payment Transactions Directions, 2025' guidelines stated.

The country's digital payments ecosystem has primarily relied on SMS-based one-time passwords (OTPs) as an additional layer of security. 

The RBI guidelines stated that authentication factors may comprise password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or other biometric methods. Issuers may offer customers a choice of factors, provided they comply with the directions.

"It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction," it added.

The central bank said the new mechanism allows issuers to adopt a risk-based approach beyond the minimum two-factor authentication. Issuers may also explore using DigiLocker as a platform for notification and confirmation for "high-risk transactions."

If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer fully.

The directions are not applicable to cross-border digital payment transactions.

However, by 1 October 2026, card issuers must enable authentication to validate non-recurring, cross-border card-not-present (CNP) transactions, where the request for authentication is raised by an overseas merchant or overseas acquirer, the RBI said.

To ensure compliance, card issuers must register their Bank Identification Numbers (BINs) with card networks. Further, a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 1, 2026.

The RBI also emphasized interoperability and open access in authentication and tokenisation services.