RBI mandates two-factor authentication for all digital payments from April 2026
25 Sep 2025, 03:10 PMFor digital payments at least one of the factors of authentication must be dynamically created that is unique to that transaction.
Team Head&Tale
Share the story on
The Reserve Bank of India has issued final guidelines for authentication mechanisms in digital payment transactions. According to the guidelines, all digital payment transactions in the country are mandated to be authenticated using at least two factors of verification from 1 April 2026.
"All payment system providers and payment system participants , including banks and non-bank entities, shall ensure compliance these directions," the RBI's 'Authentication Mechanisms for Digital Payment Transactions Directions, 2025' guidelines stated.
The country's digital payments ecosystem has primarily relied on SMS-based one-time passwords (OTPs) as an additional layer of security.
The RBI guidelines stated that authentication factors may comprise password, SMS-based OTP, passphrase, PIN, card hardware, software token, fingerprint, or other biometric methods. Issuers may offer customers a choice of factors, provided they comply with the directions.
"It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction," it added.
The central bank said the new mechanism allows issuers to adopt risk-based approach beyond the minimum two-factor authentication. Issuers may also explore using DigiLocker as a platform for notification and confirmation for "high-risk transactions."
If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer fully.
The directions is not applicable to cross-border digital payment transactions.
However, by 1 October 2026, card issuers must enable authentication to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer, the RBI said.
To ensure compliance, card issuers must register their Bank Identification Numbers (BINs) with card networks. Further, a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 1, 2026.
The RBI also emphasized interoperability and open access in authentication and tokenisation services.
Who Reads Us
“I enjoy reading The Head and Tale for their coverage on the Fintech landscape. The reporting is incisive and honest, and it demonstrates a sharp understanding of the industry and the issues that concern it. I'd like to extend my best wishes to Arti for her continued success.”
“Well-researched, informative and analysis based reporting makes an interesting read. 'The Head and Tale' news portal has been demonstrating this quite well covering fintech and emerging tech sectors. Their timely updates, exclusive stories and different perspectives on these sectors help me stay informed. Kudos to Arti Singh for pursuing her passion and best wishes to the team.”
“The Head and Tale stands out for its deep industry knowledge and impressive network of sources. I especially appreciate that the reporting remains independent, rarely resorting to paid puff pieces, making it a publication I can genuinely trust. Having followed Arti’s work for years, I’ve come to rely on The Head and Tale for its unparalleled insight and truly independent coverage. Arti’s long-standing presence in the sector means her reporting is always informed, with access few can match.”
“What I really appreciate about The Head and Tale is that it doesn’t just report the news, it interprets it. The stories are well-researched, comprehensive, and bold. Arti brings a fearless lens to reporting, often asking the uncomfortable but necessary questions. She makes you pause, reflect, and rethink what it all means for the payments and fintech ecosystem. It’s rare to find journalism that’s this sharp, timely, and relevant to the work we do every day.”
“I’ve always valued journalism that goes beyond surface-level headlines. The Head and Tale does exactly that - it connects the dots, asks the tough questions, and brings clarity to the shifts shaping our evolving industry. I’ve even encouraged my team members to subscribe, because staying informed through credible, deeply reported stories is as important as building products. For me, The Head and Tale has become part of essential reading.”
Related News
