RBI Issues New Directions To Boost Digital Payment Security From April 2026

As digital payments become an integral part of everyday life in India, the Reserve Bank of India (RBI) has taken a significant step to enhance the security of these transactions. The RBI, in February 2024, had announced its intention to modernize the authentication mechanisms used across the country's payment ecosystem. This vision was formalized in the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, which will come into effect on April 1, 2026.

"All Payment System Providers and Payment System Participants, including banks and non-bank entities, shall ensure compliance with these directions by April 01, 2026, unless indicated otherwise for any specific provision herein," RBI said in a statement.

Currently, most digital payments in India rely on SMS-based One Time Passwords (OTP) as a second factor of authentication. However, recognizing the rapid advancements in technology and the evolving landscape of cyber threats, the RBI has mandated that all digital payments must now be secured by at least two distinct factors of authentication. Importantly, at least one factor must be dynamic--unique to each transaction--to prevent fraud and unauthorized access.

These directions apply to all payment system providers and participants, including banks and non-bank entities, covering all domestic digital payment transactions, with specific provisions for cross-border card-not-present transactions. For the latter, card issuers must implement mechanisms by October 1, 2026, to validate international transactions where the card is not physically present, further safeguarding Indian consumers shopping globally.

The RBI's framework emphasizes robustness, interoperability, and a risk-based approach. Issuers are encouraged to evaluate transactions based on behavior patterns, location, and other contextual data to decide if additional authentication is required. This flexible, layered security model aims to balance convenience and protection.

In addition to technical requirements, issuers bear full responsibility for compensating customers in case of losses arising from non-compliance with the directions. The RBI also aligns these directions with the Digital Personal Data Protection Act, 2023, reinforcing data privacy alongside payment security.

With these new directions, the RBI is steering India's digital payment ecosystem toward a safer, more resilient future building trust and confidence for millions of users nationwide.

(Except for the headline, this story has not been edited by Asianet Newsable English staff and is published from a syndicated feed.)

MENAFN25092025007385015968ID1110109893