RBI Sets New Rules for Secure Digital Payments from April 2026

The Reserve Bank of India has recently released guidelines on the authentication mechanism framework for digital payment transactions. These directions will come into effect from April 1, 2026 mark an important step towards strengthening the security of digital payments while enabling the adoption of advanced authentication methods.

These directions introduce updated principles for authentication, risk management, and customer protection across domestic digital transactions, while also extending safeguards to specific cross-border card payments.

Why Has RBI Issued These Directions?

Digital payments in India have long followed the two-factor authentication (2FA) norm, with SMS-based OTPs being the most widely used method. However, with advancements in technology and the need for more secure, dynamic, and customer-friendly solutions, RBI is encouraging the ecosystem to adopt alternative authentication mechanisms.

These directions not only cover domestic digital transactions but also outline specific measures for cross-border card transactions, aligning with global payment security standards.

Effective Date and Applicability

RBI issued guidelines on authentication mechanism framework will come into effect soon, here is the effective date and applicability- 

• The directions will come into effect from April 1, 2026.
• They apply to all Payment System Providers and Participants, including both banks and non-bank entities.
• While primarily aimed at domestic transactions, certain provisions extend to cross-border Card-Not-Present (CNP) transactions using Indian-issued cards.

Core Principles for Authentication

According to the central bank, authentication factors can be something the user has, something the user knows, or something the user is and may include, among other things, password, SMS-based OTP, PIN, card hardware, fingerprint, or any other form of biometrics.

RBI has set out broad principles for digital payment authentication:

Minimum Two Factors of Authentication

• All digital transactions must use at least two distinct factors of authentication.
• Issuers may provide customers with a choice of authentication factors.

At Least One Dynamic Factor

• For non-card-present transactions, one authentication factor must be dynamically generated and unique to each transaction (e.g., OTP, token).

Robustness

Compromise of one factor must not weaken the reliability of the other.

RBI’s Risk-based Checks for Digital Payment Transactions

According to the RBI, issuers may identify transactions for examination against behavioural / contextual characteristics such as transaction location, user behaviour patterns, device features, historical transaction profile, and so on in accordance with their internal risk management rules. 

According to the RBI's Directions given on September 25, 2025, depending on the perceived risk connected with the transaction, extra checks above the required two-factor authentication may be implemented. Issuers may also consider using DigiLocker to notify and confirm high-risk transactions.

Cross-Border Transactions – New Requirements

The RBI also requires card issuers to implement a risk-based framework for handling all cross-border CNP transactions by October 1, 2026. While the directions largely focus on domestic payments, the RBI has established new guidelines for cross-border CNP transactions: 

• By October 1, 2026, card issuers must implement mechanisms to validate non-recurring international transactions.
• Issuers must also adopt a risk-based mechanism for handling such transactions and register their Bank Identification Numbers (BINs) with card networks.

According to the RBI, all digital payments in India must comply with the two-factor authentication standard. While no specific factor was required for authentication, the digital payments ecosystem has typically used SMS-based One Time Password (OTP) as an additional factor.

Conclusion

The RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025 mark a crucial step in making India’s digital payment ecosystem more secure, dynamic, and globally aligned. As digital payments continue to grow, these guidelines will help India building a safe, inclusive, and future-ready payment infrastructure.