RBI (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025: Balancing Privacy and Security in Digital Payments
Introduction
On 25 September 2025, the Reserve Bank of India (RBI) issued the ‘Authentication Mechanisms for Digital Payment Transactions Directions, 2025’ (Directions) with the objective of strengthening security of digital payments by leveraging technological advancements beyond conventional SMS-based OTPs.
The Directions build upon the announcements made in the RBI’s Statements on Developmental and Regulatory Policies from February 2024 and February 2025 (collectively, “Statements”), which underscore measures to enhance the resilience and security of payment systems.
While the Directions retain the core intent of the Statements, including the adoption of a principles-based framework and the classification of authentication factors, they also introduce several key additions that will have a material impact on practical implementation.
Applicability and Compliance
The Directions apply to all payment system providers and participants, including banks and non-banks (collectively, “PSPs”), which are required to ensure compliance by 1 April 2026. While the overarching obligation to comply rests with all PSPs, card issuers carry a specific responsibility to verify the robustness and integrity of authentication mechanisms before deploying them.
The Directions extend to all domestic digital payment transactions, except where explicit exemptions are provided. At present, the Directions do not apply to cross-border digital payment transactions, given that such transactions often involve overseas merchants and payment systems outside India’s regulatory jurisdiction.
However, the Directions impose targeted obligations on card issuers in relation to cross-border card-not-present (CNP) transactions (where an authentication request is initiated by an overseas merchant or acquirer), to be complied with by 1 October 2026. Additionally, card issuers must implement risk-based authentication mechanisms for all cross-border CNP transactions, whether recurring or non-recurring.
Non-recurring CNP transactions are typically more vulnerable to fraud, for instance when stolen card details are used for a one-time purchase from a foreign merchant. Recurring transactions (such as subscription payments), on the other hand, carry lower risk, as they often rely on tokenisation or pre-authorised mandates. The RBI appears to be targeting these one-time transactions by ensuring that card issuers verify the cardholder’s identity, thereby reducing unauthorised charges.
Categories of Authentication
The Directions prescribe three categories of authentication factors:
- Something the user has (for instance, a physical card, hardware token, SMS-based OTP).
- Something the user knows (for instance, a password or a PIN).
- Something the user is (for instance, biometric identifiers such as fingerprints or facial recognition).
Principles of Authentication
The Directions prescribe the following three core principles of authentication:
- Minimum two-factor authentication: Each digital payment transaction (DP Transaction), except those exempted (such as small-value contactless card transactions, recurring transactions under the e-mandate framework, and gift prepaid instruments), must be authenticated using at least two different factors (AFA). Card issuers may choose to: (i) offer customers the flexibility to choose their preferred authentication factors; and (ii) implement additional checks beyond AFA in line with their internal risk-based policies; in either case they must meet the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA).
- One factor must be dynamic or proven: For all DP Transactions (other than card-present transactions involving the physical use of a card), at least one factor of authentication must be either dynamically generated (eg, an OTP) and uniquely tied to the specific transaction so that it cannot be reused, or capable of being proven (eg, biometric authentication). The inclusion of both “dynamic” and “capable of being proven” reflects the RBI’s intent to provide flexibility while ensuring robust security for non-card-present transactions.
- Every factor to be robust: The Directions require the two factors of authentication to be independent of each other, designed such that the compromise or unreliability of one factor does not affect the reliability of the other, thereby ensuring the overall integrity and strength of the authentication process.
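The three principles above translate directly into checks that an issuer or PSP can run against a proposed authentication design. The following is an added illustration, not text or code from the Directions or from the authors: a small evaluator that encodes the three factor categories and the three principles, and applies them to a few constructed factor combinations. The factor names, the `verifier` attribute used as a stand-in for the independence test, and the exemption labels are assumptions made for the example, not terms defined by the RBI.

```python
from dataclasses import dataclass
from enum import Enum

# Added example, not from the RBI Directions or the article's authors. The
# factor names, the "verifier" attribute and the exemption labels below are
# assumptions made for illustration only.


class Category(Enum):
    HAS = "something the user has"
    KNOWS = "something the user knows"
    IS = "something the user is"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    dynamic: bool = False    # generated per transaction and bound to it (e.g. an OTP)
    provable: bool = False   # capable of being proven (e.g. a biometric match)
    # Assumed attribute: the device or channel whose compromise defeats the factor.
    # Two factors resting on the same verifier are treated as not independent.
    verifier: str = "unknown"


# Assumed identifiers for the exemptions the Directions list (small-value
# contactless, e-mandate recurring, gift prepaid instruments).
EXEMPT_TRANSACTION_TYPES = {"small_value_contactless", "e_mandate_recurring", "gift_ppi"}


def evaluate(factors, card_present: bool = False, transaction_type: str = "standard") -> list[str]:
    """Return the list of principle violations; an empty list means the set passes."""
    if transaction_type in EXEMPT_TRANSACTION_TYPES:
        return []
    findings = []

    # Principle 1: at least two factors drawn from different categories.
    categories = {f.category for f in factors}
    if len(factors) < 2 or len(categories) < 2:
        findings.append("minimum two-factor: fewer than two distinct factor categories")

    # Principle 2: for non-card-present transactions, at least one factor must be
    # dynamic (transaction-bound) or capable of being proven.
    if not card_present and not any(f.dynamic or f.provable for f in factors):
        findings.append("dynamic-or-proven: no dynamic or provable factor for a non-card-present transaction")

    # Principle 3: factors must be independent. Sharing a verifier is the assumed
    # heuristic for "compromise of one factor affects the other".
    verifiers = [f.verifier for f in factors]
    shared = {v for v in verifiers if verifiers.count(v) > 1}
    for v in sorted(shared):
        findings.append(f"independence: multiple factors rely on the same verifier '{v}'")
    return findings


# Constructed scenarios used to exercise the evaluator.
CARD_PRESENT = [
    Factor("physical card", Category.HAS, verifier="card chip"),
    Factor("card PIN", Category.KNOWS, verifier="POS keypad"),
]
ONLINE_PASSWORD_OTP = [
    Factor("net-banking password", Category.KNOWS, verifier="browser"),
    Factor("SMS OTP", Category.HAS, dynamic=True, verifier="registered phone"),
]
ONLINE_TWO_SECRETS = [
    Factor("password", Category.KNOWS, verifier="browser"),
    Factor("security answer", Category.KNOWS, verifier="browser"),
]
SAME_PHONE = [
    Factor("app PIN", Category.KNOWS, verifier="registered phone"),
    Factor("SMS OTP", Category.HAS, dynamic=True, verifier="registered phone"),
]


if __name__ == "__main__":
    for label, factors, cp in [("card-present", CARD_PRESENT, True),
                               ("password + OTP", ONLINE_PASSWORD_OTP, False),
                               ("two secrets", ONLINE_TWO_SECRETS, False),
                               ("PIN + OTP on one phone", SAME_PHONE, False)]:
        print(label, "->", evaluate(factors, card_present=cp) or "passes")
```

The last scenario is the one the "robustness" principle is aimed at: an app PIN and an SMS OTP are two categories and one of them is dynamic, so the first two principles are satisfied, yet both are defeated by compromise of the same handset. The evaluator flags only that independence problem, which is the kind of finding a card issuer would want to surface before deployment. Note also that the card-present set passes without any dynamic factor, while the same card-plus-PIN set is rejected when evaluated as a card-not-present transaction.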
Conclusion
The Directions mark a significant and necessary advancement in the digital payments landscape, not only by strengthening security mechanisms, but also by safeguarding user data privacy. The mandated alignment with the provisions of the DPDPA reflects the RBI’s commitment to embedding privacy considerations directly into security design, ensuring that user rights are preserved alongside enhanced controls.
Despite these strengthened measures, certain gaps remain. These include practical implementation challenges, especially in rural areas with limited internet connectivity; potential user friction as new authentication methods replace the familiar OTP-based flow; and ambiguity arising from the absence of precise definitions in the Directions for terms such as “capable of being proven” and “robustness”. Such gaps may lead to inconsistent interpretation by industry players and a consequent risk of non-compliance with the Directions.
In order to bridge these gaps, the RBI may consider issuing supplementary guidelines addressing these gaps, along with closely monitoring the compliance with the Directions.
- Harsh Walia (Partner); Rupendra Gautam (Senior Associate) and Sanskriti Shrivastava (Associate)
For any queries please contact: editors@khaitanco.com
For private circulation only
The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.
© 2024 Khaitan & Co. All rights reserved.