
RBI (Authentication Mechanisms for Digital Payments Transactions) Directions, 2025: Balancing Privacy and Security in Digital Payment

03-Oct-2025

Introduction

On 25 September 2025, the Reserve Bank of India (RBI) issued the ‘Authentication Mechanisms for Digital Payment Transactions Directions, 2025’ (Directions) with the objective of strengthening the security of digital payments by leveraging technological advancements beyond conventional SMS-based OTPs.

The Directions build upon the announcements made in the RBI’s Statements on Developmental and Regulatory Policies of February 2024 and February 2025 (collectively, “Statements”), which set out measures to enhance the resilience and security of payment systems.

While the Directions retain the core intent of the Statements, including the adoption of a principles-based framework and the classification of authentication factors, they also introduce several key additions that will have a material impact on practical implementation.

Applicability and Compliance

The Directions apply to all payment system providers and participants, including banks and non-banks (collectively, “PSPs”), who are required to ensure compliance by 1 April 2026. While the overarching obligation to comply rests with all PSPs, card issuers carry a specific responsibility to verify the robustness and integrity of authentication mechanisms prior to deployment.

The Directions extend to all domestic digital payment transactions, except where explicit exemptions are provided. At present, the Directions do not apply to cross-border digital payment transactions, given that such transactions often involve overseas merchants and payment systems outside India’s regulatory jurisdiction.

However, the Directions impose targeted obligations on card issuers in relation to cross-border card-not-present (CNP) transactions (where the authentication request is initiated by an overseas merchant or acquirer), which must be met by 1 October 2026. In particular, card issuers must implement risk-based authentication mechanisms for all cross-border CNP transactions, whether recurring or non-recurring.

Non-recurring CNP transactions are typically more vulnerable to fraud, for instance when stolen card details are used for a one-time purchase from a foreign merchant. Recurring transactions (such as subscription payments), on the other hand, carry lower risk, as they often rely on tokenisation or pre-authorised mandates. The RBI appears to be targeting these one-time transactions by ensuring that card issuers verify the cardholder’s identity, thereby reducing unauthorised charges.

Categories of Authentication

The Directions prescribe three categories of authentication factors:

  1. Something the user has (for instance, a physical card, hardware token, SMS-based OTP).
  2. Something the user knows (for instance, a password or a PIN).
  3. Something the user is (for instance, biometric identifiers such as fingerprints or facial recognition).

Principles of Authentication

The Directions prescribe the following three core principles of authentication:

  1. Minimum two-factor authentication: Each digital payment transaction (DP Transaction), except those exempted (such as small-value contactless card transactions, recurring transactions under the e-mandate framework, and gift prepaid instruments), must be authenticated using at least two different factors (AFA). Card issuers may choose to: (i) offer customers the flexibility to choose their preferred authentication factors; and (ii) implement additional checks beyond AFA in line with their internal risk-based policies, while ensuring that they meet the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA).
  2. One factor must be dynamic or proven: For all DP Transactions (other than card-present transactions involving the physical use of a card), at least one factor of authentication must be either dynamically generated (e.g., an OTP) and uniquely tied to the specific transaction so that it cannot be reused, or capable of being proven (e.g., biometric authentication). The inclusion of both “dynamic” and “capable of being proven” reflects the RBI’s intent to provide flexibility while ensuring robust security for non-card-present transactions.
  3. Every factor to be robust: The Directions require that the two factors of authentication be designed independently of each other, so that the compromise or failure of one factor does not affect the reliability of the other, thereby ensuring the overall integrity and strength of the authentication process.
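The “dynamically generated and uniquely tied to the specific transaction” requirement in item 2 is usually implemented by binding the one-time code cryptographically to the transaction details (often called dynamic linking). The following is an added illustration, not code from the Directions or from this article: the issuer computes the OTP as an HMAC over the transaction identifier, amount and payee plus a fresh per-transaction nonce kept only on the issuer side, so a code issued for one transaction fails if the amount or payee is altered before verification, is single-use, and expires. The `TxnBoundOtpIssuer` class, the `Transaction` fields, the key, the time-to-live and the sample transactions are all assumptions constructed for this example.

```python
"""Transaction-bound ("dynamically linked") OTP: added illustration only."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Transaction:
    """Constructed sample shape; a real authorisation message carries more fields."""
    txn_id: str
    amount_paise: int   # minor units keep the MAC input free of float formatting
    payee: str


class TxnBoundOtpIssuer:
    """Hypothetical issuer-side OTP service (an assumption, not an RBI-specified API)."""

    def __init__(self, key: bytes, ttl_seconds: int = 180,
                 now: Callable[[], float] = time.time) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry can be exercised
        # txn_id -> (nonce, expiry). The nonce never leaves the issuer.
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def _derive(self, txn: Transaction, nonce: bytes) -> str:
        # Length-prefix each field so "12|3" and "1|23" cannot produce the same MAC input.
        def field(b: bytes) -> bytes:
            return len(b).to_bytes(4, "big") + b

        msg = b"".join(field(x) for x in (
            txn.txn_id.encode(), str(txn.amount_paise).encode(),
            txn.payee.encode(), nonce))
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        # Dynamic truncation in the style of RFC 4226, reduced to a 6-digit code.
        offset = digest[-1] & 0x0F
        code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{code % 1_000_000:06d}"

    def issue(self, txn: Transaction) -> str:
        """Generate the code the customer receives for exactly this transaction."""
        nonce = secrets.token_bytes(16)
        self._pending[txn.txn_id] = (nonce, self._now() + self._ttl)
        return self._derive(txn, nonce)

    def verify(self, txn: Transaction, otp: str) -> bool:
        """Check the code against the transaction as presented at verification time."""
        entry = self._pending.get(txn.txn_id)
        if entry is None:
            return False                      # never issued, or already consumed
        nonce, expires_at = entry
        if self._now() > expires_at:
            del self._pending[txn.txn_id]     # stale code is discarded
            return False
        ok = hmac.compare_digest(self._derive(txn, nonce), otp)
        if ok:
            del self._pending[txn.txn_id]     # single use: a replay is refused
        return ok


def demo() -> Dict[str, bool]:
    """Constructed walk-through; returns each check's outcome (True = behaved as intended)."""
    key = secrets.token_bytes(32)             # issuer secret, constructed for the demo
    clock = [1_700_000_000.0]
    issuer = TxnBoundOtpIssuer(key, ttl_seconds=180, now=lambda: clock[0])

    original = Transaction("TXN-0001", amount_paise=49_900, payee="Example Store")
    tampered = Transaction("TXN-0001", amount_paise=4_990_000, payee="Example Store")
    otp = issuer.issue(original)

    results = {
        "tampered_amount_rejected": not issuer.verify(tampered, otp),
        "genuine_accepted": issuer.verify(original, otp),
        "replay_rejected": not issuer.verify(original, otp),
    }
    otp2 = issuer.issue(original)
    clock[0] += 181                           # move past the time-to-live
    results["expired_rejected"] = not issuer.verify(original, otp2)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The binding is what distinguishes this from a plain SMS OTP: because the amount and payee enter the MAC, a code phished from the customer for a small purchase cannot authorise a larger one, and because the nonce is consumed on first successful verification, the same code cannot be presented twice. In a deployment the customer-facing message would display the same amount and payee that were fed into the MAC, so that the customer is confirming what the issuer will actually verify.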

Conclusion

The Directions mark a significant and necessary advancement in the digital payments landscape, not only by strengthening security mechanisms, but also by safeguarding user data privacy. The mandated alignment with the provisions of the DPDPA reflects the RBI’s commitment to embedding privacy considerations directly into security design, ensuring that user rights are preserved alongside enhanced controls.

Despite these strengthened measures, certain gaps remain. These include practical implementation challenges, especially in rural areas with limited internet connectivity; potential user friction as new authentication methods replace the conventional OTP-based authentication; and ambiguity arising from the absence of precise definitions in the Directions for terms such as “capable of being proven” and “robustness”. Such gaps may lead to inconsistent interpretation by industry players and a risk of non-compliance with the Directions.

To bridge these gaps, the RBI may consider issuing supplementary guidelines, along with closely monitoring compliance with the Directions.

  • Harsh Walia (Partner); Rupendra Gautam (Senior Associate) and Sanskriti Shrivastava (Associate)

For any queries please contact: editors@khaitanco.com
