RBI Directions, 2025 on Digital Payment Authentication

The issuance of the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, dated September 25, 2025, represents a significant statutory intervention designed to modernize and standardize security protocols across India’s digital payment ecosystem. These Directions signal a fundamental shift from technology-specific requirements to a unified, principle-based authentication framework.

Legal Foundation, Scope, and Regulatory Consolidation

The Statutory Mandate and Applicability

The legal authority underwriting these Directions is firmly established by the Payment and Settlement Systems (PSS) Act, 2007. Specifically, the mandate is issued under Section 18 read with Section 10(2) of the PSS Act, 2007, which empowers the Reserve Bank of India (RBI) to issue necessary directions to Payment System Providers (PSPs) and participants to ensure the secure and efficient functioning of payment systems.

The scope of these regulations is broad, applying comprehensively to all Payment System Providers and Payment System Participants, encompassing both banking and non-bank entities. They govern all domestic digital payment transactions, defined as “Electronic Funds Transfer” under the PSS Act, 2007. All regulated entities must ensure full compliance with these Directions by the deadline of April 01, 2026, unless a different date is stipulated for a specific provision. Non-compliance can lead to penalties outlined in the PSS Act, 2007.

Regulatory Consolidation through Repeal

The 2025 Directions are an exercise in regulatory consolidation, explicitly repealing eight distinct circulars and directions that were previously issued between February 2009 and December 2016. These repealed circulars addressed various piecemeal security concerns, such as specific security issues for Credit/Debit Card transactions and prior guidelines concerning Additional Factor of Authentication (AFA) relaxations. This repeal establishes the 2025 Directions as the definitive and sole standard for authentication, eliminating compliance ambiguity.

Defining the New Authentication Baseline: Principles of Security and Flexibility

The core legal strength of the 2025 Directions resides in establishing three mandatory and technology-neutral principles for validating payment instructions.

The Mandate for Minimum Two Factors of Authentication (2FA)

The foundational security requirement remains the necessity for a minimum of two distinct factors of authentication for all digital payment transactions, unless a recognized exemption is in force. A Factor of Authentication must be sourced from three mutually exclusive categories: “something the user has” (e.g., card hardware, software token), “something the user knows” (e.g., password, PIN), or “something the user is” (e.g., fingerprint, biometrics, Aadhaar based verification). Issuers retain the discretion to offer a choice of compliant authentication factors to their customers.

The Critical Requirement of Dynamic Factor Authentication (DFA)

For all digital payment transactions, with the sole exception of Card Present transactions, the Directions require that at least one of the factors of authentication be dynamically created or proven. The proof of possession of the chosen factor, transmitted as part of the transaction, must be unique to that transaction. This mandate addresses the weakness of static or repeatable secondary authentication methods: a proof that is valid for only one transaction cannot be captured and reused for another, which makes fraud such as phishing or SIM swapping far harder to carry out.
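The two principles above (two factors from distinct categories, and a transaction-unique proof for anything other than a Card Present transaction) can be expressed as an issuer-side check. The following is an added illustration, not code from the Directions or any issuer; the category names, the HMAC-over-transaction-fields construction of the dynamic factor, and the stored credentials are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Factor categories named in the Directions; each factor type maps to exactly one,
# so two factors from the same category do not count as two factors.
CATEGORY = {"card": "has", "software_token": "has", "pin": "knows"}
DYNAMIC = {"software_token"}  # factor types whose proof is created per transaction

# Constructed issuer-side records for one customer (not real credentials).
STORED = {"pin": hashlib.sha256(b"4321").digest(),
          "software_token": b"device-secret-constructed-example"}

@dataclass
class Transaction:
    txn_id: str
    amount: int            # minor units
    payee: str
    card_present: bool = False
    exempt: bool = False   # an Annexure-1 exemption is in force

@dataclass
class Factor:
    kind: str              # key of CATEGORY
    proof: bytes           # what the customer presented

def transaction_proof(secret: bytes, txn: Transaction) -> bytes:
    """Assumed dynamic-factor design: an HMAC over the transaction fields, so the
    proof is created for this transaction and is not valid for any other."""
    msg = f"{txn.txn_id}|{txn.amount}|{txn.payee}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

def verify_factor(f: Factor, txn: Transaction) -> bool:
    if f.kind == "software_token":
        return hmac.compare_digest(f.proof, transaction_proof(STORED["software_token"], txn))
    if f.kind == "pin":
        return hmac.compare_digest(hashlib.sha256(f.proof).digest(), STORED["pin"])
    if f.kind == "card":
        return True  # chip validation is done by the terminal in this model
    return False

def check_authentication(txn: Transaction, factors: list[Factor]) -> list[str]:
    """Reasons the authentication falls short of the Directions; [] means it passes."""
    if txn.exempt:
        return []
    problems = [f"{f.kind} proof invalid" for f in factors if not verify_factor(f, txn)]
    if len({CATEGORY[f.kind] for f in factors}) < 2:
        problems.append("fewer than two distinct factor categories")
    if not txn.card_present and not any(f.kind in DYNAMIC for f in factors):
        problems.append("no factor with a transaction-unique proof")
    return problems
```

Replaying a token proof captured from one transaction against a second transaction is reported as an invalid proof, which is the property the dynamic-factor requirement is meant to guarantee.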

Compliance Obligations: Liability, Data Protection, and Interoperability

The implementation phase of the 2025 Directions imposes specific, high-stakes operational and legal requirements on Payment System Participants.

Strict Issuer Liability and Consumer Compensation

Section 9 of the Directions outlines clear responsibilities and legal accountability for Issuers. An Issuer is fundamentally required to ensure the robustness and integrity of any new authentication mechanism prior to its deployment. Crucially, Section 9(b) establishes a stringent standard of strict liability:

“If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur.”

This clause creates a powerful financial deterrent against non-compliance, ensuring institutions invest proactively in secure infrastructure, and reinforcing consumer protection.

Mandatory Adherence to Data Protection Law

Issuers are expressly directed to ensure adherence to the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023). This mandate is critical as new authentication methods, particularly those leveraging biometrics (something the user is), involve the processing of sensitive personal data. The utilization of advanced authentication methods triggers rigorous legal standards under the DPDP Act, demanding that any processing of personal data must be grounded in explicit, informed, and specific consent from the customer, known as the Data Principal.

Interoperability and Open Access

To foster systemic security improvements and prevent proprietary lock-in, the Directions mandate standards for interoperability and open access. System Providers and Participants must ensure that their authentication and tokenisation services are accessible to all applications and token requestors functioning within the specific operating environment (including device hardware and operating systems). This ensures that security advancements, such as tokenization, are standardized across the ecosystem.

Contextual Security: Risk-Based Mandates and Cross-Border Rules

Risk-Based Authentication and Strategic Notifications

The Directions encourage Issuers to adopt modern security management practices. Issuers are permitted to utilize a risk-based approach to identify transactions requiring enhanced scrutiny. This involves evaluating transactions against advanced behavioral and contextual parameters. 

Based on the calculated risk, Issuers may implement additional checks beyond the mandatory minimum two-factor authentication. The Directions also proactively suggest exploring the use of DigiLocker as a trusted platform for sending notifications and obtaining confirmations for high-risk transactions.

Strategic Exemptions

While establishing a stringent minimum 2FA requirement, the RBI has preserved specific exemptions for efficient operational use cases, as detailed in Annexure-1. These include small-value Contactless Card transactions; subsequent recurring transactions under the e-mandate framework; select Prepaid Instruments such as PPIs for Mass Transit Systems and Gift PPIs; NETC transactions; small value digital payments in offline mode; and travel bookings involving Global Distribution System or IATA through commercial or corporate cards.

Specific Cross-Border Regulations

While the core principles of the 2025 Directions are generally not applicable to cross-border digital payment transactions, the RBI has implemented specific instructions to ensure a similar level of safety for Indian cardholders undertaking online international transactions.

By October 01, 2026, card issuers must establish a mechanism to validate non-recurring, cross-border Card Not Present (CNP) transactions where the overseas merchant or acquirer initiates a request for authentication.

To operationalize this, card issuers are explicitly mandated to register their Bank Identification Numbers (BINs) with card networks. Furthermore, a dedicated risk-based mechanism for handling all cross-border CNP transactions must also be put in place by the same October 01, 2026, deadline.

Conclusion: Strategic Compliance Priorities

The Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, fundamentally redefines the security posture required for digital payments in India. Anchored in the Payment and Settlement Systems (PSS) Act, 2007, these Directions mandate a principle-based adherence to minimum 2FA, Dynamic Factor Authentication, and architectural Robustness. Strategic compliance before the April 01, 2026, deadline requires Payment System Participants to prioritize technical redesigns for Dynamic Factor Authentication, rigorous pre-deployment testing to mitigate strict liability exposure, and a concurrent “Privacy by Design” approach to meet the explicit compliance requirements of the Digital Personal Data Protection Act, 2023. These Directions ensure the establishment of a robust, future-proof security standard that encourages technological advancement while maintaining consumer trust.
