RBI issues the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025
The Reserve Bank of India (“RBI”) has recently issued the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025 vide notification dated September 25, 2025 (RBI Directions), in order to enable the payments ecosystem to leverage the technological advancements for implementing alternative authentication mechanisms. While the RBI Directions are applicable only to domestic transactions, in order to provide a similar level of safety for online international transactions undertaken using cards issued in India, the directions also incorporate necessary instructions for specific cross-border card transactions, in line with the RBI Statement on Developmental and Regulatory Policies dated February 07, 2025.
The key aspects under the RBI Directions include, inter alia, the following:
- Key Definitions: The key definitions include, inter alia, the following:
- Authentication: Process of validating and confirming the credentials of the customer who is originating the payment instruction.
- Factor of Authentication: Credential of the customer which is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).
- Principles for authentication of Digital Payment Transactions
All digital payment transactions shall be authenticated by at least two distinct factors of authentication as defined in paragraph-5(f) of the RBI Directions, unless exempted. It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction. Further, the factor of authentication shall be such that compromise of one factor does not affect reliability of the other.
- Responsibility of the Issuer
The issuer shall ensure the following:
- Ensure the robustness and integrity of the authentication mechanism before deployment.
- If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur.
- Issuers shall ensure adherence to the provisions of Digital Personal Data Protection Act, 2023.
For more details, kindly refer to the Directions published by the RBI, made available by clicking on this link.
Published On:
- October 24, 2025
Contributors:
- Vaibhav Kakkar
- Snigdhaneel Satpathy
- Sahil Arora
- Keshav Pareek
- Ishaan Gupta
- Revati Sohoni