The Reserve Bank of India (“RBI”) in exercise of powers conferred under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007, vide Circular No. RBI/2025-26/79,[1] dated September 25, 2025, has issued the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, outlining the permitted authentication mechanisms for domestic digital payment transactions (“Directions”). The Directions shall come into effect from April 01, 2026.
While the two-factor authentication (2FA) requirement continues, through these Directions, RBI now permits technology-neutral alternatives to OTP-based methods, allowing banks and payment system participants (PSPs) to adopt innovative, secure authentication models beyond traditional SMS OTPs.
These Directions shall apply to all payment system providers and participants, including banks and non-bank entities, and are aimed at enhancing security, user experience, and adaptability to technological advances. Specific provisions also cover cross-border card transactions, ensuring consistent security standards for Indian cardholders transacting internationally.
[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898&Mode=0