The newest RBI directions are relevant to cost system suppliers, cost system individuals (banks and non-banks), and all home digital cost transactions. | Picture Credit score: Getty Pictures/Istockphoto
The Reserve Financial institution of India (RBI) has mandated the introduction of further risk-based checks past minimal two-factor authentication by leveraging technological advances to make digital cost transactions much more safe.
RBI issued directions on Thursday (twenty fifth September 2025) of the Reserve Financial institution of India (certification mechanism for digital cost transactions). It would come into impact from April 1, 2025.
These directions apply to all cost system suppliers, cost system individuals (banks and non-banks), and all home digital cost transactions.
Following directions, issuers ought to undertake further risk-based checks primarily based on their fraud threat perceptions of the underlying transaction.
They’re being requested to advertise interoperability and open entry to know-how.
This instruction requires the cardboard issuer to confirm further components (AFAs) of non-existent non-repeated cross-border card (CNP) transactions every time such request is raised by an abroad service provider or acquirer.
At the moment, all digital cost transactions in India are mandatory to satisfy the requirements of two components of authentication. Whereas no particular components are required for authentication, the digital funds ecosystem primarily employs SMS-based one-time passwords (OTPs) as an extra issue.
The directions present broad ideas that each one individuals within the cost chain adhere to, utilizing the type of authentication.
These directions apply solely to home transactions to offer an identical stage of safety for on-line worldwide transactions made utilizing playing cards issued in India, but in addition incorporate directions mandatory for card transactions throughout sure borders.
“For digital cost transactions aside from the cardboard present transaction, we assure that a minimum of one of many authentications is dynamically created or confirmed. That’s, proof of possession of the issue despatched as a part of the transaction is assured to be distinctive to that transaction,” RBI mentioned.
The components for authentication are such {that a} compromise on one issue doesn’t have an effect on the reliability of one other issue.
“System suppliers and system individuals should present authentication or tokenization providers which can be accessible to all functions/token requesters that work within the working surroundings of all use circumstances/channels or token storage mechanisms.”
In step with the interior threat administration coverage, Publishers can establish transactions for analysis of habits/context parameters similar to transaction location, consumer habits patterns, gadget attributes, and historic transaction profiles.
Further checks could be relied on above minimal two-factor authentication primarily based on the perceptual threat related to the transaction. Issuers might additionally think about using Digilocker as a platform for notification and affirmation of high-risk transactions, regulators mentioned.
“The Writer shall make sure the robustness and integrity of the authentication mechanism previous to deployment.”
“If losses come up from transactions made with out complying with these directions, the issuer shall indemnify the shopper for full injury to the loss,” he mentioned.
The Writer ensures that it complies with the provisions of the 2023 Digital Private Information Safety Act.
RBI issued a draft instruction on the choice authentication mechanism for digital cost transactions on July 31, 2024, and a draft instruction on February 7, 2025 concerning the implementation of AFA in cross-border CNP transactions for stakeholder feedback.
These directions have been issued after incorporating public suggestions.
