
RBI's New Authentication Rules for Digital Payments

Live · in force. No withdrawal recorded as of 19 Jun 2026. Reviewed by Vikram Jain; always verify against the official RBI source below.

Quick answer: RBI has issued new directions for digital payment authentication, effective April 1, 2026. The rules mandate two-factor authentication but allow alternative mechanisms beyond SMS OTP. They apply to all domestic digital transactions and include specific provisions for cross-border card transactions.

What changed

RBI has replaced the existing SMS OTP-centric authentication framework with a principles-based approach, allowing alternative authentication mechanisms like biometrics or software tokens. The new directions, issued under the PSS Act, 2007, also introduce specific rules for cross-border card-not-present transactions. Compliance is mandatory by April 1, 2026.

What it means for you

Banks and payment system participants can now adopt diverse authentication methods beyond SMS OTP, potentially improving user experience and security. The risk-based approach allows issuers to tailor authentication based on transaction risk. For cross-border card-not-present (CNP) transactions, similar safety standards apply, which may reduce fraud but require system upgrades.

What you must do

Who it affects

All banks issuing payment instruments; non-bank payment system providers and participants; card issuers and acquirers handling cross-border transactions; digital payment ecosystem participants.

What is the effective date for these new authentication directions?

All payment system providers and participants must comply by April 1, 2026, unless a specific provision states otherwise.

Do these directions apply to cross-border transactions?

Yes, for online international card transactions where the card is issued in India and the merchant is acquired overseas, specific instructions are included to ensure similar safety levels.

Can we still use SMS OTP for authentication?

Yes, SMS OTP remains a valid factor, but the directions encourage adoption of alternative mechanisms like biometrics or software tokens, as long as two-factor authentication is maintained.

Official source: RBI/2025-26/79 on rbi.org.in ↗
AI-drafted · 3-model AI consensus fact-check · under the editorial review of Vikram Jain · published · 19 Jun 2026, 04:10 IST