Digital payments security: RBI mandates two-factor authentication; new norms kick in from April 2026
At present, most digital payments rely on SMS-based One Time Passwords (OTPs) as the second layer of authentication.
Under the new rules, all transactions will require at least two distinct factors of authentication, with one being dynamic — unique to each transaction — to prevent fraud and unauthorised access.
The directions apply to all domestic digital payments, while card-not-present cross-border transactions will come under an additional layer of security.
For such international transactions, card issuers must implement mechanisms by October 1, 2026, to validate payments where the card is not physically present, providing added protection for Indian consumers shopping globally.
The RBI framework emphasises robustness, interoperability and a risk-based approach.
Issuers have been encouraged to evaluate transactions using behavioural data, location and other contextual markers to decide if additional authentication is needed.
The flexible, layered model, the central bank said, seeks to balance user convenience with stronger safeguards.
Importantly, issuers will bear full responsibility for compensating customers in cases where non-compliance leads to financial losses.
The directions are also aligned with the Digital Personal Data Protection Act, 2023, reinforcing data privacy as an integral part of payment security.
By mandating these new measures, the RBI said India’s digital payments ecosystem is being guided towards a safer, more resilient future, building trust and confidence among millions of users across the country.