Outlook Business Desk
From April 1, 2026, all digital payments in India will require two-factor authentication, with customers able to use passwords, PINs, OTPs, tokens or biometrics, as per RBI guidelines to strengthen and unify security across all payment systems.
Every digital transaction requires at least two authentication factors. One factor must be dynamic, unique for each payment. Issuers are liable for fraud caused by non-compliance, and cross-border transactions require authentication by October 1, 2026.
With digital payments surging due to UPI, wallets and fintechs, fraud and phishing incidents have increased. RBI now shifts focus from reactive fraud handling to proactive prevention, ensuring safer payment systems for consumers.
RBI moves beyond OTP dependence, recognising passwords, biometrics, device verification and tokens. This technology-neutral approach allows banks and fintechs flexibility while ensuring security outcomes, promoting innovation without waiting for approvals.
At least one authentication factor must be dynamically generated per transaction, like OTP plus PIN or biometric verification. This prevents reuse of compromised credentials, adding a real-time security layer to reduce fraud significantly.
Banks or fintechs are required to compensate customers for fraud caused by non-compliance. This places security responsibility on institutions, encouraging them to strengthen systems, monitor transactions and ensure compliance across all digital payment channels.
RBI allows risk-based authentication, with low-value trusted-device transactions needing minimal checks and high-value or unusual payments triggering extra verification. This balances security with user experience and protects customers without added friction.
From 1 October 2026, international card transactions will require authentication. This move closes cross-border security gaps, reduces fraud risk, and aligns India with global payment standards for consistent security practices.
Banks must implement two-factor authentication (2FA) while keeping the process fast and seamless. By using biometrics, passkeys and device binding, institutions can build trust, reduce fraud and ensure a convenient customer experience.