The Reserve Bank of India (RBI) has released a draft framework aimed at bolstering the security of digital payments across the country. The proposed guidelines mandate an additional factor of authentication (AFA) for all digital payment transactions, with certain exceptions. This move is part of the RBI’s ongoing efforts to enhance the security and integrity of digital financial transactions as technology evolves.
Under the new draft framework, all digital payment transactions must include an AFA, with three exceptions: small value contactless card payments up to Rs 5,000 at point-of-sale (POS) terminals, e-mandates for recurring transactions, and small value digital payments through offline mode. Notably, for all non-card present transactions, one of the authentication factors must be dynamically created: it is generated after payment initiation, is specific to the transaction, and cannot be reused. Card present transactions, which involve physical card usage, are excluded from this requirement.
The RBI’s draft framework stipulates that the two factors of authentication required must belong to different categories. This is part of the central bank’s broader strategy to implement more secure and varied methods of verifying payment instructions, moving beyond the commonly used SMS-based One-Time Password (OTP) system.
This initiative follows the RBI’s February announcement, which highlighted the emergence of alternative authentication mechanisms due to technological innovations. The draft framework proposes a principle-based approach to authentication, allowing issuers—both banks and non-banks—to adopt a risk-based methodology in choosing the appropriate AFA. This decision can be influenced by factors such as the customer’s risk profile, the value of the transaction, and the channel through which it originates.
The draft also emphasizes that issuers must provide real-time alerts to customers for all eligible digital payment transactions. Furthermore, issuers are prohibited from entering into exclusivity agreements with payment or technology service providers, ensuring a broader and more inclusive adoption of alternative authentication solutions.
For transactions involving tokenized cards on various devices, issuers are required to ensure that the device environment supports tokenization on a non-exclusive basis, thereby promoting interoperability and consumer choice.
The RBI’s draft framework aims to set a higher standard for digital payment security in India, aligning with global best practices. The central bank has invited feedback from stakeholders on the draft guidelines, which are expected to play a crucial role in shaping the future landscape of digital payments in India.




























