
In a move to bolster the security of digital transactions, the Reserve Bank of India (RBI) has proposed new guidelines requiring additional authentication factors for digital payments. The draft guidelines, announced Wednesday, mandate that all digital payment transactions, excluding specific exemptions, must incorporate a dynamically created factor of authentication.

“All digital payment transactions shall be authenticated with an additional factor(s) of authentication (AFA), unless exempted otherwise in this framework,” said the RBI.

The RBI’s guidelines stipulate that, in addition to the current SMS-based one-time password (OTP), a dynamic authentication factor must be used. This factor, generated during the transaction and unique to each payment, is time-sensitive and cannot be reused. The central bank aims to reduce fraud by ensuring that authentication factors are only known to the genuine user.

These measures will enhance security and prevent fraud, addressing issues where customers have been deceived into sharing OTPs, experts said.

The new framework

The new framework will be applicable to all digital transactions except for card-present transactions, small value contactless payments up to Rs 5,000, e-mandates for recurring payments, and small value offline digital transactions. Payment system providers and participants, including banks and non-banks, will be required to comply with these guidelines within three months of their issuance.

Under the proposed guidelines, all digital payment transactions—except for card-present transactions—must include a dynamically created authentication factor. This factor, generated at the time of payment and specific to each transaction, cannot be reused. The framework specifies that authentication factors may include:

Something the user knows (e.g., password, passphrase, PIN),

Something the user has (e.g., card hardware or software token),

Something the user is (e.g., fingerprint or other biometric data).
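To make concrete what a factor that is "generated at the time of payment, specific to each transaction, time-sensitive and cannot be reused" looks like, here is an added illustration in Python. It is not code from the RBI draft, from the article, or from any payment provider; the signing key, the 120-second validity window, the 6-digit code format and the transaction fields (account, amount, payee) are assumptions chosen for the demonstration. The point it shows is why such a factor resists the OTP-sharing fraud the article mentions: the code is an HMAC over the transaction details, so a code tricked out of a customer for one payment fails verification for any other amount or payee, expires after the window, and is rejected a second time even for the same payment.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed validity window; the draft framework does not fix a number.
CODE_TTL_SECONDS = 120


@dataclass(frozen=True)
class Challenge:
    """What the issuer keeps for a pending payment: the one-off nonce, the
    issue time, and the code that was shown to the customer."""
    nonce: str
    issued_at: int
    code: str


def _transaction_binding(account: str, amount_paise: int, payee: str,
                         issued_at: int, nonce: str) -> bytes:
    # The code is derived from the transaction itself, so a code captured for
    # one payment does not verify for a different amount or payee.
    return f"{account}|{amount_paise}|{payee}|{issued_at}|{nonce}".encode()


class DynamicFactorIssuer:
    """Hypothetical issuer-side component: generates and verifies a
    transaction-bound, time-limited, single-use authentication code."""

    def __init__(self, key: bytes):
        self._key = key
        # Nonces already redeemed; enforces single use (replay rejection).
        self._redeemed = set()

    def issue(self, account: str, amount_paise: int, payee: str,
              now=None, nonce=None) -> Challenge:
        issued_at = int(time.time() if now is None else now)
        nonce = nonce or secrets.token_hex(8)
        digest = hmac.new(
            self._key,
            _transaction_binding(account, amount_paise, payee, issued_at, nonce),
            hashlib.sha256,
        ).digest()
        # Truncate to a 6-digit code the customer can read back.
        code = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
        return Challenge(nonce, issued_at, code)

    def verify(self, account: str, amount_paise: int, payee: str,
               challenge: Challenge, presented_code: str, now=None) -> str:
        """Return 'ok', 'expired', 'replayed' or 'mismatch' for the presented code."""
        now = int(time.time() if now is None else now)
        # Time-sensitive: outside the window the code is worthless.
        if now < challenge.issued_at or now - challenge.issued_at > CODE_TTL_SECONDS:
            return "expired"
        # Single use: a nonce that already authorised a payment cannot be spent again.
        if challenge.nonce in self._redeemed:
            return "replayed"
        # Recompute over the transaction the issuer is actually being asked to
        # approve; any tampering with amount or payee changes the expected code.
        expected = self.issue(account, amount_paise, payee,
                              now=challenge.issued_at, nonce=challenge.nonce).code
        if not hmac.compare_digest(expected, presented_code):
            return "mismatch"
        self._redeemed.add(challenge.nonce)
        return "ok"


if __name__ == "__main__":
    # Constructed sample: Rs 2,500.00 (in paise) to a merchant, key is a demo value.
    issuer = DynamicFactorIssuer(b"constructed-demo-key-not-for-production")
    ch = issuer.issue("ACC-1", 250_000, "MERCHANT-42")
    print("customer sees code:", ch.code)
    print("same transaction:", issuer.verify("ACC-1", 250_000, "MERCHANT-42", ch, ch.code))
    print("replayed:", issuer.verify("ACC-1", 250_000, "MERCHANT-42", ch, ch.code))
```

In a real deployment the challenge record would live server-side (keyed by transaction id) and the key in an HSM; the structure that matters here is that verification recomputes the code over the transaction being authorised rather than trusting a code in isolation.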

The RBI allows issuers to adopt a risk-based approach to determine the appropriate authentication factor, considering factors such as customer risk profile, transaction value, and origination channel. Issuers must also obtain explicit customer consent before implementing any new authentication methods and provide a means for customers to deregister from these methods if desired.

Certain transactions will be exempt from the additional factor of authentication requirement, including:

Small value card-present transactions up to Rs 5,000 at Point of Sale (PoS) terminals,

Transactions related to mutual fund subscriptions, insurance premiums, and credit card bill payments, up to Rs 1 lakh, and other categories up to Rs 15,000,

Utility payments through select Prepaid Instruments/NETC,

Small value digital payments up to Rs 5,000 in offline mode.

Additionally, the RBI has mandated that issuers alert customers in near real time about eligible digital payment transactions, further safeguarding against unauthorised access.

Published On Aug 2, 2024 at 08:00 AM IST
