Story Content

The Indian digital payments environment will have an enormous upgrade in security as early as April 1, 2026, under the signature of the directors of the RBI of the Authentication Mechanisms of Digital Payment Transactions issued in September 2025. The main difference: the two-factor authentication (2FA) should be applied to all the digital acts in the country, and one of the factors should be dynamic and individual to each transaction (that is, just simple and static passwords or simple OTPs will not meet the criteria). Although SMS-based OTPs will still be permitted, they will not take the first place; banks and payment services will need to focus on the more sophisticated features, such as biometrics, device binding, codes generated in the application, or behavioral classification. To mitigate fraud, issuers can provide risk-based verification (e.g., checking location, device, or transactional patterns, etc.) to high-risk payments and provide an additional layer of checks without interrupting customer experience. This is applicable to banks, non-banking institutions, issuers of cards, and participants of the payment system. There are stiffer regulations that apply to cross-border card-not-present transactions, which come into effect in October 2026. The goal? Better security against unauthorized use coupled with the promotion of innovative secure authentication. Users will experience less humpy, risk-free UPI, card, or wallet performances after the date.