RBI: Two-factor verification mandatory for all digital payments from April 2026, full compensation for fraud

The Reserve Bank of India (RBI) has taken a major step towards further strengthening the security of digital payments in the country. The bank has issued new guidelines on digital payments, under which two-factor authentication (two-step verification) will be mandatory for all digital transactions from April 1, 2026.

What is the new rule?

According to the new rule, a user will be required to go through two security steps to complete any digital transaction. The factors that may be used include passwords, PINs, SMS-based one-time passwords (OTPs), card hardware, software tokens, and biometric methods such as fingerprints. The RBI has also added an important condition: one of these two factors must be “dynamic,” meaning it is valid only for that specific transaction, such as an OTP.

Major relief for customers: Full compensation for fraud

The RBI has made a significant decision to protect customer interests. The new guidelines clarify that if a customer is defrauded due to negligence on the part of a bank or payment service provider, it will be the bank’s or that company’s responsibility to provide full compensation to the customer. This will significantly protect customers.

Systems will be more secure

The RBI has also outlined other measures to further secure the payment process. These include additional security checks based on customer behavior, the device being used, or the location. Emphasis has been placed on making services like authentication and tokenization interoperable and openly accessible, so that they function consistently across all apps and platforms.

Which transactions will not be subject to the new rules?

While the new rules will apply to most digital payments, the RBI has also provided exemptions for certain specific cases. These include:

Small-value contactless card payments.

Payments made under e-mandate (auto-debit) (although the first payment will be covered).

Gift cards and other prepaid payment instruments.

Payments at National Electronic Toll Collection (NETC) toll plazas.

Small-value offline digital payments.

Travel bookings made with corporate or commercial cards through GDS/IATA.

The rule will also apply to international transactions.

The RBI has also announced that from October 1, 2026, card issuers will be required to implement two-factor authentication for select international online transactions, ensuring security for payments made on foreign websites.
