India Mandates Stricter Digital Payment Security

The Reserve Bank of India has issued new guidelines for digital payments, effective April 1, to combat a rise in cyberfraud. The new rules mandate dynamic two-factor authentication and promote the use of biometrics over traditional one-time passwords (OTPs). This regulatory move follows data showing cyberfraud accounted for 46.5% of all cybercrimes in 2023.

- This mandate is an evolution of the Reserve Bank of India's (RBI) earlier card-on-file (CoF) tokenization policy, which took full effect on October 1, 2022, and prohibited merchants from storing customer card details. Since December 2021, Mastercard, in partnership with banks and payment aggregators, has created over 90 million tokens, demonstrating industry-wide shifts in data security practices.
- The new rules are part of the RBI's broader "Payments Vision 2025," a strategic plan focused on the principles of Integrity, Inclusion, Innovation, Institutionalisation, and Internationalisation. The vision aims to achieve a threefold increase in the volume of digital payments.
- A key feature of the new framework is the move toward risk-based authentication, allowing payment providers to use contextual data like device reputation, IP geolocation, and transaction history to determine the required level of verification. This shifts the industry away from a uniform, one-size-fits-all security approach.
- The regulations explicitly encourage the use of alternatives to SMS-based OTPs, which are vulnerable to SIM swapping and phishing attacks. Approved authentication factors include hardware/software tokens, PINs, and various forms of biometrics.
- While the number of card and internet fraud cases reported by banks (for amounts of ₹1 lakh or more) declined from 29,082 in FY24 to 13,516 in FY25, the total amount involved in banking fraud surged by over 200% in the same period, driven by high-value loan fraud.
- To further combat fraud, the RBI is implementing a "Mule Hunter" system, now functional in 26 banks, which uses 19 different parameters to track post-transaction activity and identify fraudulent accounts.
- Alongside the new security rules, the RBI is also introducing a framework to compensate victims of small-value fraudulent transactions for up to ₹25,000. This is a one-time benefit designed to provide relief to a large number of consumers, as 65% of fraud cases involve sums under ₹50,000.
- All payment system providers and participants, including banks and non-bank entities, must ensure full compliance with the new authentication directions by the April 1, 2026 deadline.
