The Reserve Bank of India (RBI) on Wednesday issued a draft framework for alternative authentication mechanisms for digital payments. It mandates that all digital payment transactions be authenticated with an additional factor of authentication (AFA), except small-value contactless card payments of up to Rs 5,000 at point-of-sale terminals, e-mandates for recurring transactions, and small-value digital payments made in offline mode, among others.
Additionally, it has said that all digital payment transactions, other than card present transactions, have to ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment; is specific to the transaction; and cannot be reused.
Card present transactions are those carried out through the physical use of a card at the point of transaction.
Further, the first factor of authentication and the AFA would have to be from different categories, the RBI has stated.
AFA essentially means use of more than one factor for authentication of a payment instruction.
Currently, the digital payments ecosystem uses SMS-based OTP as AFA.
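As an added illustration, not part of the RBI draft or this article, the following Python sketch models the rules described above: the dynamic factor is generated only after payment initiation, is bound to the specific transaction, and is rejected on reuse, while the first factor and the AFA must come from different categories and small-value contactless POS payments up to Rs 5,000 are exempt. The factor categories, field names and the HMAC construction are assumptions for the example, not the RBI's specification.

```python
import hmac
import hashlib
import secrets

# Assumed factor categories; the draft text quoted here does not enumerate them.
CATEGORIES = {"pin": "knowledge", "password": "knowledge",
              "device_key": "possession", "txn_code": "possession",
              "fingerprint": "inherence"}


def afa_exempt(txn):
    """Exemption named in the draft: contactless card payment at POS up to Rs 5,000."""
    return txn["channel"] == "pos_contactless" and txn["amount"] <= 5000


def categories_differ(first_factor, afa):
    """First factor and AFA must belong to different categories."""
    return CATEGORIES[first_factor] != CATEGORIES[afa]


class DynamicFactorIssuer:
    """Issues a transaction-bound, single-use code (the 'dynamically created' factor)."""

    def __init__(self, key):
        self._key = key
        self._issued = {}  # txn id -> (nonce, already_used)

    def _digest(self, txn, nonce):
        # Bind the code to the transaction's id, amount and payee so it cannot
        # be replayed against a different transaction.
        msg = f"{txn['id']}|{txn['amount']}|{txn['payee']}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def issue(self, txn):
        # Generated only after the payment has been initiated (txn exists).
        nonce = secrets.token_hex(8)
        self._issued[txn["id"]] = (nonce, False)
        return self._digest(txn, nonce)

    def verify(self, txn, code):
        entry = self._issued.get(txn["id"])
        if entry is None:
            return False
        nonce, used = entry
        if used:
            return False  # cannot be reused
        if not hmac.compare_digest(self._digest(txn, nonce), code):
            return False  # code does not match this transaction's details
        self._issued[txn["id"]] = (nonce, True)
        return True
```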
Back in February, the RBI had stated that alternative authentication mechanisms have emerged in recent years with innovations in technology.
This has prompted the need to adopt a principle-based framework for authentication of digital payment transactions.
In the draft framework, the RBI has said that issuers - banks and non-banks - can adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and/or beneficiary, transaction value, channel of origination, etc.
Furthermore, the draft framework mandates the issuers to alert customers, in real time, for all eligible digital payment transactions.
Additionally, the framework states that issuers cannot enter into any exclusivity arrangement with a payment service provider or technology service provider that could limit their ability to deploy alternative authentication solutions.
Also, for transactions involving tokenised cards on various devices in line with RBI directions, the issuer has to ensure that the device environment supports tokenisation on a non-exclusive basis.
All Payment System Providers and Payment System Participants (banks and non-banks) shall ensure compliance with this framework within three months from the date of issue of these directions, the RBI said.