The Reserve Bank of India (RBI) has issued a draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions” to strengthen the security of digital payments. The framework continues to require an Additional Factor of Authentication (AFA) for payments. Although no particular authentication factor has been mandated so far, the digital payments ecosystem has largely adopted SMS-based One-Time Passwords (OTP) as the AFA. OTPs have served their purpose, but newer technologies now offer other ways to authenticate a payment, and the draft is intended to open the door to them.
The draft outlines three main categories of authentication factors:
- Something the user knows: like a password, passphrase, or PIN.
- Something the user has: such as a card, hardware, or software token.
- Something the user is: like a fingerprint or other biometrics.
All digital payment transactions will require an AFA unless the framework specifically exempts them. Issuers, both banks and non-banks, are expected to take a risk-based approach when deciding which AFA is appropriate for a given transaction, taking into account factors such as the transaction value, the channel through which it originates, and the customer's risk profile. Issuers must also have a mechanism in place to alert customers about transactions in near real time.
Some categories of transactions are exempt from the AFA requirement:
- Small value contactless card payments: Transactions of up to Rs 5000/- per transaction at Point of Sale (PoS) terminals.
- E-mandates for recurring transactions: For subscriptions to mutual funds, insurance premium payments, and credit card bill payments up to Rs 1,00,000, and for other categories up to Rs 15,000/-.
- Utility payments through select Prepaid Instruments / NETC: This includes Prepaid Instruments issued under PPI – Mass Transit Service and Gift PPIs, and transactions in the National Electronic Toll Collection (NETC) System.
- Small value digital payments in offline mode: Offline payment transactions up to Rs 500/-.
The proposed rules aim to keep digital payments secure while allowing issuers to take advantage of newer, more robust authentication methods.