RBI’s Authentication Update: Why Cross-Border Payments Must Evolve

Written by
Toby Rush
Published on
November 26, 2025

TLDR

The Reserve Bank of India’s new “Authentication Mechanisms for Digital Payment Transactions Directions, 2025” require all digital payments in India to use two-factor authentication with at least one dynamic factor by April 1, 2026. For cross-border card-not-present (CNP) transactions where the card is issued in India and used overseas, issuers must implement a validation mechanism for non-recurring cross-border CNP flows by October 1, 2026. These rules affect issuers, payment gateways, merchants and acquirers connected to Indian cards in international flows. For product and growth teams this means device binding, passkeys, robust device-native credentials and risk-based checks are not optional add-ons but strategic enablers of higher approval rates, lower fraud and improved checkout conversion. Ideem’s Zero-Trust Secure Module (ZSM) and Passkeys+ help institutions transition seamlessly to device-bound passkeys and modern authentication without sacrificing user experience.

The regulatory shift and why it matters

The Reserve Bank of India issued its “Authentication Mechanisms for Digital Payment Transactions Directions, 2025” on September 25, 2025. Key mandates include:

  • All digital payment transactions must be authenticated with at least two distinct factors.

  • For non-card-present transactions, at least one factor must be dynamic — unique to each transaction.

  • For cross-border CNP transactions (card issued in India, overseas merchant or acquirer), issuers must implement a validation mechanism by October 1, 2026.

  • For domestic flows the effective date is April 1, 2026 unless otherwise specified.

Cross-border transactions typically carry higher risk and friction. For Indian-issued cards used internationally, the risk landscape includes foreign merchant chains, variable device environments, and inconsistent authentication experiences. With the new RBI directions, issuers and gateways must upgrade authentication infrastructure or risk regulatory non-compliance, fraud exposure and lost conversions.

Checkout friction, cart abandonment and conversion advantage

Checkout conversion is one of the most fragile points in a digital transaction. When authentication adds friction, abandonment rises — and this risk is amplified in cross-border CNP transactions.
Common drivers include:

  • increased fraud scrutiny by issuers or networks

  • higher decline rates due to mismatched device, location or currency

  • OTP failures when sent to foreign numbers

  • user hesitation at unfamiliar overseas merchant sites

Replacing legacy OTP-based authentication with device-bound credentials and passkeys solves many of these problems. Device binding ensures the “something you have” factor is secure and reusable. Passkeys add the “something you are” factor — biometric or cryptographic. Together, they create a dynamic factor that satisfies regulation and enhances experience.

Ideem’s ZSM and Passkeys+ combine deterministic device identity with app-level credential binding, allowing users to complete transactions smoothly without leaving the app. This approach not only meets regulatory standards but reduces friction and increases approval rates. Authentication readiness becomes a competitive differentiator rather than a compliance burden.

Authentication readiness: practical advice for regional and global flows

1. Map the flows and identify cross-border CNP exposure
  • Identify Indian-issued cards used with foreign acquirers or merchants.

  • Flag non-recurring transactions, which are directly covered under the RBI’s cross-border requirement.

  • Review device and location attributes — cross-border users often operate in environments with varied risk levels.

2. Upgrade the authentication stack for device binding and passkeys
  • Replace or augment SMS OTP with device-bound credentials and passkeys for dynamic, transaction-specific authentication.

  • Use deterministic device identifiers instead of probabilistic fingerprinting to securely bind devices. Ideem’s ZSM supports this approach, helping institutions transition seamlessly to a more reliable authentication model.

  • Embed native biometric or platform passkeys directly within the mobile or web application for a faster, trusted experience.

3. Implement risk-based authentication for cross-border flows
  • Use contextual parameters such as location, device attributes and behavioral patterns to determine risk.

  • Apply step-up authentication for high-risk scenarios like new devices or large-value overseas transactions.

  • Keep detailed records of authentication events to demonstrate regulatory compliance and support fraud analysis.

4. Design user experience to minimize drop-off
  • Integrate authentication directly into the app or checkout page, avoiding redirects or external OTP prompts.

  • Clearly communicate why the extra step exists, especially in foreign transactions, to build trust.

  • Offer fallback options for new or unregistered devices to avoid failed transactions while maintaining strong security.

  • Track and optimize metrics such as decline rate, authentication success and abandonment rate before and after implementing device-bound passkeys.

5. Prepare for registration and compliance
  • Register relevant Bank Identification Numbers (BINs) with card networks as required.

  • Ensure compliance with India’s Digital Personal Data Protection Act 2023 and related privacy laws.

  • Develop a clear rollout roadmap: domestic compliance by April 2026 and cross-border CNP compliance by October 2026.
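
Steps 1 and 3 above can be expressed as one decision function. This is an added example, not code from Ideem or the RBI. The field names, the LARGE_VALUE_INR threshold, the action labels and the sample transactions are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

LARGE_VALUE_INR = 50_000  # assumed threshold; the page does not give one

@dataclass(frozen=True)
class Txn:
    txn_id: str
    issuer_country: str    # ISO country code of the card issuer
    acquirer_country: str
    merchant_country: str
    card_present: bool
    recurring: bool
    amount_inr: int
    device_id: str

def in_cross_border_cnp_scope(t: Txn) -> bool:
    """Step 1: Indian-issued card, overseas merchant or acquirer, CNP, non-recurring."""
    overseas = t.acquirer_country != "IN" or t.merchant_country != "IN"
    return (t.issuer_country == "IN" and overseas
            and not t.card_present and not t.recurring)

def decide(t: Txn, bound_devices: set) -> dict:
    """Step 3: choose the authentication path and return the record to log."""
    in_scope = in_cross_border_cnp_scope(t)
    reasons = []
    if t.device_id not in bound_devices:
        reasons.append("new_device")
    if in_scope and t.amount_inr >= LARGE_VALUE_INR:
        reasons.append("large_value_overseas")
    return {
        "txn_id": t.txn_id,
        "cross_border_cnp_in_scope": in_scope,
        "action": "step_up" if reasons else "device_bound_passkey",
        "reasons": reasons,
    }

# Constructed sample data (not real transactions or devices).
BOUND = {"dev-a1"}
SAMPLES = [
    Txn("t1", "IN", "SG", "SG", False, False, 4_200, "dev-a1"),   # routine overseas CNP
    Txn("t2", "IN", "US", "US", False, False, 90_000, "dev-a1"),  # large-value overseas
    Txn("t3", "IN", "US", "US", False, True, 90_000, "dev-a1"),   # recurring: not flagged
    Txn("t4", "IN", "IN", "GB", False, False, 1_500, "dev-zz"),   # unbound device
]

def audit_log(txns=SAMPLES, bound=BOUND):
    """One JSON line per decision, kept as the authentication event record."""
    return [json.dumps(decide(t, bound), sort_keys=True) for t in txns]
```

Transaction t3 shows why the recurring flag has to be mapped first: the same card, merchant and amount as t2 falls outside the non-recurring cross-border check and is not stepped up on value alone.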

Looking ahead: authentication readiness as a competitive edge

India’s growing role in regional and global payments — from travel and remittances to e-commerce and BNPL — depends on trusted, frictionless authentication. The RBI’s deadlines for dynamic, two-factor validation are not just about meeting a rule. They are about preparing infrastructure for a cross-border economy that demands both compliance and conversion efficiency.

Institutions that adopt device-bound passkeys and deterministic identity early will not only comply but lead. Payment providers can market stronger trust credentials to merchants and improve global acceptance. Merchants gain higher checkout success and fewer disputes. Consumers experience smoother, safer payments.

Ideem’s ZSM and Passkeys+ give financial institutions a path to readiness and advantage — combining zero-trust architecture with seamless user experience. Those who act now will be positioned ahead of competitors once the October 2026 deadline arrives.

Conclusion

The RBI’s authentication directions redefine what secure and convenient payments look like. For issuers, gateways and merchants, cross-border transactions will soon require more than compliance checkboxes — they will require infrastructure capable of strong, dynamic and user-friendly authentication. Device-bound passkeys and robust device binding are at the center of this transformation. Ideem’s Zero-Trust Secure Module and Passkeys+ provide the tools to meet regulatory expectations and unlock higher conversion in the same step.

Sources

  1. Reserve Bank of India – Authentication Mechanisms for Digital Payment Transactions Directions 2025
    https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12898

  2. The Economic Times – RBI issues directions for digital payment transaction authentication mechanism
    https://economictimes.indiatimes.com/wealth/save/rbi-issues-directions-for-digital-payment-transaction-authentication-mechanism/articleshow/124115819.cms

  3. Hindustan Times – RBI to implement new payment authentication rules beyond SMS OTP from April 2026
    https://www.hindustantimes.com/business/rbi-to-implement-new-payment-authentication-rules-beyond-sms-otp-from-april-2026-know-full-details-101758861127882.html

  4. AffairsCloud – RBI issues Digital Payment Authentication Directions from April 1 2026
    https://affairscloud.com/rbi-issues-digital-payment-authentication-directions-from-april-1-2026/

  5. TaxGuru – RBI issues rules on Digital Payment Authentication
    https://taxguru.in/rbi/rbi-issues-rules-digital-payment-authentication.html

  6. LexFavios – RBI sets new digital payment authentication norms for 2026
    https://lexfavios.com/info/assets/uploads/updates/RBI_Sets_New_Digital_Payment_Authentication_Norms_for_2026.pdf
