What happened?
The Reserve Bank of India issued new rules on Sept 25, 2025 requiring at least one dynamic authentication factor for all domestic digital payments (excluding card-present) and set an April 1, 2026 compliance deadline. The directions require transaction-unique credentials, tokenization interoperability, and extend stricter checks to cross-border card‑not‑present transactions with additional rules from October 1, 2026. Issuers must ensure systems comply with the Digital Personal Data Protection Act and will have to compensate customers for losses arising from non-compliance.
Who does this affect?
Banks, card issuers, non-bank payment providers, fintechs, wallet apps and merchants who process digital payments all need to upgrade authentication and tokenization systems. Consumers will face stronger and sometimes extra verification steps but get better protection and guaranteed compensation if banks fail to comply. Cross-border payment services, card networks and crypto-related payment rails are also impacted by the new card‑not‑present checks, BIN registration and anti‑fraud measures.
Why does this matter?
In the short term the rules raise compliance and tech costs and are likely to favor larger players that can absorb implementation work, possibly slowing some product rollouts. Over time, standardized dynamic authentication and mandatory compensation should cut fraud, boost consumer confidence and support growth in digital transactions and merchant acceptance. The crackdown also shifts fraud dynamics — reducing some illicit crypto and hawala flows — and will reshape competition across banks, fintechs and exchanges as regulators tighten oversight.