Your UPI and card payments are changing from April 1

Your UPI and card payments are changing from April 1

India's digital payments ecosystem is gearing up for a major security upgrade as the Reserve Bank of India (RBI) prepares to implement stricter authentication norms from April 1.

The move comes in response to the increasing volume of transactions and growing fraud risks.

The new guidelines will require two-factor authentication (2FA) for all digital transactions, making India's payment system more secure and in line with global standards.

New rules require dynamic 2FA elements

Under the new guidelines, all digital transactions will need 2FA with at least one dynamic element like a one-time password (OTP), biometric verification, or device-based authentication.

This is an improvement over the current OTP-only method which experts say can be easily exploited by phishing and SIM-swap attacks.

The RBI's approach is also less prescriptive, focusing on outcomes rather than specific technologies to allow banks and fintech firms flexibility in implementing these measures.

Experts say framework reduces fraud risk

Industry experts have hailed the RBI's new framework as a timely response to the rapid growth of digital payments and the accompanying rise in fraud risks.

Prakash Ravindran, CEO & director at InstiFi, said this layered authentication will help reduce fraud risks while creating a safer operating environment for merchants.

Amit Kumar, CTO & director at Easebuzz, echoed similar sentiments saying stronger authentication could enhance consumer trust despite adding slight friction to transaction flows.

Banks and payment providers held liable

A key feature of the new rules is increased issuer liability. Banks and payment providers will be held accountable for non-compliance, making strong authentication mandatory rather than optional.

Harsh Vardhan Masta, Head of Payments at Policybazaar, said this shift would force institutions to adopt stricter transaction processing standards while ensuring quicker compensation in fraud cases.

For small and medium businesses, these changes are expected to reduce risks related to disputes, financial losses, and reputational damage.

Firms to adopt risk based authentication

While stronger authentication improves safety, it can also add friction to the payment process.

To address this, companies are expected to adopt risk-based authentication where the level of verification depends on factors like transaction value, user behavior, and device details.

This way low-risk transactions may remain quick and seamless while high-risk ones undergo additional checks.

The RBI's new framework represents a shift from rigid rule-based compliance to principle-driven regulation promoting innovation while establishing a strong baseline for payment security.