Overview
- All domestic digital payments must use at least two distinct authentication factors, with at least one factor dynamic and unique to each transaction.
- Issuers may apply additional risk-based layers using behavioral patterns, location, and other contextual signals to decide when extra checks are needed.
- Card issuers are required to validate an additional factor for non-recurring cross-border card-not-present transactions when requested by overseas merchants or acquirers.
- SMS one-time passwords remain permitted as an authentication factor, while the framework encourages interoperable, next-generation technologies.
- Issuers are liable to compensate customers for losses stemming from non-compliance, and the directions align with the Digital Personal Data Protection Act, 2023.