Overview

• Most provisions take effect on April 1, 2026, with specified cross‑border requirements slated for October 1, 2026.
• Every digital payment must use at least two distinct authentication factors, with one factor dynamically tied to the specific transaction.
• Issuers and providers may layer additional risk‑based checks using behavioral, device, location, and other contextual signals for higher‑risk activity.
• Card issuers must validate an additional factor for non‑recurring cross‑border card‑not‑present transactions when requested by overseas merchants or acquirers by October 1, 2026.
• SMS OTP remains an allowed factor as the framework encourages adoption of biometrics, software tokens, and interoperable technologies.