Overview
- All domestic digital payments must use two distinct factors with at least one dynamic, transaction‑unique factor starting April 1, 2026.
- Issuers may apply additional risk‑based checks using contextual signals, with DigiLocker suggested for confirming high‑risk transactions.
- SMS-based OTP remains permitted as an authentication factor, though the framework encourages broader, interoperable methods such as biometrics and tokens.
- For non‑recurring cross‑border card‑not‑present payments, card issuers must validate an additional factor upon request by overseas merchants or acquirers by October 1, 2026.
- All payment system providers must comply by the deadlines, and issuers must fully compensate customers for losses stemming from non‑compliant transactions.