Overview
- India’s new authentication framework, which began Wednesday, requires two independent checks for every domestic digital payment with at least one dynamic element, so a one-time password alone no longer clears a transaction.
- Providers will use risk-based checks that keep small, routine payments on trusted devices quick while large or unusual transactions from new devices trigger extra verification such as biometrics or in‑app confirmation.
- UPI operations now face NPCI guardrails with daily caps on balance inquiries and account linking plus spaced-out status checks for pending payments, and recurring auto-debits moving to off-peak hours.
- PAN compliance has tightened as applications now need additional proof of birth and new credit cards require a PAN, while UPI cash withdrawals at ATMs now count toward monthly free limits with a Rs 23 fee after the cap.
- Similar two-factor rules will cover international card-not-present payments by October 1, 2026, extending stronger protections to cross-border online purchases.