From April 1, 2026, digital payments in India will become more secure under new rules introduced by the Reserve Bank of India, which mandate two-factor authentication (2FA) for all online transactions.
Under the revised system, OTP alone will no longer be sufficient. Users will have to complete at least two layers of verification—such as a PIN, password, biometric authentication or token—along with OTP while making payments through UPI, debit and credit cards, and mobile wallets.
The move comes amid rising cases of online fraud, including phishing and SIM swap scams, where OTP-based systems have proven vulnerable.
By adding an extra layer of security, the RBI aims to reduce unauthorised transactions and strengthen trust in digital payments.
For users, transactions may take slightly longer, especially on new devices or for high-value payments. However, payments on trusted devices are expected to remain relatively smooth. The system will also follow a risk-based approach, with security checks varying depending on the nature of the transaction.
The new norms also increase accountability for banks and payment platforms. In case of fraud due to system failures, financial institutions may be required to compensate customers, ensuring faster grievance redressal.
The RBI has indicated that similar rules will extend to international transactions, including cross-border card payments, with full implementation expected by October 2026.
