The Reserve Bank of India said the new framework, effective April 1, 2026, allows issuers to adopt additional risk-based checks beyond the mandatory two-factor authentication, depending on a transaction’s fraud risk.

The directions promote the use of emerging technologies for authentication without phasing out SMS-based one-time passwords.

They also mandate that card issuers validate additional authentication for non-recurring, cross-border, card-not-present transactions when requested by overseas merchants or acquirers.

The RBI, which released draft guidelines in July 2024 and February 2025, said public feedback has been incorporated into the final version.