RBI Mandated Additional Factor Authentication for All Card Payments


The Reserve Bank of India (RBI) has proposed a new framework mandating additional factor authentication (AFA) for all digital payment transactions, with some exceptions. This move aims to enhance the security of digital payments while allowing for alternative authentication methods beyond the commonly used SMS-based one-time passwords (OTPs).

The draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions” outlines broad principles for payment system providers and participants to follow when implementing various forms of authentication. The RBI emphasizes that while OTPs have been working satisfactorily, technological advancements have made alternative authentication mechanisms available.


Under the proposed framework, all digital payment transactions, except card-present transactions, must ensure that at least one of the authentication factors is dynamically generated after the payment is initiated, bound to that specific transaction, and cannot be reused. A static password or a code that could be replayed against a different amount or payee would not satisfy this requirement.


The RBI categorizes authentication factors into three broad categories: something the user knows (e.g., password, PIN), something the user has (e.g., card, software token), and something the user is (e.g., fingerprint, biometrics).

The framework allows issuers to adopt a risk-based approach in deciding the appropriate AFA, considering factors such as customer risk profile, transaction value, and channel of origin.

However, certain transactions will be exempt from customer authentication, including small-value contactless card payments up to ₹5,000 at point-of-sale terminals, e-mandates for recurring transactions like mutual fund subscriptions and insurance premium payments, and offline payment transactions up to ₹500.

The RBI has set a deadline of September 15, 2024, for stakeholders to provide comments and feedback on the draft framework. Once finalized, all payment system providers and participants will have three months to ensure compliance with the new guidelines.

This initiative is part of the RBI’s ongoing efforts to strengthen the security of digital payments in India, as the country continues to see a rise in both digital transactions and associated fraud.
