RBI’s Draft Widens Choice Of Authentication Factors For PSOs, Users

Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions

FinTech BizNews Service

Mumbai, July 31, 2024: Over the years, the Reserve Bank of India has prioritised security of digital payments, in particular the requirement of Additional Factor of Authentication (AFA) for making payments. No specific factor was mandated for authentication, but the digital payments ecosystem has primarily adopted SMS-based OTP as AFA. While OTP is working satisfactorily, technological advancements have made available alternative authentication mechanisms.

Therefore, as announced in the Statement on Developmental and Regulatory Policies dated February 08, 2024, RBI has today released a draft “Framework on Alternative Authentication Mechanisms for Digital Payment Transactions” to enable the ecosystem to adopt alternative authentication mechanisms. This will widen the choice of authentication factors available to Payment System Operators and users.

Comments / feedback on the draft framework may be sent by email or by post to the Chief General Manager-in-Charge, Department of Payment and Settlement Systems, Reserve Bank of India, Central Office, 14th Floor, Shahid Bhagat Singh Marg, Mumbai-400001, on or before September 15, 2024.

All Payment System Providers and Payment System Participants (banks and non-banks) shall ensure compliance with this framework within three months from the date of issue of these directions. These directions are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems (PSS) Act, 2007 (Act 51 of 2007).

Framework on Alternative Authentication Mechanisms for Digital Payment Transactions - DRAFT

1. Applicability

The framework applies to all Payment System Providers and Payment System Participants, as defined in Payment and Settlement Systems (PSS) Act, 2007.

2. Definitions:

In this framework, unless the context otherwise requires, the terms herein shall bear the meanings assigned to them below —

a. Additional Factor of Authentication (AFA): Use of more than one factor for authentication of a payment instruction1.

b. Authentication: Process of validating and confirming the credentials of the customer who is originating the payment instruction.

c. Card Present transaction: A transaction that is carried out through the physical use of card at the point of transaction. It is also known as a face-to-face or proximity payment transaction.

d. Digital Payment Transaction shall have the same meaning as “Electronic Funds Transfer” as defined in the Payment and Settlement Systems Act, 2007.

e. Factor of Authentication: Any credential input by the customer which is verified for the purpose of confirming the originator of a payment instruction. The factors of authentication are broadly categorised as below:

1. Something the user knows (such as password, passphrase, PIN)
2. Something the user has (such as card hardware or software token)
3. Something the user is (such as fingerprint or any other form of biometrics)

f. Issuer: Bank / non-bank where the customer’s account (deposit account / credit line or PPI balance) is maintained. Issuers verify user credentials and provide confirmation of debit to the account on receipt of payment instruction.

g. Technology Service Provider (TSP): Provider of technology infrastructure adopted by the Issuer for implementing the authentication process. In addition to software-based solution providers, this will include device manufacturers and hardware solution providers who provide such technology.

h. Token Service Provider: An entity which tokenises the card credentials and de-tokenises them, whenever required. It includes card networks and card issuers.

3. Principles for authentication of Digital Payment Transactions:

The technology and process deployed for authenticating a payment instruction by the Payment System Provider / Payment System Participant(s)2 shall comply with the following principles:

a. Mandatory additional factor of authentication:

All digital payment transactions shall be authenticated with an additional factor(s) of authentication (AFA), unless exempted otherwise in this framework.

b. Dynamically created:

All digital payment transactions, other than card present transactions, shall ensure that one of the factors of authentication is dynamically created, i.e., the factor is generated after initiation of payment, is specific to the transaction and cannot be reused.

c. Robust:

The first factor of authentication and the AFA shall be from different categories, as defined in para 2(e) of this framework.

d. Risk based approach to authentication:

Issuers may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and / or beneficiary, transaction value, channel of origination, etc.

e. Transaction Alerts:

Issuers shall have a system of alerting the customer in near real time for all eligible3 digital payment transactions.

f. Customer consent:

Issuers shall obtain explicit consent before enabling any new4 factor of authentication for the customer. The customer shall also be provided a facility to deregister from using the new factor of authentication.

g. Responsibility of the issuer:

1. Issuer shall ensure the robustness and integrity of the process or technology of the authentication factor before deploying the same.
2. Issuer shall be liable for the process and technology deployed for authenticating a digital payment transaction.

h. Third-party arrangements:

1. Issuer shall not enter into any exclusivity arrangement with any Payment Service Provider / Technology Service Provider - which could limit its ability to deploy alternative authentication solutions.
2. For transactions involving tokenised cards on various devices in line with RBI directions on “Tokenisation – Card Transactions” dated January 8, 2019, as amended from time to time, Issuer / Token Service Provider shall ensure that the device environment supports tokenisation on a non-exclusive basis.

4. Exemptions from customer authentication:

The following are exempted from the AFA requirement:

a. Small value contactless card payments:

Small value card present transactions for values upto Rs5000/- per transaction in contactless mode at Point of Sale (PoS) terminals. (Reference: DPSS.CO.PD.No.2163/02.14.003/2014-2015 dated May 14, 2015 and DPSS.CO.PD No.752/02.14.003/2020-21 dated December 04, 2020)

b. E-mandates for recurring (other than the first) transactions:

Transactions in respect of: a) subscription to mutual funds; b) payment of insurance premium and c) credit card bill payments, for values upto Rs1,00,000, and in respect of all other categories, for values upto Rs15,000/-. (Reference: CO.DPSS.POLC.No.S-882/02.14.003/2023-24 dated December 12, 2023 and other related circulars issued by RBI on “Processing of e-mandates for recurring transactions”)

c. Utility through select Prepaid Instruments / NETC:

The following categories of instruments/systems:

1. Prepaid Instruments (PPIs) issued under PPI – Mass Transit Service and Gift PPIs. (Reference: CO.DPSS.POLC.No.S-479/02.14.006/2021-22 dated August 27, 2021).
2. Transactions in the National Electronic Toll Collection (NETC) System (Reference: DPSS.CO.PD No.1227/02.31.001/2019-20 dated December 30, 2019).

d. Small value digital payments in offline mode:

Offline payment transactions up to a value of Rs500/-. (Reference: CO.DPSS.POLC.No.S1264/02-14-003/2021-2022 dated January 03, 2022).