Page 60 - Banking Finance October 2025

RBI CIRCULAR

transaction favouring a merchant acquired by an overseas acquirer. For such transactions, outflow of foreign exchange is envisaged.

e. Digital Payment Transaction shall have the same meaning as “Electronic Funds Transfer” as defined in the PSS Act, 2007.

f. Factor of Authentication: Credential of the customer which is used for authentication. The factors of authentication can be from “something the user has”, “something the user knows” or “something the user is” and may comprise, inter-alia, password, SMS based OTP, passphrase, PIN, card hardware, software token, fingerprint, or any other form of biometrics (device native or Aadhaar based).

g. Issuer: A bank or a non-bank that maintains the customer’s account from which payment is made, such as a deposit account or a credit line or a prepaid instrument.

II. Words and expressions used but not defined in these directions and defined in the PSS Act, 2007 shall have the meanings assigned to them in that Act.

6. Principles for authentication of digital payment transactions

The technology and process deployed for authenticating a payment instruction by the Payment System Provider / Payment System Participant(s) shall comply with the following principles:

a. Minimum two factors of authentication
All digital payment transactions shall be authenticated by at least two distinct factors of authentication as defined in paragraph-5(f), unless exempted.
Note - Issuers may, at their discretion, offer a choice of authentication factors to their customers in compliance with these directions.

b. At least one of the factors to be dynamic
It shall be ensured that for digital payment transactions, other than card present transactions, at least one of the factors of authentication is dynamically created or proven, i.e., the proof of possession of the factor, being sent as part of the transaction, is unique to that transaction.

c. Robust
The factor of authentication shall be such that compromise of one factor does not affect reliability of the other.

7. Interoperability / Open Access

System Providers and System Participants shall offer authentication or tokenisation service that is accessible to all the applications / token requestors functioning in that operating environment for all use cases / channels or token storage mechanisms.
Note – Operating environment includes device hardware, operating system, etc.
The terms ‘tokenisation’, ‘token requestor’, ‘use cases/channels’ and ‘token storage mechanisms’ shall have the same meaning as assigned to them in the RBI directions on “Tokenisation – Card Transactions” dated January 08, 2019, as amended from time to time.

8. Risk based approach

Issuers may, in line with their internal risk management policies, identify transactions for evaluation against behavioural / contextual parameters such as transaction location, user behaviour patterns, device attributes, historical transaction profile, etc. Based on the perceived risk associated with the transaction, additional checks beyond the minimum two-factor authentication may be resorted to. Issuers may also explore using DigiLocker as a platform for notification and confirmation for high-risk transactions.

9. Responsibility of the issuer

An issuer shall ensure the robustness and integrity of the authentication mechanism before deployment.

If any loss arises out of transactions effected without complying with these directions, the issuer shall compensate the customer for the loss in full without demur.

Issuers shall ensure adherence to the provisions of the Digital Personal Data Protection Act, 2023.

10. Cross-border transactions

The directions outlined above are not applicable to cross-border digital payment transactions. However, card issuers shall, by October 01, 2026, put in place a mechanism to validate non-recurring, cross-border card not present (CNP) transactions, where request for authentication is raised by an overseas merchant or overseas acquirer. To ensure compliance, card issuers shall register their Bank Identification Numbers (BINs) with card networks.

Further, a risk-based mechanism for handling all cross-border CNP transactions shall also be put in place by card issuers by October 01, 2026.
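The principles in paragraph 6 (two distinct factors, one of them dynamic for non-card-present transactions, and factors whose compromise does not affect each other) can be checked mechanically at the issuer's authentication step. The following is an added illustration, not code from the RBI directions or any issuer; the device-bound key, the transaction fields and the HMAC-based proof of possession are assumptions chosen to show what "unique to that transaction" means in practice.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret standing in for a key provisioned to the customer's
# registered device (assumption; the directions do not prescribe a scheme).
DEVICE_KEY = b"constructed-device-secret-0001"


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount_paise: int
    payee: str
    card_present: bool = False  # card-present transactions are outside 6(b)


@dataclass(frozen=True)
class Factor:
    kind: str           # "knows", "has" or "is": the categories in 5(f)
    dynamic: bool       # proof is created or proven per transaction (6(b))
    proof: bytes = b""  # for a dynamic "has" factor: MAC over the transaction


def transaction_mac(txn: Transaction, key: bytes = DEVICE_KEY) -> bytes:
    """Proof of possession bound to one transaction: an HMAC over its
    identifying fields, so the proof cannot be replayed against another
    payee or amount. The "knows" factor (PIN) is deliberately not an input,
    which keeps the two factors independent as 6(c) requires."""
    msg = f"{txn.txn_id}|{txn.amount_paise}|{txn.payee}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_dynamic(factor: Factor, txn: Transaction) -> bool:
    return hmac.compare_digest(factor.proof, transaction_mac(txn))


def authenticate(txn: Transaction, factors: list) -> tuple:
    """Return (accepted, reason) for one authentication attempt."""
    kinds = {f.kind for f in factors}
    if len(kinds) < 2:  # two factors of the same category are not "distinct"
        return False, "6(a): fewer than two distinct factors"
    if not txn.card_present:
        dynamic = [f for f in factors if f.dynamic]
        if not dynamic:
            return False, "6(b): no dynamic factor for a non-card-present transaction"
        if not any(verify_dynamic(f, txn) for f in dynamic):
            return False, "6(b): dynamic proof is not bound to this transaction"
    return True, "authenticated"
```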


            54 | 2025 | OCTOBER                                                            | BANKING FINANCE