
RBI’s new rules for 2-factor authentication of digital payments

s1t2y3a3m6
RBI has announced a draft on Framework on Alternative Authentication Mechanisms for Digital Payment Transactions.

As per the draft, “Factor of Authentication: Any credential input by the customer which is verified for the purpose of confirming the originator of a payment instruction.

The factors of authentication are broadly categorised as below:

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics).”

Unless otherwise specified in this framework, all digital payment transactions will be verified through the use of an additional factor of authentication (AFA). When determining the proper AFA for a transaction, issuers such as banks and non-banks can use a risk-based methodology that takes into account the transaction value, origination channel, customer and/or beneficiary risk profiles, among other factors. Issuers must have a mechanism in place to notify customers of any eligible digital payment transactions almost instantly, as per the draft.

These are exempted from customer authentication:

Small value contactless card payments:
Small value card-present transactions for values up to Rs 5000/- per transaction in contactless mode at Point of Sale (PoS) terminals.

E-mandates for recurring (other than the first) transactions:
Transactions in respect of:
a) subscription to mutual funds;
b) payment of insurance premium; and
c) credit card bill payments, for values up to Rs 1,00,000, and in respect of all other categories, for values up to Rs 15,000/-.

Utility through select Prepaid Instruments / NETC:
The following categories of instruments/systems: Prepaid Instruments (PPIs) issued under PPI – Mass Transit Service and Gift PPIs.
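As an added illustration (not code from the RBI draft or from this post), here is how an issuer's authorisation service could encode just the exemption thresholds listed above as a policy check, with AFA required by default and every exemption explicit. The Transaction fields and the category names are assumptions; the risk-based selection of which AFA to use (by value, channel, risk profile) is left to the caller.

```python
from __future__ import annotations
from dataclasses import dataclass

# Thresholds as stated in the draft quoted above, in rupees ("up to" read as inclusive).
CONTACTLESS_POS_LIMIT = 5_000
EMANDATE_HIGH_LIMIT = 100_000      # mutual funds, insurance premium, credit card bills
EMANDATE_DEFAULT_LIMIT = 15_000    # all other e-mandate categories
EMANDATE_HIGH_CATEGORIES = {"mutual_fund", "insurance_premium", "credit_card_bill"}
EXEMPT_PPI_TYPES = {"transit", "gift"}   # PPI-MTS and Gift PPIs


@dataclass(frozen=True)
class Transaction:
    """Assumed (hypothetical) shape of a payment instruction reaching the issuer."""
    amount: int                  # in rupees
    kind: str                    # "card_present", "online", "emandate" or "ppi"
    contactless: bool = False    # tap at a PoS terminal (card_present only)
    recurring: bool = False      # e-mandate: False for the first debit, True afterwards
    category: str = "other"      # e-mandate category, or the PPI type for kind == "ppi"


def afa_required(txn: Transaction) -> tuple[bool, str]:
    """Return (AFA required?, reason). Anything not matching an exemption needs AFA."""
    if txn.amount <= 0:
        raise ValueError("amount must be positive")

    # Exemption 1: small-value contactless card-present payments at PoS.
    if txn.kind == "card_present" and txn.contactless and txn.amount <= CONTACTLESS_POS_LIMIT:
        return False, "small-value contactless card-present at PoS"

    # Exemption 2: recurring e-mandate debits (never the first one) within the category limit.
    if txn.kind == "emandate" and txn.recurring:
        limit = EMANDATE_HIGH_LIMIT if txn.category in EMANDATE_HIGH_CATEGORIES else EMANDATE_DEFAULT_LIMIT
        if txn.amount <= limit:
            return False, f"recurring e-mandate ({txn.category}) within Rs {limit:,}"
        return True, f"recurring e-mandate exceeds Rs {limit:,}"

    # Exemption 3: Mass Transit and Gift PPIs.
    if txn.kind == "ppi" and txn.category in EXEMPT_PPI_TYPES:
        return False, f"{txn.category} PPI is exempt"

    return True, "no exemption applies"


def authorise(txn: Transaction) -> dict:
    """Decision record: the draft requires near-instant customer notification regardless of AFA."""
    required, reason = afa_required(txn)
    return {"afa_required": required, "reason": reason, "notify_customer": True}
```

Note that a first e-mandate debit and a contactless tap above Rs 5000 both fall through to the default and still require AFA.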
 
Like what?

All the things mentioned are already present.
Did you read what I had written in the above post?

This is in draft phase.

Till now you have to enter only OTP for transaction authentication.

After implementation of the new draft you have to enter OTP with an additional randomly chosen question about your personal information, like below.

  • Something the user knows (such as password, passphrase, PIN)
  • Something the user has (such as card hardware or software token)
  • Something the user is (such as fingerprint or any other form of biometrics).”
 

Well, isn't OTP already the second factor (in netbanking, for example), since one needs to use a password to enter netbanking to start with?!

Some banks do already require a third factor in addition, like a transaction password.

Some banks (like the SBI) require 2FA even to login to netbanking!
Now you are facing this type of authentication only on net banking login of some banks, but after implementation all your card transactions will have to go through this type of authentication.
 