UPI, card payment changes: RBI’s new digital payment rules from April 1; Why OTP alone won’t work now
Under the new framework, two-factor authentication will become mandatory for all digital payments, meaning one-time passwords alone will no longer be sufficient to complete transactions
- Mar 30, 2026,
- Updated Mar 30, 2026 12:07 PM IST
From April 1, making a digital payment in India will come with an extra step, as the Reserve Bank of India tightens security rules to curb rising fraud risks across UPI, cards and wallet transactions.
Under the new framework, two-factor authentication will become mandatory for all digital payments, meaning one-time passwords alone will no longer be sufficient to complete transactions.
While the process may take slightly longer, the objective is clear: strengthen security and reduce unauthorised transactions.
What changes under the new rules
The biggest shift is the move to compulsory two-factor authentication for every transaction.
This means:
-
OTP alone will not be enough anymore
-
Every payment must go through at least two verification steps
-
These can include a PIN, password, biometric verification or secure tokens
In effect, every digital transaction will now pass through two layers of authentication.
Why OTP is no longer enough
Until now, most online payments have relied heavily on OTP-based verification. However, increasing instances of phishing, SIM-swap fraud, and other cyber scams have exposed gaps in the system.
Under the new rules:
-
OTP becomes just one part of the process
-
A second authentication step is required
-
The chances of unauthorised access are reduced
The aim is to make digital payments more resilient against evolving fraud methods.
What users will experience from April 1
The changes will be visible in day-to-day transactions.
-
Payments may take slightly longer due to added checks
-
Transactions on trusted devices may remain relatively smooth
-
New devices or higher-value payments could trigger additional verification
The system will also adopt risk-based authentication, where the level of security depends on the nature of the transaction and user behaviour.
Banks to bear greater responsibility
A key feature of the new rules is increased accountability for banks and payment platforms.
-
Institutions must ensure compliance with security standards
-
If fraud occurs due to system lapses, banks may be required to compensate users
-
Dispute resolution is expected to become faster
This shift places greater pressure on financial institutions to maintain robust systems.
International payments also covered
The RBI has indicated that similar authentication requirements will be extended to cross-border transactions, including international card payments.
Full implementation for such transactions is expected by October 2026, bringing global payments in line with domestic security standards.
Why the RBI has tightened rules
With digital payments growing rapidly in India, fraud risks have also increased.
The new rules are aimed at:
-
Reducing cyber fraud and scams
-
Building trust in digital payment systems
-
Strengthening the safety of UPI and card transactions
From April 1, making a digital payment in India will come with an extra step, as the Reserve Bank of India tightens security rules to curb rising fraud risks across UPI, cards and wallet transactions.
Under the new framework, two-factor authentication will become mandatory for all digital payments, meaning one-time passwords alone will no longer be sufficient to complete transactions.
While the process may take slightly longer, the objective is clear: strengthen security and reduce unauthorised transactions.
What changes under the new rules
The biggest shift is the move to compulsory two-factor authentication for every transaction.
This means:
-
OTP alone will not be enough anymore
-
Every payment must go through at least two verification steps
-
These can include a PIN, password, biometric verification or secure tokens
In effect, every digital transaction will now pass through two layers of authentication.
Why OTP is no longer enough
Until now, most online payments have relied heavily on OTP-based verification. However, increasing instances of phishing, SIM-swap fraud, and other cyber scams have exposed gaps in the system.
Under the new rules:
-
OTP becomes just one part of the process
-
A second authentication step is required
-
The chances of unauthorised access are reduced
The aim is to make digital payments more resilient against evolving fraud methods.
What users will experience from April 1
The changes will be visible in day-to-day transactions.
-
Payments may take slightly longer due to added checks
-
Transactions on trusted devices may remain relatively smooth
-
New devices or higher-value payments could trigger additional verification
The system will also adopt risk-based authentication, where the level of security depends on the nature of the transaction and user behaviour.
Banks to bear greater responsibility
A key feature of the new rules is increased accountability for banks and payment platforms.
-
Institutions must ensure compliance with security standards
-
If fraud occurs due to system lapses, banks may be required to compensate users
-
Dispute resolution is expected to become faster
This shift places greater pressure on financial institutions to maintain robust systems.
International payments also covered
The RBI has indicated that similar authentication requirements will be extended to cross-border transactions, including international card payments.
Full implementation for such transactions is expected by October 2026, bringing global payments in line with domestic security standards.
Why the RBI has tightened rules
With digital payments growing rapidly in India, fraud risks have also increased.
The new rules are aimed at:
-
Reducing cyber fraud and scams
-
Building trust in digital payment systems
-
Strengthening the safety of UPI and card transactions