Key Highlights
- Reserve Bank of India will mandate Additional Factor Authentication for cross‑border Card‑Not‑Present (CNP) purchases made with Indian‑issued cards.
- The new rule aims to bring the same fraud‑prevention standards to overseas transactions as those already applied domestically.
- Authentication may involve a one‑time password (OTP) or biometric verification such as fingerprint or facial scan.
- Stakeholders—including banks, payment gateways and merchants—will be consulted before final rollout.
- Adoption is expected to boost consumer confidence and curb illicit use of card details in global e‑commerce.
Detailed Insights
The RBI’s latest directive addresses a glaring security gap: while Indian shoppers have long benefited from Additional Factor Authentication (AFA) for domestic online purchases, their cross‑border transactions have remained vulnerable. By extending AFA to international Card‑Not‑Present payments, the central bank seeks to neutralise the heightened fraud risk inherent in the absence of a physical card. Under the proposal, each overseas purchase will trigger an extra verification step—either an OTP dispatched to the cardholder’s registered mobile number or a biometric check (fingerprint or facial recognition). The regulator will circulate a draft circular to gather feedback from the payments ecosystem, after which implementation will commence. This move dovetails with the RBI’s broader digital‑payment security framework, which already requires a dynamically generated authentication factor for every non‑card‑present transaction.
Key Concepts
- Additional Factor Authentication (AFA): A layered security protocol that obliges users to confirm a transaction through two or more independent methods, such as something they know (OTP, PIN) and something they are (biometrics).
- Card‑Not‑Present (CNP) Transaction: An online or remote purchase where the physical payment card is not presented to the merchant, making it more susceptible to credential‑theft.
- One‑Time Password (OTP): A single‑use numeric code sent to the cardholder’s mobile device, valid for a short time window and used to verify the user’s identity.
- Biometric Authentication: Verification based on unique physiological traits—typically fingerprint or facial features—integrated into the transaction flow.
- Dynamic Authentication Factor: A security element that changes with each transaction, ensuring that fraudsters cannot reuse captured credentials.