Digital payment transactions: Password, passphrase, PIN can be used as additional factor of authentication
Password, passphrase, PIN, card hardware or software token and biometrics can also be used as additional factor(s) of authentication (AFA) for authenticating digital payment transactions, according to the ‘Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions’ issued by RBI.
While no specific factor was mandated for authentication, the digital payments ecosystem has primarily adopted SMS-based OTP as AFA.
The central bank noted that technological advancements have made available alternative authentication mechanisms.
Hence, it wants payment system operators (payment system providers and payment system participants – banks and non-banks) to put in place the aforementioned alternative authentication mechanisms.
RBI said the framework is to enable the ecosystem to adopt alternative authentication mechanisms. This will widen the choice of authentication factors available to payment system operators and users, it added.
All digital payment transactions, other than card present transactions, should ensure that one of the factors of authentication is dynamically created – that is, the factor is generated after initiation of the payment, is specific to the transaction and cannot be reused, per the Framework.
The factors of authentication (any credential input by the customer which is verified for the purpose of confirming the originator of a payment instruction) will broadly include — something the user knows (such as password, passphrase, PIN); something the user has (such as card hardware or software token); and something the user is (such as fingerprint or any other form of biometrics).
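The "dynamically created" requirement above has three testable properties: the factor is generated only after the payment is initiated, it is bound to that specific transaction, and it cannot be reused. The following is an added illustration, not code from the RBI framework or from any payment operator, of how an issuer-side component could enforce all three. It assumes a server-held secret, a six-digit code derived from an HMAC over the transaction details plus a per-transaction nonce (a simplified construction chosen for illustration; the draft framework does not prescribe one), and constructed sample values such as transaction IDs, amounts in paise and beneficiary identifiers.

```python
import hashlib
import hmac
import secrets
import time


class DynamicFactorIssuer:
    """Issues and verifies a transaction-bound, single-use authentication code.

    Illustrative design (assumption, not the framework's text):
      - issue() is called only after a payment has been initiated, so the
        factor never exists before the transaction does;
      - the code is an HMAC over (txn_id, amount, beneficiary, nonce), so a
        code issued for one transaction fails if any detail is changed;
      - the pending challenge is removed on the first verification attempt,
        so a code can never be accepted twice (and cannot be guessed at
        leisure), and it expires after ttl_seconds.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int = 120, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for deterministic testing
        self._pending = {}           # txn_id -> (nonce, expires_at)

    @staticmethod
    def _binding(txn_id: str, amount_paise: int, beneficiary: str, nonce: str) -> bytes:
        # Fixed field order and an unambiguous separator keep the binding canonical.
        return f"{txn_id}|{amount_paise}|{beneficiary}|{nonce}".encode("utf-8")

    def _code_for(self, binding: bytes) -> str:
        mac = hmac.new(self._secret, binding, hashlib.sha256).digest()
        # Truncate the MAC to a six-digit user-facing code (simplified truncation).
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn_id: str, amount_paise: int, beneficiary: str) -> str:
        """Generate the dynamic factor for an already-initiated transaction."""
        nonce = secrets.token_hex(8)      # fresh per transaction: same details never repeat a code
        self._pending[txn_id] = (nonce, self._clock() + self._ttl)
        return self._code_for(self._binding(txn_id, amount_paise, beneficiary, nonce))

    def verify(self, txn_id: str, amount_paise: int, beneficiary: str, code: str) -> bool:
        """Accept the code once, only for the exact transaction it was issued for."""
        entry = self._pending.pop(txn_id, None)   # single use: consumed on first attempt
        if entry is None:
            return False                          # unknown, already used, or never issued
        nonce, expires_at = entry
        if self._clock() > expires_at:
            return False                          # stale challenge
        expected = self._code_for(self._binding(txn_id, amount_paise, beneficiary, nonce))
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Run the three properties against constructed sample transactions."""
    now = [1_700_000_000.0]
    issuer = DynamicFactorIssuer(b"constructed-demo-secret", ttl_seconds=60, clock=lambda: now[0])

    code = issuer.issue("TXN-0001", 150_000, "BENEF-001")          # ₹1,500.00, constructed values
    first = issuer.verify("TXN-0001", 150_000, "BENEF-001", code)
    replay = issuer.verify("TXN-0001", 150_000, "BENEF-001", code)

    code2 = issuer.issue("TXN-0002", 150_000, "BENEF-001")
    tampered = issuer.verify("TXN-0002", 999_999, "BENEF-001", code2)   # amount altered after issue

    code3 = issuer.issue("TXN-0003", 500, "BENEF-002")
    now[0] += 61                                                        # let the challenge expire
    expired = issuer.verify("TXN-0003", 500, "BENEF-002", code3)

    return {"accepted_once": first, "replay_rejected": not replay,
            "tampering_rejected": not tampered, "expiry_enforced": not expired}


if __name__ == "__main__":
    print(demo())
```

The important defensive point is in `verify`: the challenge is popped before any comparison, so a wrong guess, a replay and a tampered transaction all consume it, and the only way to proceed is to initiate the payment again and obtain a fresh factor.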
RBI said issuers (bank/non-bank) may adopt a risk-based approach in deciding the appropriate AFA for a transaction, based on the risk profile of the customer and/or beneficiary, transaction value, channel of origination, etc.
Issuers have to obtain explicit consent before enabling any new factor of authentication for the customer. The customer should also be provided a facility to deregister from using the new factor of authentication.
The digital transactions that are exempt from the AFA requirement include small value card present transactions for values up to ₹5,000 per transaction in contactless mode at Point of Sale (PoS) terminals; and transactions in respect of: a) subscription to mutual funds; b) payment of insurance premium and c) credit card bill payments, for values up to ₹1 lakh, and in respect of all other categories, for values up to ₹15,000.
Further, utility payments through select Prepaid Instruments / NETC and small value (up to ₹5,000) digital payments in offline mode will be exempt from the AFA requirement.