Regulatory Hotline December 09, 2016

‘Two Factor Authorization’ Requirement Relaxed: Welcome Step in the Demonetization Era

  • Earlier, all online transactions through credit / debit cards issued in India were subject to a mandatory ‘second factor authorization’.
  • Reserve Bank of India directs that this additional factor authorization requirement may be relaxed, at the option of the customer, for transactions of up to INR 2,000 (approx. USD 30).
  • Banks and authorized card networks directed to educate customers about risks involved in opting not to be subject to the additional factor authorization. 


India continues to be one of the high-cash usage economies with more than 78% of the transactions executed with fiat currency1. While there may be various reasons which may be attributed to the slow adoption of digital payments in India ( such as low internet penetration, challenges in ensuring use of banking facilities by all), the Government of India has been taking significant steps and has launched several initiatives to promote the transition to the digital payments. This includes the recent step taken by the Government of India to demonetize existing INR 500 (approx. USD 7.5) and INR 1,000 (approx. USD 15) denominations of currency in lieu of fresh INR 500 and INR 2,000 (approx. USD 30) notes being circulated.

India’s central bank, i.e. the Reserve Bank of India (“RBI”) has on December 6, 2016, issued a notification through which the requirement of an ‘additional factor of authentication’ (“AFA”) for card not present (“CNP”) transactions up to INR 2,000 (approx. USD 30) could be relaxed by banks and authorized card networks, at the option of the customer (“New Notification”).

RBI’s Mandate Prior to the New Notification

Earlier, the RBI had directed2 banks to mandatorily put in place an AFA on information that is not visible on the credit / debit cards used in CNP transactions. This ‘second factor’ authentication, as commonly known to the public, is based on information known or available to the card holder but is not printed on the card. Since this mandate by the RBI, banks have implemented the AFA requirement primarily though one time passwords being immediately sent to the users’ registered mobile number, or through use of internet passwords. This mandate by the RBI was applicable to all credit / debit cards issued in India and where there was no outflow of foreign exchange contemplated. Further, this mandate was applicable to all recurring transactions contemplated between merchants and cardholders.

The New Notification

The New Notification3 issued by the RBI relaxes the requirement of AFA for CNP transactions of up to INR 2,000 (approx. USD 30). Authorized card networks and card issuing banks may choose to relax the AFA requirement for customers upon taking their consent. Customers opting for this facility would need to go through a one-time registration process with the issuing bank. Further, lower transaction limits may be set by the customer in opting out of the AFA requirements.

In adhering to the New Notification and facilitating and giving customers an option to opt out of the AFA requirements, banks and authorized card networks would need to: 

  1. Conduct ‘velocity’ checks to ascertain the value and frequency of transactions in which the AFA requirement is not carried out,
  2. Educate and make customers aware that it is optional for them to opt out of the AFA requirement and that they are free to use other forms of AFA requirements (although the RBI has not specified other forms of AFA requirements that may be adopted),
  3. Educate and make customers aware of the mechanism and risk involved in opting out of the AFA requirements, and
  4. Indicate the maximum liability of the customer in the event of them opting out of the AFA requirements. 

In addition to the above, the New Notification provides that banks and authorized card networks should bear the full liability in the event of a security breach or compromise in the authorized card network.


The immediate take-away from the New Notification is that customers availing of this facility would not need to re-enter the card details for every transaction on a merchant website and also go through an AFA by way of a one-time password or internet password. In such cases, customers will not be required to re-enter the card details for every transaction at merchant locations and would only need to use their login credentials to avail of the facility.

The issuance of the New Notification is a welcome step by the RBI in the wake of ‘demonetization’ in India and should encourage the adoption of digital payment methods. It is clear that the RBI has made an attempt to aid customer convenience for low value card transactions, given the current liquid cash crunch in the country. This facility is an added convenience for customers in making digital payments to e-commerce website operators, radio taxi operators, depositing money in e-wallets, and in other online transactions through their credit / debit cards. Other initiatives introduced by the Government of India to foster financial inclusion and promote digital payments include the Unified Payment Interface, National Automated Clearing House, RuPay and the Bharat Bill Payment System.

Further, as per recent media reports,4 the Government is also contemplating waiving service tax chargeable on services by an acquiring bank in relation to settlement of an amount up to INR 2,000 (approx. USD 30) through debit or credit cards, in a bid to promote digital transactions.

Only time will tell us the net effect of such initiatives aimed to foster financial inclusion and promote digital payments.

Aaron Kamath, Rakhi Jindal & Vivek Kathpalia

You can direct your queries or comments to the authors

1 Digital Payments 2020, The Making of A $500 Billion Ecosystem In India (BCG & Google), July 2016 available at

2 Vide Notification RBI/2014-15/190 dated August 22, 2014; “Security Issues and Risk Mitigation measures related to Card Not Present (CNP) transactions”; available at:; along with other circulars and notifications.

3 Vide Notification RBI/2016-17/172 dated December 6, 2016; “Card Not Present transactions – Relaxation in Additional Factor of Authentication for payments up to 2000/- for card network provided authentication solutions”; available at:

4 Government to waive service tax on card transactions of up to Rs 2,000, dated December 8, 2016. Available at:

Nishith Desai Associates 2013. All rights reserved.