RBI Mandatory 2FA, April 2026: UPI, Card and Wallet Readiness

By Nirav Goti · Jun 16, 2026 · 11 min read

From 1 April 2026, the Reserve Bank of India requires an Additional Factor of Authentication (AFA) on every digital payment transaction, regardless of rail, value, or device — UPI, cards (card-present and card-not-present), wallets, prepaid instruments, and cross-channel flows. Banks, NBFCs, Payment Aggregators (PAs), and Payment Gateways (PGs) that have not re-tested authentication coverage against the RBI IT Governance, Risk, Controls and Assurance Practices Master Direction and the Cyber Crisis Management Plan (CCMP) are exposed to supervisory action, license review, and direct financial penalties. This guide is the operational readiness checklist — scope, VAPT testing plan, gap analysis template, and penalty exposure — that we walk our regulated clients through.

What the 1 April 2026 RBI 2FA Mandate Actually Covers

The 1 April 2026 deadline is not a new principle — RBI has required two-factor authentication on card-not-present transactions since the 2009 circular on securing card payments. What changes on 1 April 2026 is scope expansion and exemption removal. The Reserve Bank of India has folded the 2FA / AFA requirement into the broader Master Direction on Digital Payment Security Controls and explicitly extended it to every Payment System Operator (PSO) regulated under the Payment and Settlement Systems Act, 2007.

The practical effect: low-value contactless card transactions below ₹5,000, recurring e-mandates above the previous ₹15,000 OTP threshold, UPI small-value PIN-less flows, and tokenised in-app payments must now demonstrate a documented second factor — something the customer has, knows, or is — that is cryptographically distinct from the first factor and logged in a tamper-evident audit trail.

RBI has clarified that "dynamic" factors qualify only if they meet four tests: independence from the primary credential, single-use validity, replay resistance, and binding to the specific transaction (amount, payee, and timestamp). OTPs delivered over SMS continue to qualify under the mandate but are explicitly flagged as a "transitional" control, because the channel is exposed to SIM-swap and SS7 interception rather than being cryptographically bound to the device. Entities are expected to publish migration roadmaps to cryptographic device-bound factors (FIDO2, secure-enclave keys, or RBI-approved soft tokens) in their FY26 board cyber reports. CISOs who plan to leave SMS OTP as their only second factor past 2026 should expect supervisory questions during the next inspection cycle.

Scope: UPI, Cards, Wallets and Cross-Channel Transactions

The mandate cuts across every digital payment channel a regulated entity touches. We map it across four buckets when we scope a readiness audit:

  • UPI: The NPCI UPI 2.0+ flow already enforces device binding + UPI PIN. The new requirement extends to UPI Lite, UPI on Credit Line, and UPI International — where pre-funded wallet or pre-authorised credit lines previously allowed PIN-less debits up to defined caps. From April 2026, the cap-based exemption stands only if the device binding + behavioural-biometric signal is itself logged as an independent factor.
  • Cards: Card-present (POS / contactless) transactions over ₹5,000 already require PIN. Below that, NFC tap-and-pay must now carry a cryptographic device attestation (EMV ARQC validation logged) as the second factor. Card-not-present requires 3-D Secure 2.x with risk-based AFA — and the issuer's RBA engine itself becomes in-scope for VAPT.
  • Wallets and PPIs: Closed-loop and semi-closed wallets must enforce AFA at load, transfer, and redemption. The previous "small-value PPI" carve-out is removed.
  • Cross-channel: Any transaction that originates on one rail and settles on another (UPI-funded wallet load, card-to-UPI mandate, etc.) must carry the AFA artefact end-to-end. This is where most PAs and PGs fail their first audit.

The cross-channel piece is the one most regulated entities underestimate. RBI's NPCI-aligned guidance is explicit: the authentication artefact must travel with the transaction object, not just exist in the originating system's logs. If your PG offloads tokenisation to a third-party vault, the AFA evidence chain has to be reconstructable from your records alone during a supervisory review.
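To make "reconstructable from your records alone" concrete, here is an added Python example (not code from this article or from any Certbar tooling) that performs the kind of reconstruction the cross-channel test in the VAPT scope below asks for. It groups constructed, structured log records from the originating and settling systems by transaction id and flags any transaction whose AFA artefact is missing on a hop, differs between hops, or is built only from knowledge factors. The JSON record layout, the factor labels and their categories are this example's assumptions, not an RBI or NPCI schema.

```python
import json
from collections import defaultdict

# Category of each factor label. The labels are this example's convention,
# not an RBI or NPCI taxonomy; extend the map to match your own log schema.
FACTOR_CATEGORY = {
    "upi_pin": "knowledge", "pan": "knowledge", "cvv": "knowledge", "password": "knowledge",
    "sms_otp": "possession", "device_binding": "possession", "fido2": "possession",
    "hw_token": "possession", "biometric": "inherence",
}

# Constructed sample records, one JSON object per line, as if pulled from the
# originating and settling systems for four cross-channel transactions.
SAMPLE_LOGS = """\
{"system":"upi-switch","txn":"T1001","event":"debit","amount_paise":49900,"afa":{"type":"device_binding+upi_pin","ref":"afa-7c1"}}
{"system":"wallet-ledger","txn":"T1001","event":"load","amount_paise":49900,"afa":{"type":"device_binding+upi_pin","ref":"afa-7c1"}}
{"system":"upi-switch","txn":"T1002","event":"debit","amount_paise":250000,"afa":{"type":"device_binding+upi_pin","ref":"afa-9e2"}}
{"system":"wallet-ledger","txn":"T1002","event":"load","amount_paise":250000}
{"system":"pg","txn":"T1003","event":"authorise","amount_paise":120000,"afa":{"type":"pan+sms_otp","ref":"afa-1aa"}}
{"system":"pg","txn":"T1003","event":"capture","amount_paise":120000,"afa":{"type":"pan+sms_otp","ref":"afa-c33"}}
{"system":"pg","txn":"T1004","event":"authorise","amount_paise":30000,"afa":{"type":"pan+cvv","ref":"afa-4b0"}}
{"system":"pg","txn":"T1004","event":"capture","amount_paise":30000,"afa":{"type":"pan+cvv","ref":"afa-4b0"}}
"""


def parse_logs(text):
    """Group structured log records by transaction id, preserving emission order."""
    by_txn = defaultdict(list)
    for line in text.strip().splitlines():
        rec = json.loads(line)
        by_txn[rec["txn"]].append(rec)
    return by_txn


def audit_transaction(records):
    """Return the evidence-chain findings for one transaction (empty list = reconstructs cleanly)."""
    findings = []
    refs = set()
    for rec in records:
        hop = f"{rec['system']}/{rec['event']}"
        afa = rec.get("afa")
        if afa is None:
            # The artefact must travel with the transaction object to every hop,
            # not merely exist in the originating system's logs.
            findings.append(f"{hop}: no AFA artefact on this hop")
            continue
        refs.add(afa["ref"])
        cats = {FACTOR_CATEGORY.get(f, "unknown") for f in afa["type"].split("+")}
        if "unknown" in cats:
            findings.append(f"{hop}: unrecognised factor label in {afa['type']!r}")
        elif len(cats) < 2:
            # Two factors from one category (e.g. PAN + CVV) fail the independence test.
            findings.append(f"{hop}: {afa['type']} uses only {cats.pop()} factors")
    if len(refs) > 1:
        findings.append(f"AFA artefact differs across hops: {sorted(refs)}")
    amounts = {rec["amount_paise"] for rec in records}
    if len(amounts) > 1:
        findings.append(f"amount differs across hops: {sorted(amounts)}")
    return findings


def reconstruct_evidence(text):
    """Map each transaction id to its findings; an empty list means the AFA chain is reconstructable."""
    return {txn: audit_transaction(recs) for txn, recs in parse_logs(text).items()}


if __name__ == "__main__":
    for txn, findings in reconstruct_evidence(SAMPLE_LOGS).items():
        print(txn, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

On the constructed input, T1001 reconstructs cleanly, T1002 fails because the wallet-ledger hop carries no artefact, T1003 fails because the artefact reference changes between authorise and capture, and T1004 fails the independence test on both hops. Against real records you would pull the same fields from the PG, switch and vault systems and expect the artefact reference to be stable across all of them, including any hop a third-party tokenisation vault inserts.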

Overlap with the RBI IT Governance Master Direction and CCMP

The 2FA mandate does not sit in isolation. It interlocks with two other RBI instruments that are already in force and will be tested together during the next inspection:

The Master Direction on IT Governance, Risk, Controls and Assurance Practices (effective 1 April 2024 for commercial banks and NBFCs in the upper layer) requires that authentication controls be (a) approved by the IT Strategy Committee of the board, (b) tested annually by an independent auditor, and (c) covered by a documented change-management process. A 2FA rollout that bypasses the IT Strategy Committee minutes is a finding in itself, even if the technical control is sound. We have seen this trip up two NBFC clients in their 2025 inspection cycle.

The Cyber Crisis Management Plan (CCMP), mandated by the Indian Computer Emergency Response Team (CERT-In) and folded into RBI's cyber resilience framework, requires that authentication-system outages be classified as a Tier-1 cyber incident and reported to CERT-In within 6 hours of detection — the timeline established under the CERT-In April 2022 directions. Your CCMP playbook must therefore include a 2FA-system-failure runbook with named owners, fallback authentication procedures, customer-communication templates, and the CERT-In incident reporting workflow. During our tabletop exercises, this is the runbook most often missing.

For payments leadership, the practical takeaway: treat the 2FA programme as one workstream inside a tri-control delivery — Authentication mandate, IT Governance Master Direction evidence, and CCMP runbook. Splitting them across three different vendors or three different internal teams is how compliance gaps open. Our compliance audit practice sequences these three so the same evidence pack satisfies all three inspectors.

Authentication Patterns That Pass and Fail Under the Mandate

Not every "second factor" qualifies. Here is the pass/fail matrix we apply during readiness reviews:

| Pattern | Status under 1 April 2026 mandate | Notes |
| --- | --- | --- |
| SMS OTP only | Passes (transitional) | Migration roadmap to a cryptographic factor required in the board cyber report. SIM-swap exposure must be documented. |
| Email OTP only | Fails | Email is not considered an independent channel. Account takeover via mailbox compromise is a known vector. |
| App-based push approval (binding logged) | Passes | Must include device attestation, jailbreak/root detection, and a replay-resistant nonce. |
| FIDO2 / WebAuthn (device-bound) | Passes (preferred) | Recognised in the OWASP Authentication Cheat Sheet as the strongest commodity option. |
| Behavioural biometrics alone | Fails | Acceptable only as a risk signal feeding RBA, never as the sole second factor. |
| Static PIN + password (both "know" factors) | Fails | Violates the independence test: both are knowledge factors. |
| Hardware token (HOTP / TOTP) | Passes | Strong for high-value corporate flows; rarely cost-effective for retail. |

The most common failure pattern we see in PA/PG audits is the "two-knowledge-factors masquerading as 2FA" trap: for instance, card PAN entry plus CVV (both static knowledge factors) being counted as AFA on legacy gateway endpoints that still run 3-D Secure 1.0 or skip 3-D Secure altogether. Everything an attacker needs for such a flow is on the card itself or in a single skimmed record, which is why RBI inspectors look for it specifically.

VAPT Scope to Prove 2FA Coverage Across Channels

A 2FA readiness VAPT engagement is not a generic application pentest. The scope must be channel-aware and evidence-driven. Here is the scoping template our offensive engineering team uses for regulated payment entities:

  1. Authentication flow mapping: Document every transaction-initiation path across web, mobile, IVR, USSD, and partner API. Map each path to the second-factor it invokes. Any path with no documented factor is a finding before testing even starts.
  2. Independence testing: Verify that compromise of factor 1 cannot derive factor 2. Common attacks tested: SIM-swap simulation against OTP delivery, mailbox-compromise replay against email OTP, session-fixation against app-push approval, and credential-stuffing chained with OTP-bypass.
  3. Replay and timing: Tested against OWASP ASVS v4.0.3 section V2.7 (out-of-band verifier requirements) and NIST SP 800-63B AAL2 baselines. Each second-factor artefact must be single-use, time-bound (typically 60-120 seconds), and bound to the specific transaction context.
  4. MITRE ATT&CK alignment: Reports map each finding to ATT&CK techniques — most often T1110.003 (password spraying), T1111 (multi-factor authentication interception), T1621 (multi-factor authentication request generation, aka "MFA fatigue"), and T1539 (steal web session cookie).
  5. 3-D Secure 2.x deep test: For card issuers and acquirers, the RBA engine itself is in-scope. We test the challenge/frictionless decision logic for bypass via header manipulation, device-ID spoofing, and adversarial scoring inputs.
  6. Cross-channel evidence chain: Pick five real production transactions (anonymised) and ask the entity to reconstruct the AFA evidence from logs alone. If they cannot, the audit fails the cross-channel test.
  7. Board-ready brief + technical report: Every engagement we ship for a regulated payment entity produces two artefacts — a 4-6 page board brief and a full technical report mapped to OWASP, CWE, MITRE ATT&CK, and the RBI Cyber Security Framework. This is exactly what the IT Strategy Committee and the supervisory inspector ask for.
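The four tests in the mandate section (independence, single use, replay resistance, transaction binding) and the replay/timing checks in step 3 above both come down to how the second-factor artefact is generated and verified. The following added Python example (not code from this article, from NPCI, or from any production system) shows one issuer-side design that satisfies them: a device-bound key, provisioned separately from the login credential, MACs the amount, payee, nonce and issue time; the verifier recomputes the MAC over the transaction context as submitted, enforces a 90-second window, and consumes the nonce on first success. `run_scenarios()` then drives the verifier through the tampering, replay and expiry attempts a 2FA VAPT tries. The key length, field layout and 8-digit truncation are this example's assumptions.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 90   # inside the 60-120 s band used in the VAPT plan
CODE_DIGITS = 8


def _canonical(amount_paise, payee, nonce, issued_at):
    """Fixed field order and separator, so the MAC covers exactly one reading of the context."""
    return f"{amount_paise}|{payee}|{nonce}|{issued_at}".encode()


def compute_code(device_key, amount_paise, payee, nonce, issued_at):
    """What the bound device computes: HMAC-SHA256 over the transaction context,
    truncated to CODE_DIGITS decimal digits with the RFC 4226 dynamic-truncation step."""
    mac = hmac.new(device_key, _canonical(amount_paise, payee, nonce, issued_at), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class TransactionAuthenticator:
    """Issuer-side verifier for a device-bound, transaction-bound second factor."""

    def __init__(self, device_key):
        # Provisioned at device binding; independent of the login password or UPI PIN,
        # so compromise of the first factor reveals nothing about this one.
        self.device_key = device_key
        self.pending = {}      # nonce -> issue time
        self.consumed = set()  # nonces already accepted once

    def issue_challenge(self, amount_paise, payee, now):
        nonce = secrets.token_hex(16)   # 128-bit random nonce: unpredictable, never reused
        self.pending[nonce] = int(now)
        return {"nonce": nonce, "issued_at": int(now), "amount_paise": amount_paise, "payee": payee}

    def verify(self, nonce, amount_paise, payee, code, now):
        """Return (accepted, reason). Checks single use, validity window and transaction binding."""
        if nonce in self.consumed:
            return False, "replay: nonce already consumed"
        issued_at = self.pending.get(nonce)
        if issued_at is None:
            return False, "unknown challenge"
        if now - issued_at > WINDOW_SECONDS:
            del self.pending[nonce]
            return False, "challenge expired"
        # Recompute over the context as submitted; a changed amount or payee will not match.
        expected = compute_code(self.device_key, amount_paise, payee, nonce, issued_at)
        if not hmac.compare_digest(expected, code):
            return False, "code does not bind to the submitted amount/payee"
        del self.pending[nonce]
        self.consumed.add(nonce)
        return True, "ok"


def run_scenarios():
    """Drive the verifier through the attacks a 2FA VAPT tries; returns accept/reject per scenario."""
    device_key = secrets.token_bytes(32)
    auth = TransactionAuthenticator(device_key)
    t0 = 1_700_000_000
    ch = auth.issue_challenge(49900, "merchant@upi", t0)
    code = compute_code(device_key, 49900, "merchant@upi", ch["nonce"], ch["issued_at"])
    results = {
        # amount or payee swapped between authentication and settlement
        "tampered_amount": auth.verify(ch["nonce"], 499900, "merchant@upi", code, t0 + 5)[0],
        "tampered_payee": auth.verify(ch["nonce"], 49900, "attacker@upi", code, t0 + 5)[0],
        # the genuine submission
        "valid": auth.verify(ch["nonce"], 49900, "merchant@upi", code, t0 + 5)[0],
        # the same artefact presented a second time
        "replay": auth.verify(ch["nonce"], 49900, "merchant@upi", code, t0 + 6)[0],
    }
    ch2 = auth.issue_challenge(1000, "shop@upi", t0)
    code2 = compute_code(device_key, 1000, "shop@upi", ch2["nonce"], ch2["issued_at"])
    results["expired"] = auth.verify(ch2["nonce"], 1000, "shop@upi", code2, t0 + WINDOW_SECONDS + 1)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} {'ACCEPTED' if accepted else 'rejected'}")
```

Only the genuine submission is accepted; the tampered, replayed and expired attempts are rejected. Two things the example leaves out that a production verifier needs: failed attempts must feed a lockout or step-up counter (an 8-digit code is not brute-force proof on its own), and the accept/reject decision, with the nonce and transaction context, must be written to the tamper-evident audit trail the mandate requires so the artefact can later be reconstructed from logs.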

Plan for a 4-6 week engagement window for a mid-sized PA/PG, 6-10 weeks for a Tier-1 bank, and budget for at least one retest cycle. Engagements run later than mid-January 2026 leave no buffer for fixes.

Gap Analysis Template: From Today to 1 April 2026

Use the following gap analysis template to convert the mandate into a tracked programme. Each row is owned by a named individual, has a target evidence artefact, and is reviewed weekly at the steering committee.

| Workstream | Target evidence | Latest start (working back from 1 April 2026) |
| --- | --- | --- |
| Channel-by-channel AFA inventory | Signed-off map of every transaction path and its second factor | July 2026 |
| Legacy exemption removal (PPI, UPI Lite, low-value contactless) | Closed change tickets, customer-comms records | September 2026 |
| VAPT — full payment stack + cross-channel | CERT-In empanelled auditor report, retest closure | October 2026 |
| IT Strategy Committee approval of 2FA roadmap | Board minute extract | November 2026 |
| CCMP runbook update — 2FA outage scenario | Tabletop exercise report, CERT-In escalation matrix | December 2026 |
| Migration roadmap to cryptographic factor | FY26 board cyber report extract | January 2027 (for FY26 close) |
| Customer education + grievance redressal updates | Updated FAQ, charge-back SOP, ombudsman briefing | February 2027 |
| Pre-go-live integrated test (production-like) | Pass/fail evidence pack signed by CISO | March 2027 (first half) |

If you started this programme in mid-2026, you are on schedule. If you are starting now in June 2026, the runway is compressed — most regulated entities we are onboarding in Q2 FY27 are running VAPT in parallel with remediation rather than sequentially. That works only with a tightly-scoped engagement and a steering committee that meets weekly.

Penalty and Supervisory-Action Exposure for Missed Deadlines

The cost of missing the 1 April 2026 deadline is not theoretical. RBI's enforcement playbook in recent years includes three escalating tiers, and we have seen all three applied during the FY24 and FY25 inspection cycles:

  • Tier 1 — Monetary penalties under Section 30 of the Payment and Settlement Systems Act, 2007: penalties of up to ₹5 lakh per contravention (or twice the amount involved where that is quantifiable, whichever is higher), with a further penalty of up to ₹25,000 per day for a continuing contravention. For a PA processing 50,000+ daily transactions, this scales fast.
  • Tier 2 — Business restrictions: RBI has, in multiple recent cases, ordered named PAs and card networks to stop onboarding new customers until specific cyber and authentication findings are closed. The 2021 supervisory actions against global card networks (lifted in 2022 after remediation) and the 2023-24 PA onboarding freezes are the public examples. Revenue impact: a halted onboarding pipeline at a growth-stage PA can wipe 30-60% of forecast quarter revenue.
  • Tier 3 — Licence implications: For PSOs operating under PSS Act authorisation, persistent non-compliance feeds into the periodic authorisation review. Authorisations have been allowed to lapse where cyber findings remained open across two inspection cycles.

Beyond RBI, there is parallel exposure under the Digital Personal Data Protection Act (DPDPA) 2023. The Data Protection Board can levy penalties of up to ₹250 crore for failure to take reasonable security safeguards — and an authentication bypass that leaks transaction data is precisely the failure mode the DPDPA targets. The Joint Parliamentary Committee report on data protection cited international precedents where regulators levied 4% of global turnover; DPDPA's ₹250 crore cap is the Indian analogue.

Add reputational cost: every named RBI enforcement order is published, indexed by financial press, and read by enterprise customers during vendor onboarding. The cheapest defensive control here is finishing the readiness programme on time.

Frequently Asked Questions

Below are the questions we hear most often from CISOs, Heads of Payments, and compliance leads scoping this programme.

Ready to lock in your 2FA readiness audit before the April 2026 deadline? Our CERT-In empanelled team has run 1,200+ engagements including dozens of RBI-regulated payment stacks, and we ship the dual board-brief + technical report aligned to RBI Cyber Security Framework, OWASP, and MITRE ATT&CK. Start with our VAPT services page or reach the founders directly via Certbar contact — engagements booked before October 2026 leave room for retest closure before the deadline.

Nirav Goti, Co-Founder & CEO

Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.



Yes. The previous cap-based exemptions for UPI Lite and contactless card transactions below ₹5,000 are removed in their old form. The transactions can still be PIN-less for the customer, but the entity must log an independent second factor — typically device binding plus a cryptographic attestation — and produce it on demand during a supervisory review.