Reserve Bank of India (RBI) released draft directions on February 7, 2025, proposing the implementation of an Additional Factor of Authentication (AFA) for cross-border Card Not Present (CNP) transactions. This measure, aligned with RBI’s Payments Vision 2025, seeks to enhance transaction security and mitigate risks. As per the draft, card issuers must validate AFA for non-recurring cross-border CNP transactions when requested by overseas merchants or acquirers. Card issuers are also required to register their Bank Identification Numbers (BINs) with card networks and establish risk-based mechanisms for managing such transactions.
Public feedback on these draft directions is invited until March 10, 2025, via email or post to the RBI’s Department of Payment and Settlement Systems in Mumbai. The directions, issued under the Payment and Settlement Systems Act, 2007, will take effect three months from the final circular’s issuance.
This initiative extends AFA requirements already mandated for domestic card transactions to cross-border transactions, aiming to provide an additional layer of security and align with global best practices in payment security.
RESERVE BANK OF INDIA
February 7, 2025
Additional Factor of Authentication (AFA) for cross-border Card Not Present (CNP) transactions – Draft Directions
As announced in Statement on Developmental and Regulatory Policies dated February 07, 2025, Reserve Bank of India today placed on its website draft directions on Additional Factor of Authentication (AFA) for cross-border Card Not Present (CNP) transactions for public comments.
The draft directions require a card issuer to validate AFA for non-recurring cross-border CNP transaction, whenever a request for AFA is raised by the overseas merchant or the overseas acquirer.
Comments / feedback on the draft directions may be sent by email or by post to the Chief General Manager-in-Charge, Department of Payment and Settlement Systems, Reserve Bank of India, Central Office, 14th Floor, Shahid Bhagat Singh Marg, Mumbai-400001, on or before March 10, 2025.
(Puneet Pancholy)
Chief General Manager
Press Release: 2024-2025/2114
RESERVE BANK OF INDIA
DRAFT CIRCULAR FOR COMMENTS
CO.DPSS.POLC. No. S-**** / 02-14-003 / 2024-25
Date of Issue
All Payment System Providers and Payment System Participants (banks and non-banks)
Madam / Dear Sir,
Additional Factor of Authentication (AFA) for cross-border Card Not Present (CNP) transactions – DRAFT
The Reserve Bank of India (hereafter, the Bank) had mandated AFA for domestic card transactions, vide circular RBI / DPSS No. 1501 / 02.14.003 / 2008-2009 dated February 18, 2009 on “Credit/Debit Card transactions-Security Issues and Risk mitigation measures”, andDPSS.PD.CO. No.223/02.14.003/2011-2012 dated August 4, 2011 on “Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions” to provide an additional layer of security. The Bank’s Payments Vision 2025 envisaged a similar experience for cross-border card transactions.
2. Accordingly, it is now proposed to mandate AFA for cross-border Card Not Present (CNP) transactions as detailed below:
a) Card issuers shall register their BINs with card networks for AFA validation.
b) Card issuers shall validate AFA1 for non-recurring2 cross-border3 CNP transaction, whenever a request for AFA is raised by the overseas merchant or the overseas acquirer.
c) Card issuers shall put in place a risk-based mechanism for handling all cross-border transactions.
3. These directions are being issued in exercise of the powers conferred under Section 18
read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007) and shall come into force three months from the date of this circular.
Yours faithfully,
Chief General Manager-in-Charge
Notes:-
1 As defined in RBI circular RBI / DPSS No. 1501 / 02.14.003 / 2008-2009 dated February 18, 2009 on “Credit/Debit Card transactions-Security Issues and Risk mitigation measures”
2 Recurring transactions defined in RBI direction DPSS.CO.PD.No.447/02.14.003/2019-20 dated August 21, 2019 on “Processing of e-mandate on cards for recurring transactions”, as amended from time to time.
3 A payment instruction wherein the card, issued by an Indian issuer, is used for undertaking a payment transaction favoring a merchant acquired by an overseas acquirer. For such transactions, outflow of foreign exchange is envisaged.
