[Updated] Rejoice! RBI Removes 2 Factor Authentication For Transactions Under Rs. 2000


RBI 2FA removal

Nearly 3 months after we reported (see below) that RBI is planning to remove the much restricting 2 factor authentication on small value transactions, it is finally been made official.

RBI has come out with a circular announcing that they have now removed requirement of Additional Factor of Authentication for small value card present transactions. However, RBI has also stated that 2FA will not be required only if the card can offer contactless card payments that uses NFC technology!

So, while ordinary cards will still need to adhere to 2 factor authentication, this requirement will be removed in case of NFC based cards.

Here are details of announcement as per the RBI circular.

[box type=”shadow” ]

4. It has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC. In this regard, it is advised that –

  1. Relaxation for AFA requirement is permitted for transactions for a maximum value of Rs 2,000/- per transaction; banks are free to set lower per transaction limits.
  2. the contactless cards should necessarily adhere to EMV standards.
  3. Suitable velocity checks (daily, monthly, etc) shall be put in place by banks as agreed upon by the customer.
  4. for transaction value above the threshold limit of Rs 2000/- PIN (AFA) will be mandatory.

5. Further, in the interest of customer protection the banks are also advised:

  1. to clearly explain to customers about the technology, its use, risks and liability while issuing contact less/ NFC cards.
  2. to clearly indicate the maximum liability devolving on the customer, if any, at the time of issuance of such cards, along with the responsibility of the customer to report the loss of such cards to the bank immediately through multiple channels made available by the bank.
  3. to put in place robust mechanisms for seamless reporting of lost/stolen cards which can be accessed through multiple channels (website, phone banking, SMS, IVR etc.).

6. However, it may be noted that the above relaxations shall not apply to:

  1. ATM transactions irrespective of transaction value.
  2. Card not Present transactions(CNP).


[Earlier, written in Dec 9th, 2014]

2 Factor Authentication was made compulsory for all online transactions starting December 1st. This was done by Reserve Bank of India to implement safety and security for online buyers.

While it was good from the security perspective, it has created lot of hassles for online buyers, to the point that they cannot make transactions altogether on many international sites!

Looks like RBI has taken note of this – In one of our previous articles, we had pointed out that while security is necessary, RBI needs to come up with a balanced solution that does not create hassles for making online purchases. Implementation of 2FA is a big negative for making any international transactions.

While I am not sure whether they have a balanced solution in place, they have something that will make many Indian consumers happy.

It is very likely that RBI will soon come up with updated guidelines for eCommerce transactions, where 2 factor authentication will not be necessary for low ticket transactions.

While the exact amount is not finalized, it seems that the lower limit at which the 2 Factor Authentication will kick-in will be somewhere around Rs.3000 to Rs. 5000.

RBI Circular

RBI Deputy Governor H. R. Khan mentioned while speaking at  Inclusive Finance India Global Summit, “One area is that we are looking at small payments where we have two-factor authentication. Whether we can create a system where we can avoid the second factor authentication so that the small transactions can go… (For) arrangement between customer liability and provider liability, we can work out something. We are discussing with banks,”. He added, “Maybe, we will go for a small amount where we need not have second factor authentication. That amount could be (Rs) 1,000, 2,000 or 3,000,”

If the need for 2FA is done away for smaller transactions of upto Rs. 3000, majority of transactions should not have a problem.

Most of the international online payments by Indians include smaller sub $50 hosting bills, buying certain digital goods etc. Without 2FA, it will be extremely easy for Indians to make these payments.

The new guidelines are expected to come in-force in less than a month’s time.

  1. aksshay sharma says

    If such so then why still people can’t add their debit cards on google play. Why google play and apple store accept credit cards only?

  2. prashantn says

    Yes, I agree with Girish. A monthly cap too like say INR10000/- should be in place

  3. Girish A says

    Time to get card-protection-plan or wallet insurance kind of things :(
    So anyone with card details can transact online by entering the details. May be by transacting the below the limit of 2FA i.e. Rs. 900 and that too for multiple times.
    They could have thought of alternative solutions instead of bypassing 2FA. –

Leave A Reply

Your email address will not be published.

who's online