Due to the increased use of Credit/Debit Cards in the country, RBI reviewed various options

to enhance the security of online card transactions.

1. Additional Authentication Validation introduced for all on-line card not present
(CNP) transactions except Interactive Voice Response (IVR) transactions

Via circular RBI/DPSS/No.1501/02.14.003/2008-2009 dated February 18, 2009, a directive

was issued making it mandatory for banks to put in place additional authentication/validation
based on information not visible on the cards for all on-line card not present (CNP)
transactions except IVR transactions.

Additional Authentication Validation extended to IVR transactions

This mandate was further extended to all CNP transactions including IVR transactions. RBI
directed that after January 31, 2011 no IVR transactions shall be permitted unless such
transactions comply with the additional factor authentication requirement.

This directive was issued under section 18 of Payment and Settlement Systems Act 2007,
(Act 51 of 2007).

AFA introduced to Recurring Transactions

Banks had been advised vide notification dated December 31, 2010 to revert on the
introduction of additional factor of authentication(AFA) for (a) recurring transactions based
on standing instructions given to the merchants by the cardholders indicating the category of
utility services and (b) Travel and hotel industry bookings and other MOTO transactions
[ Para 4].
Via notification dated August 4, 2011, it was made mandatory by RBI to put in place AFA for
all CNP transactions indicated in para 4 (recurring/ MOTO) as per direction of notification
dated December 31, 2010 with effect from May 01, 2012.
From the Notification dated September 22, 2011, it is abundantly clear that RBI made it
mandatory for banks to put in place AFA for all on-line/ IVR/MOTO/recurring transactions
etc. based on information not available on the credit/debit /prepaid cards.

AFA relaxation for transactions to a maximum limit of Rs. 2000/- for contactless
payments

According to a Notification dated May 14, 2015, RBI relaxed the AFA requirement for
transactions for a maximum value of Rs.2,000/- per transaction across all categories of
merchants in the country accepting contactless payments.

AFA applicable to debit and credit cards in PPIs

According to a Master Direction issued by RBI, Cards (physical or virtual) shall necessarily
have AFA as required for debit cards, except in case of Pre-Payment Instruments (PPI)
issued under PPIs for Mass Transit Systems1

AFA made applicable to tokenised transactions

All extant instructions of Reserve Bank on safety and security of card transactions including
AFA / PIN entry shall be applicable for tokenised 2 card transactions also, as per the
notification issued on January 08, 2019.

Processing of E-Mandate on e-mandate on credit and debit cards for recurring

transactions with AFA limits

Via circular dated Aug 21, 2019, RBI permitted processing of e-mandate on credit and debit
cards for recurring transactions (merchant payments) with AFA limited to Rs 2,000. E-
Mandate is a payment service initiated by RBI and the National Payments Corporation of
India (NPCI). It provides the underlying infrastructure for businesses to collect recurring
payments in India. Recurring payments or Subscriptions are automatic payments. A
customer authorizes a service provider to debit fixed or variable amounts at regular intervals.

E-mandate made applicable to UPI Transactions and later limit of AFA relaxation
enhanced to Rs 5000/-

In line with the measures proposed for furthering digital payments announced vide, the RBI
Press Release dated November 8, 2019, extended processing of e-mandate to cover UPI
transactions as well via circular dated Jan 10, 2020. Based on requests received from
stakeholders and given the sufficient protection available to customers, it was announced in
the Press Release, Statement on Developmental and Regulatory Policies dated December
4, 2020 that the aforesaid transaction limit for AFA relaxation to be increased ₹ 5,000/- per
transaction, with effect from January 1, 2021, via circular dated Dec 4, 2020

AFA limit enhanced for contactless cards to Rs 5,000/-

To make transactions more secure, RBI permitted he option of switch on / off or to set limits
for various card features, including for contactless transactions via circular dated Jan 15,
2020. Keeping in mind the Covid pandemic, RBI issued a Press Release Statement on
Developmental and Regulatory Policies dated December 4, 2020 highlighting the usefulness
1
These are semi-closed PPIs issued by mass transit system operators. Apart from the mass transit system, such
PPI-MTS can be used only at other merchants whose activities are allied / related to or are carried on within the
premises of the transit system. They can be reloadable in nature. There is no need of AFA for transactions using
such PPIs. Eg: Cards for Buses, Taxis etc.
2
Tokenisation refers to replacement of actual card details with an alternate code called the “token”, which shall
be unique for a combination of card, token requestor (i.e. the entity which accepts request from the customer for
tokenisation of a card and passes it on to the card network to issue a corresponding token.
of contactless cards. Pursuant to the press release, RBI announced that per transaction limit
for AFA relaxation for contactless card transactions will be increased to ₹ 5,000/-., via
circular dated Dec 4, 2020.