What changed
RBI issued a clarification on October 25, 2010, regarding the scope of the additional authentication mandate for card-not-present transactions. It confirmed that the mandate covers all transactions using Indian-issued cards on merchant sites where no foreign exchange outflow occurs, even if the payment gateway is overseas. Foreign-issued cards used on Indian merchant sites remain exempt from this requirement.
What it means for you
Banks must ensure that all online and IVR transactions using Indian-issued cards on domestic merchant sites include an additional authentication factor not visible on the card. Linking to an overseas payment gateway does not exempt these transactions. This strengthens security for domestic e-commerce while keeping cross-border card usage rules clear.
What you must do
- Verify that your systems enforce additional authentication for all Indian-issued card transactions on domestic merchant sites, regardless of payment gateway location.
- Update compliance procedures to exclude foreign-issued cards from this mandate when used on Indian merchant sites.
- Communicate the clarification to your merchant acquiring teams and payment gateway partners to avoid misinterpretation.
- Monitor transaction flows to ensure no relaxation is granted based solely on overseas gateway links.
Who it affects
All scheduled commercial banks including RRBs, urban co-operative banks, state co-operative banks, district central co-operative banks, and authorised card payment networks.
Does the additional authentication mandate apply to Indian cards used on foreign websites?
The mandate applies to Indian-issued cards used on merchant sites where no foreign exchange outflow is involved. For transactions on foreign websites involving forex outflow, the mandate is not addressed in this circular; banks should refer to other RBI guidelines.
Are foreign-issued cards used on Indian merchant sites exempt from this mandate?
Yes, the mandate is not applicable for cards issued outside India when used on Indian merchant sites, as per this clarification.
What is the effective date for IVR transactions under this mandate?
The mandate was extended to IVR transactions effective January 1, 2011, as per a previous RBI circular dated April 23, 2010.