What changed
RBI extended the mandatory additional authentication requirement to all card-not-present (CNP) transactions previously listed in its December 31, 2010 circular, with a compliance deadline of May 1, 2012. Previously, only certain CNP transactions (excluding interactive voice response, IVR) were covered from August 2009, and IVR was added from February 2011. Now, no CNP transaction category is exempt.
What it means for you
Banks must ensure every online card transaction without the card's physical presence uses a second authentication factor (like OTP or password) by May 2012. Failure to do so makes the issuer bank liable for any customer losses from unauthorized transactions. This tightens security for cardholders but requires banks to upgrade systems and coordinate with payment networks.
What you must do
- Audit all CNP transaction categories to ensure additional authentication is in place for those listed in the December 31, 2010 circular by May 1, 2012.
- Update IT systems and merchant agreements to support additional-factor authentication for IVR and other CNP transactions.
- Prepare a customer complaint and reimbursement mechanism for losses arising from non-compliant transactions after the deadline.
- Coordinate with card payment networks to implement the required authentication solutions.
Who it affects
All scheduled commercial banks including RRBs, urban co-operative banks, state and district central co-operative banks, authorised card payment networks, and card-issuing banks.
What is the deadline for implementing additional authentication for all CNP transactions?
The deadline is May 1, 2012. All CNP transactions listed in the December 31, 2010 circular must have an additional factor of authentication by this date.
What happens if a bank processes a CNP transaction without additional authentication after the deadline?
If a customer complains about a loss from such a transaction, the issuer bank must reimburse the customer without any objection.
Does this circular apply to IVR transactions?
Yes, IVR transactions were already covered from February 1, 2011, and this circular confirms they are included in the mandatory additional authentication requirement.