
RBI 2FA Mandate 2026: Payment Gateway Compliance Checklist for Razorpay, Cashfree, PayU & Stripe

From 1 April 2026 every digital payment needs two factors. Get a PSP-by-PSP compliance checklist for Razorpay, Cashfree, PayU, Stripe India, Easebuzz, Instamojo. Bulk-payout ERP audit for SAP, Tally, Zoho. Checkout abandonment benchmarks and the 30-day action plan.

18 May 2026 13 min read

The RBI's Authentication Mechanisms for Digital Payment Transactions Directions, 2025 (effective 1 April 2026) shifted full liability for fraudulent transactions to the issuer if 2FA isn't in place. For Indian businesses accepting online payments, this changes one thing operationally — you need written 2FA compliance confirmation from your payment aggregator — and two things commercially: checkout abandonment may rise 3-6 percentage points on first measurement, and bulk-payment APIs that authenticate with a single token are now non-compliant. This guide gives you a PSP-by-PSP checklist for Razorpay, Cashfree, PayU, Stripe India, Easebuzz, and Instamojo, plus an ERP-side audit for SAP, Tally Prime, Zoho Books, and Vyapar bulk payment integrations.

Key Takeaways
  • Every digital payment from 1 April 2026 needs two independent authentication factors — OTP alone is no longer compliant.
  • Liability for non-compliant authentication shifts to the issuer (payment platform / bank). The merchant doesn't absorb the fraud directly but inherits the operational cost of failed transactions and customer disputes.
  • PCI DSS v4.0.1 enforcement (since 31 March 2025) layers on top — merchants must monitor client-side scripts to prevent digital skimming. Major PSPs handle this if you use their hosted checkout.
  • Recurring debits above ₹15,000 trigger per-transaction AFA. SaaS plans, EMI businesses, and high-ticket subscriptions face renewed friction at every renewal cycle.
  • Bulk-payment APIs using a single static token are non-compliant. Treasury teams running payouts through SAP, Oracle, Tally, or Zoho must verify session-level + transaction-level AFA in their ERP-to-bank integration.
  • Paytm Payments Bank's licence was cancelled 24 April 2026 — Paytm-rail merchants must migrate to alternative PSPs before the next settlement cycle.
  • Audit deadline: get written 2FA compliance confirmation from your PSP before the next quarterly settlement closure. Non-confirmation = liability gap.

What the 2FA Mandate Actually Requires

The Directions categorise authentication into three "factors of identity":

  • Knowledge — something you know (PIN, password, secret phrase).
  • Possession — something you have (registered device, hardware token, SIM-bound mobile).
  • Inherence — something you are (fingerprint, face, voice biometric).

A compliant transaction must use at least two factors from two different categories. OTP is a knowledge factor; it cannot count as two factors. Card + OTP, device + PIN, biometric + OTP — all valid. Card + OTP + CVV is still one knowledge category — not enough on its own anymore. One of the two factors must be uniquely generated per transaction (rules out reusable PINs as the only token).
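As an added example (not code from the original article), the two-category rule above can be expressed as a small evaluator that an integration audit can run over each checkout flow. The factor catalogue, its classification (for instance a device-bound cryptogram treated as a per-transaction possession factor, an SMS OTP as a per-transaction knowledge factor) and the named flows are constructed for illustration; the last flow goes beyond the combinations the text lists to show the per-transaction condition failing on its own.

```python
"""Check a set of presented authentication factors against the two-category
rule: at least two factors from two different categories, at least one of
which is generated uniquely for the transaction.
Added example, not from the page; the factor catalogue and its classification
are constructed for illustration."""
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Factor:
    name: str
    category: str          # one of the three categories in the Directions
    per_transaction: bool  # True if the value is generated uniquely for this transaction


# Constructed catalogue of common factors.
OTP = Factor("sms-otp", KNOWLEDGE, per_transaction=True)
CVV = Factor("cvv", KNOWLEDGE, per_transaction=False)
PIN = Factor("pin", KNOWLEDGE, per_transaction=False)
DEVICE_CRYPTOGRAM = Factor("device-bound-cryptogram", POSSESSION, per_transaction=True)
FINGERPRINT = Factor("fingerprint", INHERENCE, per_transaction=False)


def evaluate(factors):
    """Return (compliant, reasons); reasons lists every condition that failed."""
    reasons = []
    categories = {f.category for f in factors}
    if len(factors) < 2:
        reasons.append("fewer than two factors presented")
    if len(categories) < 2:
        reasons.append("all factors fall in one category: "
                       + (", ".join(sorted(categories)) or "none"))
    if not any(f.per_transaction for f in factors):
        reasons.append("no factor is generated uniquely for this transaction")
    return not reasons, reasons


def audit(flows):
    """Evaluate several named checkout flows at once; returns {name: compliant}."""
    return {name: evaluate(factors)[0] for name, factors in flows.items()}


# Constructed flows mirroring the combinations discussed in the text, plus one
# (biometric + reusable PIN) that fails only the per-transaction condition.
FLOWS = {
    "otp-only": [OTP],
    "otp+cvv": [OTP, CVV],
    "device+pin": [DEVICE_CRYPTOGRAM, PIN],
    "biometric+otp": [FINGERPRINT, OTP],
    "biometric+pin": [FINGERPRINT, PIN],
}

if __name__ == "__main__":
    for name, factors in FLOWS.items():
        print(name, evaluate(factors))
```

The reasons list is what you want in an audit record: a flow that fails because both factors are knowledge factors needs a different fix than one that fails because neither factor is per-transaction.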

Risk-based authentication: the silent change

The Directions allow issuers to apply risk-based authentication: an unusual device, a new IP geolocation, or an anomalous amount triggers additional verification on top of the standard 2FA. For merchants, this means a small percentage of customers will see extra steps mid-checkout on their first transaction with a new device — even though your gateway is configured correctly. Plan customer-service messaging around this. The number to brief CX on: roughly 3-6% of first-time-device transactions trigger an additional step in the first six months of the framework.

PSP-by-PSP Compliance Checklist

Don't assume compliance. Get it in writing — on your PSP's letterhead, addressed to your business — before the next quarterly settlement closes. Here's what to ask each major Indian aggregator.

1. Razorpay

Razorpay is RBI-authorised as a Payment Aggregator and holds PCI DSS Level 1 certification. Built-in tokenisation, automated merchant KYC under the 2025 Master Directions, and AFA-compliant checkout flows are part of their default stack.

Confirm | Why
Razorpay Standard Checkout uses 2FA on cards, UPI, net-banking, wallets | Default UI handles this; verify if you have custom checkout
Razorpay Subscriptions sends 24-hour pre-debit alert on every recurring debit | E-mandate Framework 2026 requirement
Tokenisation replaces raw card data at point of collection | PCI DSS scope reduction
RazorpayX corporate payouts use 2FA per batch, not per session | Treasury bulk-payout compliance
Card-on-file mandates carry over through card reissuance | Reduces involuntary churn

2. Cashfree Payments

Cashfree is RBI-authorised, PCI DSS Level 1 certified. Strong on bulk payouts and fast settlement — Instant Settlement product credits funds within minutes. Cashfree Recurring handles e-mandates with AFA registration and 24-hour pre-debit alerts.

Confirm | Why
Cashfree Payouts API uses per-payout AFA, not single-token batch authentication | Bulk-payment compliance
Cashfree Recurring sends pre-debit + post-debit alerts on every mandate | E-mandate Framework 2026
Webhook-based payment confirmation is signed and authenticated | Prevents callback tampering
Instant Settlement settlement instructions are AFA-protected | Treasury operations
Vendor master onboarding for payouts requires PAN + bank-verification | RBI 2025 Master Directions on merchant due diligence
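The "signed and authenticated webhook" line deserves a concrete check on the merchant side: a callback that says "captured" must be verified before an order is fulfilled, or anyone who can reach your webhook URL can mark their own order paid. The following is an added example, not Cashfree's or Razorpay's SDK code. It assumes the common pattern of an HMAC-SHA256 over the raw request body with a per-merchant webhook secret carried in a request header; the header name, the secret and the event body below are placeholders, so check your PSP's documentation for the exact field and encoding.

```python
"""Verify a signed PSP webhook before trusting its payment status.
Added example; the header name, secret and event body are constructed
placeholders, not any PSP's real values."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Webhook-Signature"   # placeholder; PSP-specific


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Constant-time comparison against the presented signature.

    Always hash the raw request bytes, never a re-serialised JSON dict: any
    change in key order or whitespace would break the signature."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(compute_signature(secret, raw_body), presented)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict, seen_event_ids: set):
    """Return the payment status to act on, or None if the callback must be ignored.

    seen_event_ids is the merchant's own replay store (a database table in
    production); a redelivered event must not trigger a second fulfilment."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    event = json.loads(raw_body)
    event_id = event.get("event_id")
    if event_id is None or event_id in seen_event_ids:
        return None
    seen_event_ids.add(event_id)
    return event.get("status")


# Constructed sample delivery: a captured payment of ₹1,500.00 (amount in paise).
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = (b'{"event_id":"evt_0001","payment_id":"pay_0001",'
               b'"status":"captured","amount":150000}')

if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, headers, set()))   # captured
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}, set()))        # None
```

Two details matter in practice: the comparison uses hmac.compare_digest rather than ==, so signature checks do not leak timing information, and the event id is recorded before the status is returned, so a redelivered webhook cannot ship an order twice.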

3. PayU India

PayU is an RBI-authorised PA, known for strong fraud prevention (PayU Hermes) and enterprise scale. Confirm:

  • PayU Biz checkout uses 2FA on all card-not-present transactions.
  • PayU Money recurring mandates use AFA at registration + 24-hour alerts.
  • Fraud-screening (Hermes) is layered, not replacing 2FA.
  • Refund and chargeback flow conforms to RBI's revised digital-fraud compensation framework (April 2026).

4. Stripe India

Stripe operates in India under a PA licence and is particularly relevant for B2B SaaS and cross-border SaaS billing. Confirm:

  • Stripe Payments uses 3D Secure 2 (3DS2) for card 2FA — globally compliant and AFA-equivalent.
  • Stripe Billing recurring debits comply with the E-mandate Framework 2026.
  • Cross-border CNP transactions are 2FA-compliant before the 1 October 2026 deadline.
  • BIN registration with international networks (Visa, Mastercard, Amex) is current.

5. Easebuzz and Instamojo (SMB-focused)

For smaller merchants and direct-to-consumer brands, Easebuzz and Instamojo are common choices. Both are RBI-authorised PAs. The compliance bar is the same — but smaller PSPs may have slower product-update cycles, so verify:

  • Standard checkout 2FA flow is live on all channels (not "coming soon").
  • Recurring/subscription products are E-mandate Framework 2026 compliant.
  • Settlement reports include the AFA verification status per transaction (for audit trail).

6. Paytm — migrate immediately

On 24 April 2026, the RBI cancelled Paytm Payments Bank Limited's banking licence under Section 22(4) of the Banking Regulation Act for persistent compliance failures. Consumer-facing apps and merchant QRs continue via partner banks, but settlement infrastructure is disrupted and partner-bank coverage is uneven. Merchants currently routing through Paytm rails should migrate to an alternative PA before the next settlement cycle. Maintain dual rails until confidence is restored.

The PSP Confirmation Letter: What to Demand

Send your aggregator's account manager an email requesting written confirmation of the following. Copy your CFO and the head of finance. Get it on letterhead, dated post-April 2026.

Template confirmation letter

"We confirm that, as of [date], all merchant accounts of [Your Business] under our PA licence comply with: (a) RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025 for all card, UPI, net-banking, wallet, and PPI transactions; (b) RBI Digital Payments – E-mandate Framework, 2026 for all recurring mandates including pre-debit and post-debit notifications; (c) PCI DSS v4.0.1 client-side script monitoring; (d) RBI Master Directions for Payment Aggregators, 2025 including data localisation. We assume issuer-side liability for non-compliant authentication in accordance with these directions."

Checkout Abandonment: What to Expect and How to Measure

Pre-April 2026, Indian e-commerce cart abandonment averaged 65-75% with payment-step drop-off contributing 15-25% of that. The 2FA mandate adds a second authentication step on some transactions — particularly first-device transactions and amounts that trigger risk-based extra verification.

Cohort | Pre-April 2026 abandonment | Expected post-April 2026 | Levers to recover
Returning customer, saved card | 15-25% | 18-28% | Card tokenisation, device fingerprint trust
First-time customer, new device | 30-45% | 35-52% | UPI default, trust badges, prefilled forms
High-ticket (above ₹15,000) recurring | 5-10% per cycle | 8-15% per cycle | Concierge billing, AFA-prompt timing
Cross-border CNP cards | 40-60% | 45-68% (after 1 Oct 2026) | Local-currency presentment, alternative rails

To measure properly: capture checkout funnel events in GA4 (or your analytics tool) at three steps — payment-method-selected, authentication-prompt-shown, payment-success. The middle step is new. Comparing pre- and post-April cohorts on this funnel quantifies the AFA-friction cost.
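The three-step funnel and the pre/post cohort comparison can be computed from raw event records without an analytics vendor. What follows is an added example, not code from the article or from GA4. The three step names follow the text (written with underscores for GA4-style event naming, an assumption), and the event records are constructed rather than a real export; each record carries a period label ("pre" or "post" April 2026), a cohort label, a session id and the step reached. In the constructed "pre" data the authentication-prompt event is absent, matching the text's point that the middle step is new.

```python
"""Measure AFA friction from checkout funnel events.
Added example; event names and records are constructed, not a real GA4 export."""
from collections import defaultdict

STEPS = ["payment_method_selected", "authentication_prompt_shown", "payment_success"]


def _sessions(period, cohort, reached):
    """Constructed generator: reached[i] sessions get as far as STEPS[i]."""
    events = []
    for i in range(reached[0]):
        sid = f"{period}-{cohort}-{i}"
        for idx, step in enumerate(STEPS):
            if i < reached[idx]:
                events.append((period, cohort, sid, step))
    return events


# Constructed sample: 20 sessions per cohort and period. The prompt-shown event
# was not instrumented pre-April, so its count is 0 there.
EVENTS = (
    _sessions("pre", "returning_saved_card", (20, 0, 16))
    + _sessions("post", "returning_saved_card", (20, 20, 15))
    + _sessions("pre", "first_device", (20, 0, 12))
    + _sessions("post", "first_device", (20, 20, 10))
)


def funnel(events):
    """Distinct sessions reaching each step, keyed by (period, cohort)."""
    reached = defaultdict(lambda: {s: set() for s in STEPS})
    for period, cohort, sid, step in events:
        reached[(period, cohort)][step].add(sid)
    return {key: {s: len(v[s]) for s in STEPS} for key, v in reached.items()}


def abandonment(counts):
    """Share of sessions that chose a payment method but never succeeded."""
    selected = counts[STEPS[0]]
    return 0.0 if not selected else 1 - counts[STEPS[2]] / selected


def auth_step_loss(counts):
    """Share lost between the authentication prompt and success: the AFA-friction
    component. Only meaningful where the prompt event is instrumented."""
    shown = counts[STEPS[1]]
    return 0.0 if not shown else 1 - counts[STEPS[2]] / shown


def friction_delta(events):
    """Post-minus-pre abandonment per cohort, in percentage points."""
    f = funnel(events)
    out = {}
    for cohort in sorted({c for _, c in f}):
        pre, post = f.get(("pre", cohort)), f.get(("post", cohort))
        if pre and post:
            out[cohort] = round((abandonment(post) - abandonment(pre)) * 100, 1)
    return out


if __name__ == "__main__":
    for key, counts in sorted(funnel(EVENTS).items()):
        print(key, counts, f"abandonment={abandonment(counts):.2f}")
    print(friction_delta(EVENTS))
```

Keying by cohort is the point: the constructed data shows a 5-point rise for returning customers against a 10-point rise for first-device customers, which is the segmentation the FAQ below argues for before spending on blanket UX interventions.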

UX patterns that reduce 2FA drop-off

  1. Default to UPI for amounts under ₹1 lakh. UPI's PIN-plus-device 2FA is faster than card OTP. UPI checkout conversion in India typically beats card by 8-15 percentage points.
  2. Tokenise cards via your PSP's token vault. Tokenised cards skip the CVV re-entry on returning purchases and use device-bound authentication — fewer false-positive risk triggers.
  3. Show the bank's 2FA prompt inline if your PSP supports it. The pop-up-redirect-return pattern loses customers; the modal-overlay pattern keeps them in the funnel.
  4. Communicate the extra step — a one-line "Your bank will ask to confirm; this is normal" reduces panic abandonment on first-encountering customers.
  5. Don't force 3DS2 on low-risk transactions — if your PSP supports merchant-initiated risk scoring, low-risk transactions can be exempted from the second factor (frictionless flow under 3DS2).

Bulk Payment APIs: The Hidden Compliance Failure

The 2FA mandate covers customer-initiated digital payment transactions. For B2B bulk payouts — vendor payments, salary disbursement, refunds, marketplace seller settlements — the framework is interpreted by RBI to require AFA at the transaction initiation point, not just at user login. Single-token batch authentication, where one OTP authorises a batch of 500 payments, is non-compliant from April 2026.

ERP-to-bank integration: what to audit

Integration | Common pattern | Compliance status | Fix
SAP S/4HANA → bank H2H | SFTP file drop with single signing key | Non-compliant | Move to API-based with per-batch AFA + treasury maker-checker
Tally Prime → bank API | Single API token in Tally configuration | Likely non-compliant | Use connector that surfaces AFA per batch; manual confirm before submit
Zoho Books → ICICI/HDFC/SBI direct integration | OAuth-based; per-batch authorisation | Compliant in newer connectors | Confirm last connector update; require AFA on payouts > ₹1L
Vyapar → UPI corporate | UPI Lite / corporate UPI with per-txn approval | Compliant by design | Maintain device-level lock and biometric on approver phone
Custom NodeJS/Python → bank API | Service-account token | Non-compliant unless renewed per session | Implement session-bound AFA token rotation; treasury maker-checker UI

Treasury maker-checker is the cheapest fix: one person prepares the batch in the ERP, a second person logs into the bank's corporate portal with their own AFA, reviews the batch summary, and releases it. This adds 5-10 minutes per batch but converts a non-compliant flow into a fully auditable one. Most enterprise CFOs adopt this even when not strictly required.
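For the "Custom NodeJS/Python → bank API" row and the maker-checker fix described above, the property worth engineering is that the checker's AFA approval is bound to the exact batch that will be released: a different person, a fresh challenge per batch, and no way to reuse an approval or release a batch that was edited after review. The following is an added example that models that control; it is not any bank's or ERP connector's real API. PayoutBatch, Approval, the afa_verified callback (standing in for the bank's OTP or app-approval step) and the sample batch are all constructed for illustration.

```python
"""Maker-checker release of a payout batch with the checker's AFA approval
bound to a digest of the exact batch contents.
Added example; types, callback and sample batch are constructed and do not
model any bank's or ERP connector's real API."""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass


class ReleaseError(Exception):
    """Raised when a batch must not go to the bank."""


@dataclass
class Payout:
    beneficiary: str   # vendor id from the ERP vendor master (constructed)
    amount_paise: int


@dataclass
class PayoutBatch:
    batch_id: str
    maker: str         # who prepared the batch in the ERP
    payouts: list

    def digest(self) -> str:
        """Canonical SHA-256 of the batch contents; any edit changes it."""
        rows = [(p.beneficiary, p.amount_paise) for p in self.payouts]
        return hashlib.sha256(json.dumps(rows, separators=(",", ":")).encode()).hexdigest()


@dataclass
class Approval:
    checker: str
    batch_digest: str    # the batch the checker actually reviewed
    challenge_id: str    # the one-time AFA challenge they answered
    issued_at: float
    ttl_seconds: int = 300


def approve(batch: PayoutBatch, checker: str, afa_verified) -> Approval:
    """A second person reviews the batch summary and answers a fresh AFA challenge.

    afa_verified(user, challenge_id) is a constructed callback standing in for
    the bank's OTP or app-approval step; a static service-account token would
    not satisfy it, because a new challenge is issued per approval."""
    if checker == batch.maker:
        raise ReleaseError("maker and checker must be different people")
    challenge_id = secrets.token_hex(8)
    if not afa_verified(checker, challenge_id):
        raise ReleaseError("AFA challenge failed")
    return Approval(checker, batch.digest(), challenge_id, time.time())


def release(batch: PayoutBatch, approval: Approval, used_challenges: set, now=None) -> dict:
    """Submit the batch only if the approval matches it exactly, is fresh and unused."""
    now = time.time() if now is None else now
    if approval.batch_digest != batch.digest():
        raise ReleaseError("batch changed after approval; re-approve")
    if now - approval.issued_at > approval.ttl_seconds:
        raise ReleaseError("approval expired; re-approve")
    if approval.challenge_id in used_challenges:
        raise ReleaseError("approval already used; one AFA per batch release")
    used_challenges.add(approval.challenge_id)   # a replayed approval cannot release twice
    return {
        "batch_id": batch.batch_id,
        "payouts": len(batch.payouts),
        "total_paise": sum(p.amount_paise for p in batch.payouts),
    }


if __name__ == "__main__":
    # Constructed sample run: two vendors, one batch, one approval.
    batch = PayoutBatch("B-0001", "maker@example.invalid",
                        [Payout("V001", 1_500_000), Payout("V002", 250_000)])
    approval = approve(batch, "checker@example.invalid", lambda user, cid: True)
    print(release(batch, approval, set()))
```

The digest check is what turns the bank portal's manual review into something auditable: the approval record says which bytes the checker saw, so a line item added between review and submission is rejected rather than silently paid, and the used-challenge set is the "one AFA per batch" rule from the table in enforceable form.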

Liability Math: Who Pays When 2FA Fails

The Directions assign liability based on the failure mode:

  • Issuer (bank/PSP) didn't implement 2FA properly — issuer absorbs the fraud loss and is statutorily required to compensate the customer.
  • Customer disclosed credentials (phishing, social engineering) — RBI's revised digital-fraud compensation framework limits customer liability if the customer reports within the prescribed window (typically 3 working days for zero liability, 4-7 days for limited liability).
  • Merchant systems compromised — merchant absorbs the chargeback (and faces potential PCI DSS non-compliance penalties). This is why PCI DSS v4.0.1 enforcement matters as much as 2FA itself.

For most merchants using a fully-managed PSP like Razorpay, Cashfree, or PayU, the PSP's PA licence makes them the issuer for compliance purposes — and the merchant escapes direct fraud liability. But the operational cost of failed transactions and customer-service overhead is still yours. The cleanest way to manage this is to choose a PSP whose merchant-side dashboard provides per-transaction AFA verification status as an audit-ready field.

The 30-Day Action Plan

  1. Week 1. Email PSP account manager — request 2FA compliance confirmation letter. Run checkout funnel measurement in GA4 to establish baseline.
  2. Week 2. Audit ERP-to-bank integration. Identify single-token batch flows. Brief treasury team on maker-checker requirement.
  3. Week 3. Update checkout UX: default-to-UPI, inline 2FA prompt where supported, customer-facing copy on "your bank may ask to confirm".
  4. Week 4. Reconcile baseline funnel data against first month under new framework. Identify highest drop-off step and prioritise the next intervention.

How Bizeract Can Help

  • Payment gateway integration audit for your checkout — Razorpay, Cashfree, PayU, Stripe, Easebuzz, Instamojo configurations reviewed against the 2026 framework.
  • Bulk-payout workflow upgrade — replace single-token batch flows with per-batch AFA + treasury maker-checker, integrated with Tally, Zoho, or Vyapar.
  • Checkout funnel measurement setup in GA4/GTM with AFA-friction attribution.
  • Migration support if you're currently on Paytm rails and need to move to an RBI-compliant alternative before next settlement cycle.

Frequently Asked Questions

Q: Is my Razorpay/Cashfree/PayU integration automatically 2FA-compliant?

The PSP's default Standard Checkout is generally compliant for cards, UPI, net-banking, wallets, and recurring mandates from April 2026 onwards. However, if you use Custom Checkout, server-side payment APIs, or integrations built before 2024, manual verification is required. Always request a written compliance confirmation letter from the PSP's account team.

Q: Does the 2FA mandate apply to my QR-code receipt at the counter?

Static merchant QR (P2M) transactions are typically authenticated by the payer's UPI PIN + device — already meeting the two-factor standard. Dynamic QR (per-transaction) with risk-based authentication is the cleaner pattern. Confirm with your PSP that QR transactions are flagged in their AFA verification logs.

Q: My checkout converts at 35%. Will the 2FA mandate drop me to 30%?

Possibly, but the headline number is misleading. The drop concentrates in specific cohorts (first-device, cross-border CNP, high-ticket recurring). Segment your funnel before optimising — blanket discount or trust-badge interventions waste budget. Measure per-cohort drop-off first, then apply targeted UX patterns.

Q: We pay 200 vendors every month via Tally + bank API. Are we compliant?

If the integration uses a single static API token that authorises the entire 200-vendor batch in one call, almost certainly not. Move to a flow where Tally generates the payment file but a designated maker/checker logs into the bank's corporate portal, reviews the file, and releases the batch with their own AFA. The audit trail is also cleaner.

Q: What about international card payments on my SaaS billing?

Cross-border CNP card transactions need 2FA from 1 October 2026 — a later deadline than domestic. Card issuers must register their BINs with international networks (Visa, Mastercard) for the new authentication flow to work. If you bill foreign customers via Stripe, Razorpay International, or similar, confirm 3DS2 is active on the cross-border rails and that BIN registration is up to date well before 1 October 2026.

Q: We use Paytm currently. What's the migration urgency?

High. RBI cancelled Paytm Payments Bank's licence on 24 April 2026. Consumer-facing apps continue via partner banks, but settlement infrastructure has been disrupted and partner-bank coverage is uneven. Migrate to Razorpay, Cashfree, PayU, or Stripe before your next settlement cycle. Maintain a dual-rail setup (Paytm + alternative) for 90 days while customer payment habits adjust.

Q: How often should we re-verify PSP compliance?

Quarterly. Get a fresh confirmation letter from the PSP at the start of each financial quarter, after any major PSP product update, and immediately after any regulatory change (new RBI direction, PCI DSS update). For listed companies, attach the confirmation to the quarterly compliance certificate.

The Bottom Line

The RBI 2FA mandate doesn't change much for merchants who use a well-managed Indian payment aggregator — Razorpay, Cashfree, PayU, Stripe India, Easebuzz, and Instamojo all handle the authentication burden in their default checkout. What changes is the documentation discipline (get the compliance letter), the funnel measurement (track AFA-induced drop-off cohort by cohort), and the bulk-payout workflow (replace single-token batches with per-batch AFA or treasury maker-checker). Do these three things before the next quarterly close and you're operating cleanly under the new framework. Skip them, and a single high-value chargeback or a treasury audit finding will cost more than the work would have.

Sources: RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025; RBI Master Directions for Payment Aggregators, 2025; RBI Digital Payments — E-mandate Framework, 2026; PCI DSS v4.0.1 (enforced 31 March 2025); RBI cancellation order on Paytm Payments Bank Limited (24 April 2026); industry coverage by Razorpay, Cashfree, PayU, Stripe India, and Chargebee on RBI compliance.

What should you verify before using this GST & Finance Updates guide?

Before acting on the RBI 2FA mandate 2026, verify the current rules or platform behavior with the GST Portal. The practical answer depends on your business model, state, turnover, documents, software stack, and whether the decision affects tax, customer data, paid media spend, or a production workflow.

Use this article as a working checklist, then confirm thresholds, registration status, return forms, document rules, and portal notices. In our audits, most expensive mistakes do not come from ignoring the whole process. They come from one stale assumption, one mismatched address, one missing event, or one automation path that nobody tested after launch.

Checkpoint | Why it matters | Where to confirm
Current rule or platform status | Limits, forms, policies, and APIs can change after a blog update. | GST Portal
Your exact business case | A local shop, freelancer, D2C store, agency, and SaaS team rarely need the same next step. | Documents, invoices, campaign data, analytics setup, or workflow logs
Implementation evidence | The safest GST decision is backed by proof, not memory or screenshots from an old setup. | Portal acknowledgement, dashboard export, invoice sample, test lead, or error log

How do we apply this in real business work?

We start with the smallest decision that can be verified. For compliance work, that means matching PAN, address, bank, invoices, and portal status before filing. For websites, marketing, analytics, and automation, it means testing the real user path from first click to final record. The boring checks catch the costly failures.

A useful rule: if a claim changes money, tax, reporting, or customer communication, keep evidence for it. Save the acknowledgement, export the report, test the form, and note the date you verified the source. That gives you a clean trail when a client, officer, platform, or internal team asks why the setup was done that way.

When should you get expert review?

Get expert review when the next action can create tax exposure, lost reporting data, ad waste, broken customer communication, or production downtime. A simple self-check is enough for low-risk learning. A filed return, new registration, tracking migration, paid campaign restructure, or live automation deserves a second set of eyes before it affects customers or records.

How often should this be rechecked?

Recheck the decision whenever your turnover, state, product mix, campaign budget, website stack, analytics property, or workflow ownership changes. Also recheck it after major portal updates, platform policy changes, annual filing deadlines, and vendor migrations. The guide is useful today only if the facts behind it still match your business.

What is the fastest safe way to decide?

Write the decision in one sentence, list the proof needed for that sentence, and verify only those items first. This keeps the work focused. If the proof confirms the decision, proceed. If one item is unclear, pause and resolve that point before changing filings, campaigns, tracking, website code, or automation logic.

What can go wrong if you skip verification?

The usual failure is not dramatic at first. It looks like a rejected application, a wrong tax invoice, a missing conversion, a duplicate lead, a broken report, or a workflow that silently stops. Those small failures become expensive when nobody notices them until month-end reporting, filing day, or a customer escalation.

What evidence should you keep after making the change?

Keep enough evidence to reconstruct the decision later. For a compliance topic, that usually means the application reference number, registration certificate, invoice sample, return acknowledgement, payment challan, notice reply, or source link checked on the day of filing. For a website, campaign, analytics setup, or automation, keep the before-and-after screenshot, test submission, dashboard export, webhook log, and the exact setting that changed.

This matters because most business fixes are revisited months later, when nobody remembers the original reason. A short evidence trail makes audits faster, handovers cleaner, and vendor conversations more precise. It also keeps the advice in this guide tied to your real operating context instead of becoming a generic checklist that gets copied without review.

  • Date checked: record when the official source, dashboard, or portal screen was reviewed.
  • Business context: note the entity, state, product, campaign, property, or workflow affected.
  • Proof of action: save the acknowledgement, report export, test result, or live URL.
  • Owner: assign one person to re-check the item when rules, tools, or business volume change.
Verification workflow: use this loop before changing money, tax, reporting, or customer communication.
  1. Check source
  2. Match records
  3. Test action
  4. Save proof
Repeat this check whenever rules, platform settings, business volume, or ownership changes.

Which next step should you take after reading this?

Turn the article into one action list. Mark what is already true, what needs proof, and what needs expert review. If you want to go deeper, compare this guide with RBI New Rules April 2026: 2FA Mandate, NBFC TDS & Cash Reporting — A Business Guide, RBI E-mandate Framework 2026: SaaS & Subscription Churn Playbook for India, and E-commerce Workflow Automation for Indian Businesses: Razorpay → Invoice → WhatsApp → CRM (2026). Then update the decision only after the official source and your own records agree.

Frequently asked questions

Is Razorpay automatically 2FA-compliant after April 2026?

Razorpay's Standard Checkout and Subscriptions products are 2FA-compliant by default for cards, UPI, net-banking, wallets, and recurring mandates under the RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025. Custom Checkout, server-side payment APIs, or integrations built before 2024 require manual verification. Always request a written compliance confirmation letter from the Razorpay account team.

Does the RBI 2FA mandate apply to bulk payment APIs?

Yes. RBI interprets the framework to require AFA at the transaction-initiation point — not just at user login. Single-token batch authentication, where one OTP authorises a batch of 500 payments, is non-compliant from April 2026. ERP-to-bank integrations must either implement per-batch AFA or use a treasury maker-checker workflow in which a second person logs into the bank portal to release each batch.

What is OTP considered under the new 2FA framework?

OTP is a single authentication factor in the "knowledge" category (something you know). To meet the 2FA standard, OTP must be combined with a second factor from a different category — possession (device binding, hardware token) or inherence (fingerprint, face biometric). One of the two factors must be uniquely generated per transaction.

How much will checkout abandonment rise after the 2FA mandate?

The effect varies by cohort. Returning customers with saved tokenised cards see a modest 3-5 percentage point rise. First-time customers on new devices may see a 5-7 point rise due to risk-based extra verification. High-ticket recurring transactions above ₹15,000 face renewed AFA friction every cycle. Cross-border CNP card transactions face the steepest impact after the 1 October 2026 deadline.

Which Indian payment aggregators are RBI-authorised under the 2025 Master Directions?

Major RBI-authorised Payment Aggregators include Razorpay, Cashfree, PayU India, Stripe India, Easebuzz, Instamojo, and several others. Each holds PCI DSS Level 1 certification and operates under the 2025 RBI Master Directions for Payment Aggregators with 100% data localisation, 24-hour foreign-data purge, and merchant due diligence requirements.

Should I migrate from Paytm to another payment gateway?

Yes, with urgency. RBI cancelled Paytm Payments Bank Limited's banking licence on 24 April 2026 under Section 22(4) of the Banking Regulation Act for persistent compliance failures. Consumer-facing apps continue via partner banks, but settlement infrastructure is disrupted. Migrate to Razorpay, Cashfree, PayU, or Stripe before the next settlement cycle and maintain dual rails for 90 days.

When do cross-border card transactions need to be 2FA-compliant?

Cross-border Card-Not-Present (CNP) transactions must implement 2FA by 1 October 2026 — a later deadline than the 1 April 2026 domestic mandate. Card issuers must register their Bank Identification Numbers (BINs) with international networks (Visa, Mastercard, Amex) before this date. SaaS businesses billing foreign customers must verify 3DS2 is active on cross-border rails.
