India’s appetite for credit cards and digital payments has exploded — by 2024 there were more than 75 million active credit cards in circulation, and contactless transactions grew over 76% during 2024–25.
But with this rapid expansion came growing complaints about hidden charges, fraudulent transactions, and delays in dispute resolution.
To make the system safer and more transparent, the Reserve Bank of India (RBI) rolled out a set of reforms in October 2025, commonly known as the RBI Credit Card Rules 2025.
This guide breaks down every major change, explains why these reforms were needed, and shows how they affect both consumers and businesses.
Why the RBI Credit Card Rules 2025 Were Introduced
RBI’s latest rules respond to multiple challenges faced by the fast-evolving digital payments ecosystem:
1. Surging Digital Payments
Contactless tap-to-pay transactions have become mainstream, but they’ve also raised concerns about fraud.
While RBI reports that disputed transactions represent less than 0.02% of contactless payments, it insists on real-time alerts and risk-based authentication for added security.
2. Consumer Complaints
Many users reported inconsistent billing practices and hidden charges. RBI now mandates that banks send detailed transaction breakdowns within 24 hours of purchase.
3. Financial Inclusion
The new rules require inclusive banking access for persons with disabilities (PwDs).
Under the revised KYC guidelines, banks cannot reject KYC applications without written reasons and must provide accessible authentication methods.
Stricter KYC Guidelines under RBI’s 2025 Update
RBI has significantly tightened Know Your Customer (KYC) procedures.
| Key Change | Description | Effective From |
|---|---|---|
| Re-verification every 3 years | Banks must re-verify customer KYC data every 3 years (earlier: 10 years). Failure to update can result in temporary suspension. | 15 Oct 2025 |
| Expanded mandatory KYC | Any transaction (single or cumulative) of ₹50,000+ now requires verified KYC. Applies to international transfers as well. | Oct 2025 |
| Inclusive authentication | Aadhaar Face Authentication is now valid. Officers must record reasons for KYC rejection, ensuring accessibility for PwDs. | Immediate |
These reforms align India with global anti-money-laundering standards and make digital onboarding safer.
New Credit Card Safety Rules Explained
The RBI Credit Card Rules 2025 introduce stronger safety controls and customer-friendly features:
| Category | Key Requirements | Relevant Timeline |
|---|---|---|
| RBI contactless rules | Tap-to-Pay disabled by default. Transaction cap: ₹5,000 per PIN-free payment. Cards unused for 12 months are auto-deactivated for online/international use. | From Oct 2025 |
| Real-time alerts & dispute resolution | Mandatory SMS/email alerts for every transaction. Refunds for failed or unauthorised payments must be processed within 48 hours. ₹100/day penalty if delayed. | Full compliance by 31 Dec 2025 |
| Auto-debit mandate rules | Pre-debit notification 24 hours before execution. Customers can approve, modify, or cancel via app or UPI. | Oct 2025 |
| Interest & billing transparency | Banks must show the effective annual interest rate (EIR) on cards and loans, with detailed breakdowns of EMIs and charges. | Immediate |
| Enhanced digital security | Biometric verification (fingerprint/face) for high-value transactions ₹50,000+. Banks must add “panic-stop” feature and AI-based fraud detection. | By 31 Dec 2025 |
These safety rules empower cardholders to control access and reduce unauthorised use.
Two-Factor and Risk-Based Authentication (2FA) – Effective 2026
RBI’s Authentication Mechanisms for Digital Payment Transactions Directions, 2025 bring in the next wave of payment security.
- Mandatory Two-Factor Authentication (2FA):
From 1 April 2026, all digital payments must use at least two authentication factors, one of which must be dynamic (like an OTP or token). - Risk-Based Checks:
Banks must analyse user behaviour — location, device, and transaction history — and request extra verification for high-risk transactions. - Exemptions:
Small-value contactless payments and certain recurring auto-debits are exempt from 2FA. - International Transactions:
From 1 October 2026, cross-border card payments must include additional authentication layers.
If a bank fails to meet these authentication requirements and the customer loses money, the issuer is fully liable.
UPI Credit Card and UPI Limit Changes
RBI’s 2025 rules also sync with NPCI’s UPI updates, reshaping how credit cards and UPI function together.
New UPI Rules (Effective August 2025)
| Update | Summary |
|---|---|
| Daily caps | Max 50 balance checks/day and 25 linked-account views/day. |
| Recurring payments | Processed only during non-peak hours (before 10 AM, 1–5 PM, after 9:30 PM). |
| Cooling period for status checks | 45–60 seconds delay before retrying failed payment status requests. |
| Inactive UPI IDs | Disabled if linked mobile number inactive for 12+ months. |
| Faster APIs | Response time cut from 30 seconds to 10 seconds. |
| UPI via credit line (UPI credit card) | From 31 Aug 2025, users can make UPI payments using a pre-approved credit line from banks or NBFCs. |
Compliance deadline: 31 July 2025, failing which payment providers face penalties or API restrictions.
UPI-Specific Limits in the RBI Credit Card Rules 2025
- Two-factor authentication: Required for all UPI payments over ₹1 lakh/day.
- Cross-border UPI cap: ₹50,000 per transaction; only registered international merchants may accept such payments.
- RuPay Credit Card Linking: All banks must support default linking of RuPay credit cards to UPI apps.
These updates merge the convenience of UPI with the power of credit, promoting safer, more flexible digital spending.
Impact of RBI Credit Card Rules 2025
For Consumers
- Stay current on KYC: Update details promptly to avoid account suspension.
- Enable Tap-to-Pay only when needed: Disabled by default for safety.
- Monitor alerts: Use real-time SMS/email updates and the “panic-stop” option.
- Check pre-debit notifications: Modify or cancel unwanted auto-debits easily.
- Understand UPI credit lines: New UPI-linked credit works like an overdraft — repay on time to avoid high interest.
For Businesses and Financial Institutions
- Upgrade systems for dynamic 2FA and biometric authentication.
- Maintain KYC inclusivity records and train staff to handle PwD authentication.
- Publish effective annual rates (EIR) and fee breakdowns clearly.
- Implement NPCI UPI rules and register for cross-border UPI.
- Adopt AI-based fraud detection and real-time monitoring tools.
Conclusion
The RBI Credit Card Rules 2025 mark a turning point in India’s digital finance landscape.
By tightening KYC norms, capping contactless payments, mandating two-factor authentication, and introducing the UPI credit card, RBI aims to make India’s payment ecosystem more secure, inclusive, and transparent.
For consumers, the message is clear — stay informed, stay updated, and stay safe.
For banks and fintechs, it’s time to invest in smarter compliance and risk management systems.
Together, these reforms pave the way for a stronger and safer digital economy.
FAQs on RBI Credit Card Rules 2025
What are the RBI’s new credit card rules for 2025?
They include stricter KYC re-verification every 3 years, contactless transaction limits, real-time alerts, and 2FA for digital payments.
When do these new rules come into effect?
Most took effect from October 2025, while 2FA implementation begins April 2026.
What is the UPI credit card introduced by RBI?
It allows users to make UPI payments via a credit line — similar to an overdraft — from 31 August 2025.
How will these rules affect customers?
They improve security, transparency, and accessibility, ensuring faster refunds and fewer hidden charges.
What happens if banks delay refunds for failed transactions?
Banks must refund within 48 hours or pay a ₹100 per-day penalty to customers.
