Paytm launched biometric authentication for Unified Payments Interface (UPI) and cardless Automated Teller Machine (ATM) withdrawals on April 20, 2026. This security upgrade aligns with the Reserve Bank of India (RBI) mandate for robust Two-Factor Authentication (2FA) in digital transactions. By replacing or supplementing traditional PINs, the move aims to reduce payment fraud and enhance user convenience across India’s digital ecosystem.
Biometric Authentication for Secure UPI Payments
The new biometric feature allows users to verify UPI transactions using Face ID or fingerprint recognition directly on their smartphones. This method serves as an alternative to the manual entry of a UPI PIN, providing a faster and more secure checkout experience. According to the guidelines set by the National Payments Corporation of India (NPCI), these biometric-verified payments are initially capped at ₹5,000 per transaction.
Paytm has clarified that biometric data is not stored on its platform or bank servers. Instead, authentication occurs through the secure hardware of the user’s mobile device, ensuring high levels of privacy. This “something you are” factor significantly improves security over static PINs, which are vulnerable to shoulder surfing and phishing attacks.
Cardless ATM Withdrawals via UPI QR Codes
Paytm’s cardless ATM withdrawal feature enables users to withdraw cash by simply scanning a QR code on the ATM screen using the Paytm app. This service utilizes the Interoperable Cardless Cash Withdrawal (ICCW) technology, which has been encouraged by the RBI to minimize incidents of card skimming and cloning.
Under the current NPCI regulations, cardless withdrawals are capped at ₹10,000 per transaction. Once the QR code is scanned, users must authenticate the transaction on their mobile devices using either their UPI PIN or the newly introduced biometric verification. This seamless integration ensures that even cash withdrawals are protected by the same high-security standards as digital transfers.
Understanding the RBI Two-Factor Authentication Mandate
The introduction of biometric features is a direct response to the RBI’s Master Direction on Digital Payment Security Controls, which mandates Two-Factor Authentication (2FA) for all digital payments. As of April 1, 2026, the RBI requires that at least two of the following three types of factors be used for transaction verification:
- Knowledge Factor: Something the user knows, such as a password or PIN.
- Possession Factor: Something the user has, such as a smart device or SIM card.
- Inherence Factor: Something the user is, such as a fingerprint or facial features.
By integrating inherence factors (biometrics) with possession factors (the mobile device), Paytm ensures compliance with these stringent security standards. This multi-layered approach is designed to keep pace with the evolving nature of cyber threats in the financial sector.
The Role of NPCI in UPI Innovations
The National Payments Corporation of India (NPCI), an initiative of the Reserve Bank of India and the Indian Banks’ Association (IBA), plays a pivotal role in setting the technology standards for UPI. By issuing guidelines for biometric caps and interoperable cardless withdrawals, the NPCI ensures that innovations are balanced with risk management.
Established in 2008 under the Payment and Settlement Systems Act, 2007, the NPCI is headquartered in Mumbai. It has been instrumental in making India a global leader in real-time digital payments. The current limit of ₹5,000 for biometric payments is a precautionary measure to monitor user adoption and system stability before potentially expanding the limits in the future.
Strengthening Trust in Digital Banking
The adoption of biometric and cardless technologies addresses several “pain points” in the Indian digital payment landscape. Traditional debit cards are susceptible to theft, skimming, and cloning, while static PINs are often forgotten or shared, leading to security breaches. By shifting the verification process to the user’s smartphone, digital wallets like Paytm provide a layer of physical security that is difficult to replicate.
Furthermore, cardless ATM withdrawals reduce the reliance on physical hardware, potentially lowering maintenance costs for banks and increasing the lifespan of ATMs. For the average user, this translates to a more fluid experience where cash can be accessed without carrying a wallet, provided they have their authenticated mobile device.
Key Takeaways
- Paytm launched biometric authentication for UPI and cardless ATM withdrawals on April 20, 2026.
- The new features align with the RBI’s Master Direction on Digital Payment Security Controls for Two-Factor Authentication (2FA).
- Biometric-verified UPI payments are capped at ₹5,000 per transaction as per NPCI guidelines.
- Cardless ATM withdrawals via QR code scanning have a maximum limit of ₹10,000 per transaction.
- The NPCI was established in 2008 and is headquartered in Mumbai.
- Biometric authentication occurs on-device to ensure user privacy and data security.

