New Delhi: India is tightening the security backbone of its quick response (QR) code-based payments, eyeing a wider global footprint for its united payments interface (UPI). Towards this, the Bureau of Indian Standards (BIS) has unveiled new norms to cover biometric authentication, QR-code payments and digital currency security, said two officials in the know. The aim is to curb fraud, set common standards for banks and fintechs, and build trust in markets where such systems are still nascent.
India processed over 218 billion digital payment transactions worth ₹284.7 trillion through QR scans and biometric authentication between April and February of FY26, according to finance ministry data. Amid this popularity surge, regulators are seeking a structured security framework to guide banks, fintechs and payment service providers amid the rapid expansion.
India’s QR code-based payment system is already operational in Singapore, the UAE, France, Nepal, Bhutan, Sri Lanka and Mauritius, and is shortly expected to be launched in Japan.
According to the BIS order reviewed by Mint, one of the newly notified standards establishes a security framework for use of biometrics in financial services. “It lays down requirements for secure biometric authentication systems, including protection of biometric data, safeguards against spoofing or identity manipulation, secure storage and transmission of biometric information and protocols to ensure the integrity and reliability of authentication systems used by financial institutions,” said one of the officials, who did not wish to be identified.
Yet another standard focuses on security for code-scanning payment systems. Given the widespread use of QR code-based payments in India’s retail and small merchant ecosystem, the standard provides guidance on secure QR code generation, encryption practices, verification mechanisms and safeguards to prevent risks such as fake QR codes, payment redirection and unauthorized transaction processing.
Digital currency security
The BIS has also notified new standards to deal with security aspects related to digital currency. It outlines security considerations for digital currency infrastructure, including cryptographic safeguards, transaction validation processes, system resilience against cyber threats and risk management systems for digital currency platforms.
India’s pilot central bank digital currency (CBDC) project has recorded over 120 million transactions, with their cumulative value crossing ₹280 billion, according to Reserve Bank of India data.
“The ministry of consumer affairs, which is the issuing authority, believes that once these new standards are adopted by financial institutions, UPI (unified payment interface) payments will become more secure and help check fraud. The standards will also make the Indian UPI payment system globally acceptable,” said the second official.
Queries emailed to BIS spokespersons on 3 April and the National Payments Corporation of India that operates UPI, and to the home ministry on 8 April remained unanswered till press time.
Experts said stiffer norms for QR-based payments will boost system security as well as India's global standing in the space.
“With UPI accounting for nearly half of global real-time transactions, India is emerging as a rule-maker, exporting scalable digital public infrastructure to the world. This enables seamless cross border payments, lowers remittance costs, and improves financial inclusion while giving businesses easier access to global markets and credit,” said Dipal Dutta, chief executive at RedoQ that bridges traditional IT services with fintech.
“At the same time, India Stack is becoming a strategic soft power tool, offering an open and inclusive alternative for countries building their digital infrastructure," Dutta added.