Razorpay, in partnership with Yes Bank, has recently launched a biometric-card-authentication system for online card payments, so that instead of entering a PIN/OTP, you can authenticate e-commerce purchases via fingerprint or face ID.
On October 6, 2025, Razorpay, in partnership with YES BANK, launched India’s first RBI-compliant biometric card authentication solution, Razorpay ACS.
The new platform enables online card payments to be securely authenticated using fingerprint or facial recognition, eliminating the need for traditional OTPs that add time and effort to every transaction, often being delayed or failing due to network issues.
Designed to enhance security, reduce transaction drop-offs, and improve checkout success rates, Razorpay ACS marks a major step forward in India’s digital payments ecosystem, setting a new standard for frictionless and compliant online card transactions.
Razorpay ACS: What It Is and How It Works
Razorpay ACS (Access Control Server) is a biometric-enabled card authentication solution launched in partnership with Yes Bank. Instead of the traditional SMS-OTP or PIN step for online card checkouts, ACS lets customers authenticate a card payment using device biometrics (fingerprint or Face ID) or other strong auth methods.
At checkout, the merchant requests card issuer authentication. Following this, the ACS triggers a device-level passkey/biometric prompt, which the user confirms with fingerprint or face scan. The ACS then returns a positive authentication to the issuer/merchant and the payment proceeds.
The biometric template and the cryptographic verification happen on the user’s device or in a secure tokenized flow. Razorpay’s implementation is designed to be RBI-compliant and to replace fragile SMS OTPs, which can increase drop-offs by up to 20%–30% in mobile commerce, with a smoother, stronger flow.
How Unique Is This Solution For The Indian Market?
Razorpay’s ACS is widely described as India’s first RBI-compliant biometric card authentication for online card checkouts. Globally, device biometrics and wallets have existed for some time, but packaging a regulator-aligned ACS that specifically replaces OTPs for card-based online checkouts, integrated with domestic banks and the local regulatory framework, is relatively novel in India.
India has one of the world’s most advanced biometric systems (Aadhar). Over 1.4 billion Indians are enrolled with fingerprint and iris scans, creating widespread familiarity with biometric authentication. Moreover, India has over 850 million smartphone users, many of whom are using budget devices with fingerprint sensors. The combination of RBI guidance pushing stronger authentication, deep mobile biometric penetration in India, and an ACS product tuned to local issuer/acquirer integrations gives Razorpay a genuine first-mover advantage domestically.
Technologies That Enable the Solution
Among the solution enablers, we can list:
- Device biometrics & passkeys (TouchID / FaceID / WebAuthn passkeys): enable user verification without server-side biometric storage.
- ACS / 3-D Secure integration: ties the biometric auth to the card scheme and issuer decisioning flow.
- Tokenization & secure elements: prevent exposure of PANs and ensure cryptographic assertions are used in place of OTPs.
- Real-time risk engines: to decide when to prompt biometrics vs. allow frictionless flows and to detect anomalies.
- Standards (WebAuthn / FIDO2 / EMV3-DS): provide interoperable, secure methods for passkey/biometric assertions in browsers and apps.
Practical Use Cases
What does this solution bring in practice? To begin with, mobile shoppers can confirm card payments with fingerprint or FaceID, reducing OTP failures and drop-offs. At the same time, online purchases that would otherwise require additional authorization measures (e.g., high-ticket items, travel bookings) can be approved quickly and securely. Moreover, issuers can require biometric ACS for suspicious transactions, lowering fraud and chargebacks while preserving UX for normal transactions.
Analogous Global Solutions
Globally, several various solutions are leveraging biometric authentication to improve payment security and user experience. For example, Mastercard Payment Passkeys, that was piloted in India, and Visa passkey pilots allow users to approve payments using device-based biometrics instead of traditional OTPs.
Similarly, Apple Pay and Google Wallet use built-in device biometrics to authorize tokenized card payments, a method that has been shown to increase mobile conversion rates.
On the hardware side, biometric card vendors such as Zwipe, IDEX, and IDEMIA are developing cards with on-card fingerprint sensors for in-store transactions and are beginning to explore ways to link these on-card authentication events to online payment flows through issuer integrations.
Biometric Cards: How Acs-Like Solutions Can Pave The Way For Their Online Integration
Biometric payment cards contain a fingerprint sensor and perform match-on-card authentication: the fingerprint template never leaves the card, and the card only “unlocks” for payments when the match succeeds. Today, biometric cards mainly accelerate and secure in-store contactless payments. To extend that trust into online card authentication, you need a way to convey the card’s successful biometric event to the issuer and merchant during remote checkout. That’s exactly where ACS and 3-D Secure integrations matter.
An ACS (or passkey/issuer risk stack) can accept a cryptographic attestation, for example, a token from the card or a secure device asserting that a biometric match occurred, and use that as the second authentication factor for 3-D Secure. In practice that means:
- the card or companion device emits a signed assertion after a match;
- the ACS validates the assertion and signals the issuer;
- the issuer treats it as strong customer authentication, avoiding OTPs.
So, Razorpay-style ACS deployments create the necessary infrastructure and legal/regulatory precedent for issuers to accept non-OTP biometric attestations. As biometric cards scale, ACS and passkey ecosystems will be the glue that lets those on-card match events meaningfully and securely replace OTPs in e-commerce, delivering both better UX and stronger fraud resistance.
