by sudhirj 4099 days ago
How will you reconcile recurring payments with 3D secure requirements?
2 comments

One way to do that would be to monitor SMSes for 2FA codes. This can be easily done on Android and iOS. The app can run the payments flow in a PhantomJS-esque environment and read off 2FA values from the SMS inbox, and bam! Payment done. Also, there are other options for authorizing recurring payments but at a fixed amount, and paperwork can't be avoided.
Not every bank sends 2FA codes via SMS. For example, my debit card with SBI has a static password that I need to put in for every payment.
In that case, you could provide the user with an on-device one-click authenticate button (via notification/email, reminding her/him to approve the payment) that'd push the credentials out to your PhantomJS instance. I am not sure what RBI compliance mandates, but one might be a strongbox.io away from implementing such a scheme server-side as well, if legal. A lot of care must go into securing such systems, no doubt. And there might be simpler alternatives that I simply cannot think of.
Just like CVV, we are not allowed to store the static passwords.
Well, you don't really store the passwords on your servers, but rather store them on the user's own devices (in a keystore, for instance). The user then agrees to push the credentials to your servers periodically instead of typing the password to authorize the payment.
We have a few tricks up our sleeve.