by ignoramous 4096 days ago
In that case, you could provide the user with an on-device one-click authenticate button (via notification/email, reminding her/him to approve the payment) that'd push the credentials out to your phantom-js instance. I am not sure what RBI compliance mandates, but one might be a strongbox.io away from implementing such a scheme server-side as well, if legal. A lot of care must go into securing such systems, no doubt. And there might be simpler alternatives that I simply cannot think of.

Just like CVV, we are not allowed to store the static passwords.
Well, you don't really store the passwords on your servers, but rather store them on the user's own devices (in a keystore, for instance). The user then agrees to push the credentials to your servers periodically instead of typing the password to authorize the payment.