Payment Aggregator and Payment Gateway Compliances

Payment Aggregators and Payment Gateways play a significant role in effecting a payment transaction. For the system to function smoothly, however, the entities providing payment aggregator and payment gateway services must meet the various compliance requirements set out by the regulatory authority. Connect with TAP GLOBAL today for the assistance listed below.

Package inclusions:
  • Payment aggregator and payment gateway compliances consultancy;
  • Complete assistance in meeting payment aggregator and payment gateway compliances;
  • Regular follow ups with the regulatory authority.

Payment Aggregator and Payment Gateway Compliances- Brief Overview

Online payment modes are increasingly used across the country, and digital transactions are preferred for the convenience they offer. As a result, banks and prepaid payment instrument (PPI) issuers have steadily expanded the electronic modes available for payments to merchants. This process generally involves intermediaries such as payment aggregators and payment gateway service providers.

What do you mean by Payment Gateway and Payment Aggregator?

The terms Payment Aggregator and Payment Gateway are used interchangeably by some; however, the two differ in their functions. A payment aggregator on-boards merchants and receives/collects funds from customers on behalf of the merchant into an escrow account. A payment gateway, on the other hand, is an entity that, through its technology infrastructure, routes and/or facilitates the processing of online payment transactions. Unlike a payment aggregator, a payment gateway does not handle funds at all. The payment aggregator is the front-end service, whereas the payment gateway is the back-end technology support. The two services are not mutually exclusive, and some payment aggregators offer both.

Entities must follow a number of payment aggregator and payment gateway compliance requirements. These are explained below.

Various Compliances for Payment Aggregators

The payment aggregators need to ensure strict compliance with the following as per the RBI guidelines:

Background check of merchants

Payment aggregators must comply with the KYC / AML / CFT requirements issued by the Reserve Bank of India, in accordance with the Master Direction - Know Your Customer (KYC) Direction, as well as with the provisions of the PMLA and the Rules framed under it.

As per the RBI guidelines, payment aggregators must conduct background and antecedent checks of merchants to ensure that the merchants do not intend to dupe customers, sell fake/counterfeit/prohibited products, etc. The guidelines also oblige payment aggregators to check that appropriate terms and conditions have been published on each merchant's website.

The guidelines further provide that payment aggregators must check the Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the on-boarded merchant's infrastructure. Note that the PCI Security Standards Council retired PA-DSS in October 2022 and superseded it with the PCI Software Security Framework, so for payment applications the equivalent check today is validation under that framework.

Grievance Redressal and Dispute Management

The RBI guidelines mandate that payment aggregators put in place a formal and publicly disclosed customer grievance redressal and dispute management mechanism.

A payment aggregator should appoint a nodal officer to handle customer complaints and grievances, with a defined escalation matrix. The dispute resolution mechanism is binding on all participants in the transaction.

Security and Risk Management Framework

The RBI guidelines mandate that payment aggregators put in place the following:

  • Adequate information and data security infrastructure to prevent and detect fraud;
  • A board-approved information security policy;
  • Implementation of the information security policy to mitigate risk;
  • A mechanism to monitor, handle and follow up on cyber security incidents and breaches, and to report such incidents to DPSS, RBI Central Office, Mumbai and to CERT-In;
  • Compliance with the data storage requirements applicable to Payment System Operators;
  • Submission of a system audit report, including a cyber security audit conducted by CERT-In empanelled auditors, to the respective Regional Office of DPSS, RBI within two months of the close of their financial year.

Reporting Requirements

The RBI guidelines mandate that payment aggregators submit the following reports on an annual, quarterly, monthly and non-periodic basis.

Annual

  • Audited Annual Report on Net Worth, certified by a Chartered Accountant, by September 30;
  • Unaudited and Self-Declared Net Worth Certificate as of September 30, by December 31;
  • IS Audit Report and Cyber Security Audit Report, with observations, corrective/preventive action planned and closure dates, audited externally, by May 31.

Quarterly (to be filed by the 15th of the month after the quarter-end)

  • Auditors' Certificate on Escrow Balance;
  • Internally Audited Bankers' Certificate on Escrow Account Debits and Credits;
  • Auditors' Certificate on Nodal Accounts, for Marketplaces;
  • Customer Grievances Report;
  • Cyber Security Audit Report.

Monthly (to be filed by the 7th of the next month)

  • Statistics of Transactions Handled;
  • Reports on Frauds;
  • Cyber Security Incident Reports, with root cause analysis and preventive action undertaken.

Non-Periodic

  • One-Time Technical Audit, and again whenever a major change is made to the process flow;
  • Change in Board of Directors, as and when it happens.

IT Related Compliances

The requirements for PA entities in respect of IT systems and security are as follows:

  • Information security governance
  1. Carry out a comprehensive security risk assessment covering their people, business processes, technology environment, etc.;
  2. Present reports on risk assessment, security compliance and security audits to the board;
  3. Conduct an internal security audit, or an annual security audit by an independent security auditor.
  • Data security standards

Implement recognised data security standards such as PCI-DSS and, for payment applications, PA-DSS (now superseded by the PCI Software Security Framework).

  • Security Incident Reporting

Report security incidents and cardholder data breaches to the RBI, and submit monthly cyber security incident reports with root cause analysis.

  • Merchant Onboarding

Undertake a security assessment of the merchant during merchant onboarding.

  • Cyber Security Audits and Reports

Carry out and submit the following to the IT committee: quarterly internal audit and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test reports; and the PCI-DSS Attestation of Compliance (AOC) and Report on Compliance (ROC) with observations.

  • IT Governance Framework

Frame an IT policy within a governance framework that includes an enterprise information model, a cyber crisis management plan, an IT steering committee, etc.

Various Compliances for Payment Gateway

The following compliances are applicable to Payment Gateways:

PCI-DSS Compliance

PCI-DSS compliance broadly requires the following:

  • Installing and maintaining firewalls to protect cardholder data;
  • Not using vendor-supplied defaults for passwords and other security parameters;
  • Protecting stored cardholder data (for example, truncating or encrypting the PAN and never storing the CVV after authorisation);
  • Encrypting cardholder data transmitted across open, public networks;
  • Using and keeping up to date anti-malware software;
  • Applying security patches in a timely manner;
  • Restricting access to cardholder data to those with a business need to know;
  • Assigning a unique ID to each person with access to system components;
  • Restricting physical access to cardholder data;
  • Creating and retaining access logs, and monitoring them;
  • Regularly scanning and testing systems for vulnerabilities;
  • Maintaining an information security policy covering access and the above controls.
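The "protecting stored cardholder data" and "access logs" requirements above are where gateways most often slip in practice: a full PAN or a CVV ends up in an application or access log. The following is an added example, not code from this page or from any regulator or standards body, of a log scrubber that finds Luhn-valid card numbers, truncates them to the first six and last four digits, and redacts CVV fields outright, since sensitive authentication data may not be retained at all after authorisation. The sample log lines, the field names (pan=, cvv=) and the regular expressions are constructed assumptions for illustration; tune them to your own log formats.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; adjust the separators to the log formats you actually see.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (CVV/CVC) must never be retained after authorisation,
# so it is redacted completely rather than truncated. Field names are assumed.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?)=\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits):
    """Mod-10 (Luhn) check that real card numbers pass; filters out ids that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Truncate to first six and last four: the most PCI-DSS lets you display without a business need."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Mask every Luhn-valid PAN and redact CVV fields in one log line. Returns (clean_line, hit_count)."""
    hits = 0

    def replace_pan(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)           # order ids, timestamps etc. that fail Luhn are left untouched
        hits += 1
        return mask_pan(digits)

    cleaned = PAN_CANDIDATE.sub(replace_pan, line)
    cleaned, sad_hits = SAD_FIELD.subn(lambda m: m.group(1) + "=[REDACTED]", cleaned)
    return cleaned, hits + sad_hits


def scan_log(lines):
    """Scrub each line; also return (line_number, hits) for lines that leaked cardholder data."""
    cleaned, findings = [], []
    for n, line in enumerate(lines, 1):
        clean, hits = scrub_line(line)
        cleaned.append(clean)
        if hits:
            findings.append((n, hits))
    return cleaned, findings


# Constructed sample log: line 1 carries a 16-digit order id that fails Luhn, line 2 a cleartext
# test PAN plus a CVV, line 3 a space-separated test PAN, line 4 a 12-digit RRN that is too short.
SAMPLE_LOG = [
    "2024-03-15T10:22:31Z INFO checkout merchant=m_1042 order=1234567890123456 amount=1999.00",
    "2024-03-15T10:22:32Z DEBUG auth request pan=4111111111111111 exp=12/27 cvv=123",
    '2024-03-15T10:22:33Z WARN retry card="5555 5555 5555 4444" reason=timeout',
    "2024-03-15T10:22:34Z INFO auth ok rrn=412345678901 merchant=m_1042",
]

if __name__ == "__main__":
    clean_lines, leaks = scan_log(SAMPLE_LOG)
    for n, hits in leaks:
        print(f"line {n}: {hits} cardholder data item(s) found and scrubbed")
    print("\n".join(clean_lines))
```

Run as a post-processing step on logs before they are shipped to a SIEM, and treat any non-zero finding as a defect in the producing service: the goal is that the log never contains the PAN in the first place, and the scrubber is the detective control that proves it.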

IT Related Compliances

As per the RBI guidelines, the indicative baseline technology recommendations for payment gateways, covering information security governance, security incident reporting, data security standards, merchant onboarding, cyber security audits and reports, the IT governance framework, risk assessment, cryptographic requirements, vendor risk management, etc., are the same as those for payment aggregators.

How does TAP GLOBAL Help?

TAP GLOBAL helps in the following manner:

  • Liaising with the regulatory authority;
  • Consultancy on Payment aggregator and payment gateway compliances;
  • Assistance in complying with reporting requirements;
  • Timely delivery of what we commit to.

Frequently Asked Questions

What is the difference between a payment aggregator and a payment gateway?

Payment aggregators enable e-commerce sites and merchants to accept different payment instruments from customers, so that merchants do not need to build their own separate payment integrations. Payment gateways, on the other hand, are entities that provide the technology infrastructure to facilitate the processing of online transactions.

What are the benefits of the payment aggregator model?

Payment aggregators can be cost-effective for micro-transactions, and payment gateways can reach small businesses more quickly by partnering with payment aggregators. The payment aggregator model offers a platform for online transaction processing with low or no start-up fees.

Is a grievance redressal mechanism mandatory for payment aggregators?

Yes. The RBI guidelines mandate that payment aggregators put in place a formal and publicly disclosed customer grievance redressal and dispute management mechanism.

What is PCI-DSS compliance?

Payment Card Industry Data Security Standard (PCI-DSS) compliance means meeting a set of requirements intended to ensure that companies that process, store or transmit credit card information maintain a secure environment.