The Reserve Bank of India has introduced updated guidelines requiring Payment Aggregators to obtain authorisation, meet net worth norms, maintain escrow accounts, conduct merchant due diligence, and ensure robust IT security. Payment Gateways are encouraged to adopt security standards voluntarily.
The Reserve Bank of India (RBI) has issued comprehensive regulatory guidelines for Payment Aggregators (PAs) and baseline security standards for Payment Gateways (PGs) to strengthen safety, transparency, and resilience in India’s digital payments ecosystem.
Under the framework, non-bank PAs must secure authorisation from the RBI under the Payment and Settlement Systems Act, 2007. Eligible entities must be incorporated in India and maintain a minimum net worth of ₹15 crore at the time of application, rising to ₹25 crore by the end of the third financial year, and sustained thereafter.
Existing players can continue operating until their applications are processed, while banks providing PA services as part of regular operations are exempt from separate approval. To ensure accountability, PAs must be professionally managed, with promoters and directors meeting “fit and proper” criteria. Any acquisition or change in management requires notification to RBI within 15 days. Agreements between PAs, merchants, and acquiring banks must clearly outline roles on dispute resolution, refunds, and grievance redressal. Each PA must appoint a nodal officer for compliance and grievance handling.
Merchant due diligence is mandatory, including background checks to prevent fraud, counterfeit sales, or prohibited products. Merchants must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Customer funds must be routed through an escrow account with a scheduled commercial bank, and PA operations must be ring-fenced from other businesses to ensure transparency and timely settlements. Refunds are to be processed to the original payment method unless the customer opts otherwise. Importantly, neither PAs nor merchants are permitted to store customer card credentials. The guidelines stress robust risk management, IT security, and cyber resilience. PAs are required to conduct annual security audits via CERT-In empanelled auditors and report cyber incidents immediately to RBI and CERT-In.
As per the notification “Guidelines on Regulation of Payment Aggregators and Payment Gateways,” the RBI stated that Payment Aggregators (PAs), which manage customer funds, will be subject to direct regulation, while Payment Gateways (PGs), categorized as technology providers, are encouraged to voluntarily adopt the prescribed security recommendations.