On 17th March 2020, the RBI circulated new guidelines for the Regulation of Payment Aggregators and Payment Gateways, which mandate that these entities obtain authorization from the RBI and settle payments to merchants within fixed transaction timelines. Under the issued 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' (the "Guidelines"), the RBI has decided to (a) regulate, in their entirety, the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways. The guidelines are intended to help payment aggregators and payment gateways meet a common baseline of technology-related requirements.
From now on, Payment Aggregators and Payment Gateways will be regulated by the RBI to ensure the safety of all online transactions. The key aspects of the guidelines are as follows:
As a CERT-IN empanelled body, QRC offers an Information Security (IS) audit service that specifically addresses the RBI requirements for Information System (IS) audits. To ensure compliance with the RBI audit guidelines, our process incorporates the scoping guidelines issued by the Reserve Bank of India. Our approach to the RBI Payment Aggregator & Payment Gateway Audit is as follows:
We share a detailed questionnaire with your teams, along with other documentation requests, and collect evidence on the architecture, implementation and controls to understand the data flow in the aggregator environment.
After the scope has been defined as per the prescribed guideline and the initial engagement is complete, we conduct an initial audit to understand the organization's infrastructure and help identify every storage location that holds payment-related data. QRC personnel thoroughly evaluate all the necessary controls to determine whether the entity meets the baseline requirements stated in the guideline.
Based on the assessment and the identification of payment data, QRC provides remediation support for complying with the RBI directive on baseline technology requirements and security controls.
Report & Confirmation Letter
After assessment and remediation, we review your evidence for closure of the action points identified during the audit. On successful closure, we issue a confirmation letter stating that all assets defined in the scope meet the prescribed guidelines.
Undergoing the RBI Payment Aggregator & Payment Gateway Audit provides your organization with many benefits, as described below:
Strengthen security posture:
The activities performed by Payment Aggregators and Payment Gateways while processing online transactions are critical, and the audit helps in fixing all the vulnerabilities present.
Assessment as per improved security methods:
The earlier guidelines for Payment Aggregators and Payment Gateways were not sufficient; hence, to ensure customer security and privacy, the RBI has put forth these guidelines with improved security methods.
Improved RBI regulatory control:
The primary business of Payment Aggregators and Payment Gateways had not come within the regulatory ambit of the RBI. Therefore, these entities need to be treated separately while proper regulation is maintained.
Customers may not have full access to Payment Aggregators and Payment Gateways and must instead rely on merchants and banks. The guidelines also address this and provide a proper resolution mechanism.
Detailed Roles and Liabilities:
There is a need for proper delineation of roles and responsibilities among merchants and customers; under these guidelines, Payment Aggregators and Payment Gateways must handle customer data in a more secure way.
Revised Technology deployment:
Technology may vary between entities and architectures, and the updated technology requirements for Payment Aggregators and Payment Gateways assist customers and enhance their experience.