RBI PA & PG Audit

RBI Payment Aggregators & Gateway Audit

On 17 March 2020, RBI issued a new guideline for the regulation of Payment Aggregators (PAs) and Payment Gateways (PGs) that requires these entities to obtain authorization from RBI and to settle payments to merchants within prescribed timelines. Under the 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' (the "Guidelines"), RBI decided to (a) regulate, in their entirety, the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways. The Guidelines are intended to give payment aggregators a mandatory baseline of technology and security controls, and to recommend the same baseline to payment gateways.

Payment Aggregators and Payment Gateways are now regulated by RBI to ensure the safety of online transactions. The key aspects of the Guidelines are as follows:

  • Payment Aggregators must meet baseline technology requirements, which include implementing data security standards, undergoing cybersecurity audits, reporting security incidents, and framing IT policies.
  • Payment Aggregators must have clear policies for merchant on-boarding, privacy, customer grievance redressal, etc., and must comply with the provisions of the Prevention of Money Laundering Act, 2002.
  • E-commerce organizations that also carry on a Payment Aggregator business must obtain RBI authorization and must separate the PA activity into a distinct entity.
  • A non-bank Payment Aggregator must be a company incorporated in India under the Companies Act, with the PA activity forming part of its Memorandum of Association.
  • Any takeover or acquisition of control of a non-bank Payment Aggregator, or any change in its management, must be communicated to the Chief General Manager of RBI within 15 days of the change.
  • RBI also prescribes the formats to be used with the application for authorization, including the net-worth certificate, the directors' undertaking, the auditor's certificate on the balance maintained in the escrow account, and a monthly reporting format for the transactions handled by the Payment Aggregator.
  • Non-bank Payment Aggregators must have a minimum net worth of Rs 15 crore at the time of application, increasing to Rs 25 crore by the end of the third financial year after the grant of authorization.

As a CERT-In empanelled auditor, QRC offers an Information Systems (IS) audit service that specifically addresses the RBI requirements for IS audits. To ensure compliance with the RBI audit guidelines, our process incorporates the scoping guidance issued by the Reserve Bank of India. Our approach to the RBI Payment Aggregators & Payment Gateway Audit is as follows:

We share a detailed questionnaire with your teams and collect supporting documentation and evidence on the architecture, implementation and controls, in order to understand the flow of payment data through the aggregator environment.

Audit Process

After the scope has been defined as per the prescribed guideline and the initial engagement is complete, we conduct an initial audit to understand the organization's infrastructure and help you identify every storage location that holds payment-related data. QRC personnel then thoroughly evaluate the required controls to determine whether the entity meets the baseline requirements stated in the guideline.

Based on the assessment and the identified payment data locations, QRC provides remediation support to bring the environment into compliance with the RBI directive on baseline technology requirements and security controls.

Report & Confirmation Letter

After assessment and remediation, we review your evidence of closure for the action items identified during the audit. On successful closure, we issue a confirmation letter stating that all assets within the defined scope meet the prescribed guidelines.

Undergoing the RBI Payment Aggregators & Payment Gateway Audit provides your organization with several benefits, described below:

Strengthen security posture:

Payment Aggregators and Payment Gateways sit in the critical path of every online transaction they process; the audit identifies the vulnerabilities present in that path so they can be fixed.

Assessment as per improved security methods:

The earlier guidelines for Payment Aggregators and Payment Gateways were not sufficient; to ensure customer security and privacy, RBI has put forth these Guidelines with improved security requirements.

Improved RBI regulatory control:

Previously, the primary business of Payment Aggregators and Payment Gateways did not fall within RBI's regulatory ambit. The Guidelines bring these entities under regulation and require the PA activity to be separated from other business activities.

Customer Transparency:

Customers usually have no direct visibility into the Payment Aggregator or Payment Gateway behind a transaction and have to rely on the merchant and their bank. The Guidelines address this by requiring PAs to maintain a customer grievance redressal mechanism, giving customers a defined route to resolution.

Detailed Roles and Liabilities:

Roles and responsibilities need to be clearly delineated among the Payment Aggregator, the merchants and the customers. The Guidelines do this, and require Payment Aggregators and Payment Gateways to handle customer data in a more secure way.

Revised Technology deployment:

Technology and architecture vary from entity to entity. The updated technology baseline for Payment Aggregators and Payment Gateways protects customers and enhances their experience.
