VSCC Certificate (SBI)

VSCC Certificate (SBI) – Vendor Site Compliance Certificate

SBI formulated a compliance mandate for vendors to ensure appropriate security best practices and controls deployed on merchant websites that are integrated with their payment gateways. Any payment service provider or vendors that wants to integrate SBI payment service to their business gateway, needs to undergo Vendor security compliance, fulfilling all the withholding requirements. The Vendor Site Compliance Certificate (VSCC) can only be issued by CERT-In Empaneled Auditor. Though it is only required for private merchants, government clients and reputed educational institutes need to produce a self-certify Form C.

The key requirement/criteria/segment to be covered as per the Vendor Site Compliance Certificate (VSCC Form C) questionnaire are as follows:

  • SSL Certificate & Encryption
  • Application Security
  • Vulnerability Assessment & Penetration Testing
  • Firewall
  • Data Storage & Localization
  • Audit Trail & Logging
  • PCI DSS (if applicable)
  • Data Sharing & Privacy

The VSCC Form C must be filled, signed & certified by a CERT-IN empaneled auditor which can then be submitted to SBI as part of the merchant on-boarding process.

As a CERT-IN empaneled body, QRC provides the Vendor Site Compliance Certificate (VSCC) to any merchant/vendor that wants to integrate SBI payment services to their respective gateways/product.

To ensure compliance with the requirements of the Vendor Site Compliance, our audit process incorporates the scoping guidelines as per the SBI requirements. Our approach for VSCC Compliance is as follows:

Information Gathering & Documentation Review

We provide a detailed questionnaire, shared with your teams along with other documentation, and evidence is collected on the architecture, implementation and controls to understand data flow in the aggregator environment as per the VSCC form requirement

Audit Process

Post scope definition as per the requirements and initial engagement, we will conduct an initial audit for understanding the infra of the organization and help vendors in identifying all the gaps in their current compliance posture. QRC personnel will thoroughly evaluate all the necessary controls determining where the vendor stands in their compliance journey.


As per the assessment, and the identification of the gaps, QRC will provide necessary remediation support for complying with the Vendor Site Compliance requirements, this helps our clients to significantly close all the gaps in their technology and process to meet the stated requirements.

Report & Certificate

Post assessment and remediation, we will review your evidence on the closure of the Action phase as identified during the audit. On successful closure, we will share the Certificate stating that all assets defined as per the scope meet the prescribed guidelines under the SBI requirements of Vendor Site Compliance Certificate

QRC significantly reduces efforts for organization in complying with the Vendor Site Compliance by helping them with a well-documented approach saving ample business resources. This helps vendors in their audit preparedness under the professional expertise.

  • Proactive perform security review, system configuration, access control, strengthening data and application security measures
  • Establishing strong security governance and help improve their cybersecurity posture, showcasing their security competence
  • Improve customer trust and build cyber resilience.

Get Free Consultation