Payment Aggregator and Payment Gateway Compliances

Payment Aggregators and Payment Gateways play a significant role in effecting a payment transaction. However, for their smooth functioning, the entities engaged in providing payment aggregator and payment gateway services must comply with the various compliances set out by the regulatory authority. Connect..


Payment Aggregator and Payment Gateway Compliances - Brief Overview

Today, online payment modes are increasingly used across the country. Digital transactions have witnessed special preference due to the convenience they offer. Due to this, there has been a steady rise in facilitation by banks and the prepaid payment instrument (PPI) issuers for the use of electronic modes for payments to merchants. This process generally involves the role of intermediaries such as payment aggregators and payment gateway service providers.

What do you mean by Payment Gateway and Payment Aggregator?

The terms Payment Aggregator and Payment Gateway are used interchangeably by some; however, the two differ on the basis of their functions. A Payment Aggregator carries out merchant on-boarding and receives/collects funds from customers on behalf of the merchant in an escrow account. On the other hand, payment gateways are the entities that, through technology infrastructure, route and/or facilitate the processing of online payment transactions. Unlike payment aggregators, there isn’t any actual handling of funds by the payment gateway. The payment aggregator serves as a front-end service, whereas the payment gateway serves as the back-end technology support. These services are not mutually exclusive, as there are certain payment aggregators who offer both.

There are various payment aggregator and payment gateway compliances that must be followed by entities. These have been elaborately explained below.

Various Compliances for Payment Aggregators

The payment aggregators need to ensure strict compliance with the following as per the RBI guidelines:

Background check of merchants

Payment Aggregators need to undertake KYC / AML / CFT compliance as issued by the Reserve Bank of India, in accordance with the “Master Direction – Know Your Customer (KYC) Directions”, and comply with the provisions of the PMLA and Rules.

As per the RBI Guidelines, payment aggregators need to conduct background and antecedent checks of the merchants in order to ensure that merchants don’t have any illegal intention of duping customers, or of selling fake/counterfeit/prohibited products, etc. The Guidelines also place an obligation on payment aggregators to conduct checks on their merchants to verify whether appropriate terms and conditions have been uploaded on the merchant’s website.

The guidelines further provide that the payment aggregators must check Payment Card Industry-Data Security Standard (PCI-DSS) as well as Payment Application-Data Security Standard (PA-DSS) compliance of the on-boarded merchant’s infrastructure.

Grievance Redressal and Dispute Management

RBI guidelines mandate payment aggregators to put in place a formal and openly disclosed customer grievance redressal & dispute management mechanism.

A Payment Aggregator should appoint a nodal officer who will be required to handle customer complaints or grievances and the escalation matrix. Moreover, the dispute resolution mechanism would be binding on all the participants of the transactions.

Security and Risk Management Framework

The RBI guidelines mandate payment aggregators to put in place the following:

  • Adequate information and data security infrastructure to prevent and detect fraud;
  • Board approved security information policy;
  • Implementation of the information security policy for mitigation of risk;
  • A mechanism to monitor, handle and follow up cyber security incidents and breaches, and to report such incidents to DPSS, RBI Central Office Mumbai, as well as to CERT-In;
  • Compliance with data storage requirements as applicable to Payment System Operators;
  • Submission of system audit report including cyber security audit done by the CERT-In empanelled auditors. Such audits must be conducted within 2 months of the close of their financial year to the respective regional office, DPSS, RBI.

Reporting Requirements

The RBI guidelines mandate payment aggregators to submit various reports on an annual, quarterly and monthly basis.

Audited Annual Report on Net Worth certified by a CA by September 30

To be filed by 15th of the month after the quarter-end:

1. Auditors’ Certificate on Escrow Balance
2. Internally Audited Bankers’ Certificate on Escrow Account Debits and Credits
3. Auditors’ Certificate on Nodal Accounts, for Marketplaces

Customer Grievances Report

4. Cyber Security Audit Report

To be filed by 7th of the next month:

1. Statistics of Transactions Handled
2. Reports on Frauds Cyber Security Incident Reports, with root cause analysis and preventive action undertaken

One-Time Technical Audit; and whenever a major change is made to process flow

IS Audit Report and Cyber Security Audited Report with observations, corrective/preventive action planned and closure data, audited externally by May 31

Change in Board of Director, as and when happens

Unaudited and Self-Declared Net Worth Certificate as of September 30, by December 31

IT Related Compliances

The requirements for PA entities in respect of IT systems and security are as follows:

  • Information Security Governance

Carry out comprehensive security risk assessment of their people, business process environment etc.; report on risk assessment, security compliance, security audit reports to be presented to the board; internal security audit or annual security audit by an independent security auditor.

  • Data Security Standards

Implementation of best data security practices such as PCI-DSS, PA-DSS etc.

  • Security Incident Reporting

Reporting of security incidents/card holder data breach to the RBI. Submission of monthly cyber security incident reports with root cause analysis.

  • Merchant Onboarding

Undertake security assessment during the Merchant Onboarding.

  • Cyber Security Audits and Reports

Carry out and submit the following to the IT committee: quarterly internal audit and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test reports; PCI-DSS and Attestation of Compliance and ROC Compliance Report with Observations.

  • IT Governance Framework

Framing of IT policy with the framework containing enterprise information model, cyber crisis management plan, IT steering committee etc.

Various Compliances for Payment Gateway

The following compliances are applicable to Payment Gateways:

PCI-DSS Compliance

PCI-DSS Compliance includes the following:

  • Using and maintaining firewalls;
  • Password protection;
  • Cardholder data protection;
  • Encryption in data transmission;
  • Using and maintaining anti-virus;
  • Updating software timely;
  • Restricted data access;
  • Unique IDs for data access;
  • Restricted physical access of cardholder data;
  • Creating and maintaining access logs;
  • Scanning and testing for vulnerabilities;
  • Drafting of policies for access.

IT Related Compliances

As per RBI guidelines, the indicative baseline technology-related recommendations for payment gateways, such as Information Security Governance, Security Incident Reporting, Data Security Standards, Merchant Onboarding, Cyber Security Audit & Report, IT Governance framework, Risk Assessment, Cryptographic Requirements, Vendor Risk Management, etc., are similar to those for payment aggregators.

How does Enterslice Help?

Enterslice helps in the following manner:

  • Liaising with the regulatory authority;
  • Consultancy on Payment aggregator and payment gateway compliances;
  • Assistance in complying with reporting requirements;
  • Timely delivery of what we commit.

Frequently Asked Questions

Payment aggregators enable e-commerce sites and merchants to accept different payment instruments from customers to complete their payment obligations. Merchants don’t need to create their own separate payment integration system. On the other hand, Payment Gateways are entities providing technological infrastructure to facilitate the processing of online transactions.

Payment Aggregators can be cost-effective for Micro-transactions. Payment Gateways can access small businesses rapidly once they combine with Payment Aggregators. The Payment Aggregator model offers a platform for online transaction processing, with low or no start-up fees.

RBI guidelines mandate payment aggregators to put in place a formal and openly disclosed customer grievance redressal & dispute management mechanism.

Payment Card Industry Data Security Standard (PCI-DSS) compliance means meeting a set of requirements intended to ensure that companies that process, store or transmit credit card information maintain a secure environment.
