Payment Aggregator and Payment Gateway Compliances - Brief Overview

Today online payment modes are increasingly used across the country. Digital transactions have witnessed special preference due to the convenience they offer. Due to this, there has been a steady rise in facilitation by banks and the prepaid payment instrument (PPI) issuers for the use of electronic modes for payments to merchants. This process generally involves the role of intermediaries such as payment aggregators and payment gateway service providers.

What do you mean by Payment Gateway and Payment Aggregator?

The terms Payment Aggregator and Payment Gateway are used interchangeably by some; however, the two differ on the basis of their functions. A Payment Aggregator carries out merchant on-boarding and receives/collects funds from customers on behalf of the merchant in an escrow account. Payment gateways, on the other hand, are entities that, through technology infrastructure, route and/or facilitate the processing of online payment transactions. Unlike payment aggregators, there isn’t any actual handling of funds by the payment gateway.

The payment aggregator serves as a front-end service, whereas the payment gateway serves as the back-end technology support. These services are not mutually exclusive, as there are certain payment aggregators who offer both.

There are various payment aggregator and payment gateway compliances that must be followed by entities. These are explained below.

Various Compliances for Payment Aggregators

The payment aggregators need to ensure strict compliance with the following as per the RBI guidelines:

Background check of merchants

Payment Aggregators need to undertake KYC / AML / CFT compliance as issued by the Reserve Bank of India, in accordance with the “Master Direction – Know Your Customer (KYC) Directions”, and comply with the provisions of PMLA and Rules.
As per the RBI Guidelines, payment aggregators need to conduct background and antecedent checks of the merchants in order to ensure that merchants don’t have any illegal intention of duping customers, or of selling fake/counterfeit/prohibited products, etc. The Guidelines also place an obligation on payment aggregators to conduct checks on their merchants to verify whether appropriate terms and conditions have been uploaded on the merchant’s website. The guidelines further provide that the payment aggregators must check Payment Card Industry-Data Security Standard (PCI-DSS) as well as Payment Application-Data Security Standard (PA-DSS) compliance of the on-boarded merchant’s infrastructure.

Grievance Redressal and Dispute Management

RBI guidelines mandate payment aggregators to put in place a formal and openly disclosed customer grievance redressal and dispute management mechanism. A Payment Aggregator should appoint a nodal officer who will be required to handle customer complaints or grievances and the escalation matrix. Moreover, the dispute resolution mechanism would be binding on all the participants of the transactions.

Security and Risk Management Framework

The RBI guidelines mandate payment aggregators to put in place the following:

- Adequate information and data security infrastructure to prevent and detect fraud;
- Board approved security information policy;
- Implementation of the information security policy for mitigation of risk;
- A mechanism to monitor, handle and follow up cyber security incidents and breaches, and to report such incidents to DPSS, RBI Central Office Mumbai; such incidents shall also be reported to CERT-In;
- Compliance with data storage requirements as applicable to Payment System Operators;
- Submission, to the respective regional office, DPSS, RBI, of a system audit report, including a cyber security audit, done by CERT-In empanelled auditors. Such audits must be conducted within 2 months of the close of their financial year.
Reporting Requirements

The RBI guidelines mandate payment aggregators to submit various reports on an annual, quarterly and monthly basis.

Annual

- Audited Annual Report on Net Worth certified by a CA, by September 30
- IS Audit Report and Cyber Security Audited Report with observations, corrective/preventive action planned and closure data, audited externally, by May 31
- Unaudited and Self-Declared Net Worth Certificate as of September 30, by December 31

Quarterly (to be filed by 15th of the month after the quarter-end)

- Auditors’ Certificate on Escrow Balance
- Internally Audited Bankers’ Certificate on Escrow Account Debits and Credits
- Auditors’ Certificate on Nodal Accounts, for Marketplaces
- Customer Grievances Report
- Cyber Security Audit Report

Monthly (to be filed by 7th of the next month)

- Statistics of Transactions Handled
- Reports on Frauds
- Cyber Security Incident Reports, with root cause analysis and preventive action undertaken

Non-Periodic

- One-Time Technical Audit; and whenever a major change is made to process flow
- Change in Board of Directors, as and when it happens

IT Related Compliances

The requirements for PA entities in respect of IT systems and security are as follows:

Information security governance

- Carry out a comprehensive security risk assessment of their people, business process environment, etc.
- Reports on risk assessment, security compliance and security audits to be presented to the board;
- Internal security audit or annual security audit by an independent security auditor.

Data security standards

Implementation of best data security practices such as PCI-DSS, PA-DSS, etc.

Security Incident Reporting

Reporting of security incidents/card holder data breaches to the RBI. Submission of monthly cyber security incident reports with root cause analysis.

Merchant Onboarding

Undertake a security assessment during merchant onboarding.
Cyber Security Audits and Reports

Carry out and submit the following to the IT committee: quarterly internal audit and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test reports; PCI-DSS and Attestation of Compliance and ROC Compliance Report with Observations.

IT Governance Framework

Framing of an IT policy, with the framework containing an enterprise information model, cyber crisis management plan, IT steering committee, etc.

Various Compliances for Payment Gateway

The following compliances are applicable to Payment Gateways:

PCI-DSS Compliance

PCI-DSS Compliance includes the following:

- Using and maintaining firewalls;
- Password protection;
- Cardholder data protection;
- Encryption in data transmission;
- Using and maintaining anti-virus;
- Updating software timely;
- Restricted data access;
- Unique IDs for data access;
- Restricted physical access of cardholder data;
- Creating and maintaining access logs;
- Scanning and testing for vulnerabilities;
- Drafting of policies for access.

IT Related Compliances

As per RBI guidelines, the indicative baseline technology-related recommendations for payment gateways, such as Information Security Governance, Security Incident Reporting, Data Security Standards, Merchant Onboarding, Cyber Security Audit & Report, IT Governance Framework, Risk Assessment, Cryptographic Requirements, Vendor Risk Management, etc., are similar to those for payment aggregators.

How does Enterslice Help?

Enterslice helps in the following manner:

- Liaising with the regulatory authority;
- Consultancy on payment aggregator and payment gateway compliances;
- Assistance in complying with reporting requirements;
- Timely delivery of what we commit.