Payment Aggregator and Payment Gateway Compliances

Payment Aggregators and Payment Gateways play a significant role in effecting a payment transaction. However, for smooth functioning, entities providing payment aggregator and payment gateway services must meet the various compliance requirements set out by the regulatory authority. Connect with Enterslice today for the assistance listed below.

Package inclusions:
  • Payment aggregator and payment gateway compliances consultancy;
  • Complete assistance in meeting payment aggregator and payment gateway compliances;
  • Regular follow ups with the regulatory authority.

Payment Aggregator and Payment Gateway Compliances- Brief Overview

Today, online payment modes are increasingly used across the country. Digital transactions are especially preferred because of the convenience they offer. As a result, there has been a steady rise in facilitation by banks and prepaid payment instrument (PPI) issuers of electronic modes of payment to merchants. This process generally involves intermediaries such as payment aggregators and payment gateway service providers.

What do you mean by Payment Gateway and Payment Aggregator?

The terms Payment Aggregator and Payment Gateway are used interchangeably by some; however, the two differ in their functions. A Payment Aggregator carries out merchant on-boarding and receives/collects funds from customers on behalf of the merchant into an escrow account. Payment gateways, on the other hand, are entities that, through their technology infrastructure, route and/or facilitate the processing of online payment transactions. Unlike payment aggregators, payment gateways do not actually handle funds. The payment aggregator serves as the front-end service, whereas the payment gateway provides the back-end technology support. The two services are not mutually exclusive, as some payment aggregators offer both.

There are various payment aggregator and payment gateway compliances that must be followed by entities. These have been elaborately explained below.

Various Compliances for Payment Aggregators

The payment aggregators need to ensure strict compliance with the following as per the RBI guidelines:

Background check of merchants

Payment Aggregators need to undertake the KYC / AML / CFT compliance prescribed by the Reserve Bank of India, in accordance with the “Master Direction – Know Your Customer (KYC) Directions”, and comply with the provisions of the PMLA and the Rules made under it.

As per the RBI Guidelines, payment aggregators need to conduct background and antecedent checks on merchants to ensure that merchants have no illegal intention of duping customers or of selling fake/counterfeit/prohibited products, etc. The Guidelines also oblige payment aggregators to check whether their merchants have uploaded appropriate terms and conditions on the merchant’s website.

The guidelines further provide that payment aggregators must check the Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the on-boarded merchant’s infrastructure.

Grievance Redressal and Dispute Management

RBI guidelines mandate payment aggregators to put in place a formal and openly disclosed customer grievance redressal and dispute management mechanism.

A Payment Aggregator should appoint a nodal officer to handle customer complaints or grievances and the escalation matrix. Moreover, the dispute resolution mechanism is binding on all participants in the transaction.

Security and Risk Management Framework

The RBI guidelines mandate payment aggregators to put in place the following:

  • Adequate information and data security infrastructure to prevent and detect fraud;
  • A board-approved information security policy;
  • Implementation of the information security policy to mitigate risk;
  • A mechanism to monitor, handle and follow up on cyber security incidents and breaches; such incidents must be reported to DPSS, RBI Central Office, Mumbai, and also to CERT-In;
  • Compliance with the data storage requirements applicable to Payment System Operators;
  • Submission of a system audit report, including a cyber security audit conducted by CERT-In empanelled auditors, to the respective regional office of DPSS, RBI, within 2 months of the close of the financial year.

Reporting Requirements

The RBI guidelines mandate payment aggregators to submit various reports on an annual, quarterly, monthly and non-periodic basis.

Annual

  • Audited Annual Report on Net Worth, certified by a CA, by September 30;
  • IS Audit Report and Cyber Security Audit Report with observations, corrective/preventive action planned and closure data, audited externally, by May 31;
  • Unaudited and Self-Declared Net Worth Certificate as of September 30, by December 31.

Quarterly (to be filed by the 15th of the month after the quarter-end)

  1. Auditors’ Certificate on Escrow Balance;
  2. Internally Audited Bankers’ Certificate on Escrow Account Debits and Credits;
  3. Auditors’ Certificate on Nodal Accounts, for Marketplaces;
  4. Customer Grievances Report;
  5. Cyber Security Audit Report.

Monthly (to be filed by the 7th of the next month)

  1. Statistics of Transactions Handled;
  2. Reports on Frauds; Cyber Security Incident Reports, with root cause analysis and preventive action undertaken.

Non-Periodic

  • One-Time Technical Audit, and whenever a major change is made to the process flow;
  • Change in Board of Directors, as and when it happens.


IT Related Compliances

The requirements for PA entities in respect of IT systems and security are as follows:

  • Information security governance
    1. Carry out a comprehensive security risk assessment of their people, business process environment, etc.;
    2. Present reports on risk assessment, security compliance and security audits to the board;
    3. Conduct an internal security audit or an annual security audit by an independent security auditor.
  • Data security standards: implementation of best data security practices such as PCI-DSS, PA-DSS, etc.
  • Security incident reporting: reporting of security incidents / cardholder data breaches to the RBI, and submission of monthly cyber security incident reports with root cause analysis.
  • Merchant onboarding: undertake a security assessment during merchant onboarding.
  • Cyber security audits and reports: carry out and submit the following to the IT committee: quarterly internal audit and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test reports; PCI-DSS Attestation of Compliance and ROC Compliance Report with observations.
  • IT governance framework: framing of an IT policy whose framework contains an enterprise information model, a cyber crisis management plan, an IT steering committee, etc.

Various Compliances for Payment Gateway

The following compliances are applicable to Payment Gateways:

PCI-DSS Compliance

PCI-DSS Compliance includes the following:

  • Using and maintaining firewalls;
  • Password protection;
  • Cardholder data protection;
  • Encryption in data transmission;
  • Using and maintaining anti-virus;
  • Updating software timely;
  • Restricted data access;
  • Unique IDs for data access;
  • Restricted physical access of cardholder data;
  • Creating and maintaining access logs;
  • Scanning and testing for vulnerabilities;
  • Drafting of policies for access.

IT Related Compliances

As per RBI guidelines, the indicative baseline technology-related recommendations for payment gateways, such as Information Security Governance, Security Incident Reporting, Data Security Standards, Merchant Onboarding, Cyber Security Audit & Report, IT Governance Framework, Risk Assessment, Cryptographic Requirements, Vendor Risk Management, etc., are similar to those for payment aggregators.

How does Enterslice Help?

Enterslice helps in the following manner:

  • Liaising with the regulatory authority;
  • Consultancy on Payment aggregator and payment gateway compliances;
  • Assistance in complying with reporting requirements;
  • Timely delivery of what we commit.

Frequently Asked Questions

Payment aggregators enable e-commerce sites and merchants to accept different payment instruments from customers to settle their payment obligations, so merchants don’t need to build their own separate payment integration system. Payment Gateways, on the other hand, are entities providing the technological infrastructure to facilitate processing of online transactions.

Payment Aggregators can be cost-effective for Micro-transactions. Payment Gateways can access small businesses rapidly once they combine with Payment Aggregators. The Payment Aggregator model offers a platform for online transaction processing, with low or no start-up fees.

RBI guidelines mandate payment aggregators to put in place a formal and openly disclosed customer grievance redressal and dispute management mechanism.

Payment Card Industry Data Security Standard (PCI-DSS) compliance means meeting a set of requirements intended to ensure that companies that process, store or transmit credit card information maintain a secure environment.
