Payment Gateway License
Payment gateways have eased our lives by bringing flexibility to online shopping, bill payments, mobile or DTH recharges, and so on.
Once you have selected the products and services to be bought online, they need to be added to your cart, and then you can proceed to payment. At that point you are directed to the payment gateway of the website, and this payment gateway requires a license to function.
A payment gateway can be said to work as a bridge between the banks and the websites. It makes the communication of transactions possible: the gateway accepts the information from the payer's bank and passes it on to the receiving bank, recording the status of the transaction, i.e. either approved or declined.
The most crucial aspect of a payment gateway is the security of the funds being transacted. Security of funds is the biggest issue because critical information, such as debit or credit card numbers and internet banking IDs and passwords, needs to be safeguarded from any type of fraud. For this reason, card associations have formed rules and a set of laws governing security standards. These must be adhered to by anyone who gains access to card information, such as payment gateways. These standards and rules are known as the Payment Card Industry Data Security Standard (PCI-DSS or PCI).
What is a Payment Gateway?
An online payment gateway works as a tunnel that connects the bank account to the portal where you need to transfer the amount. A payment gateway is software that permits a person to conduct an online transaction via different payment modes. Some of the payment modes are net banking, credit card, debit card, UPI, and the various online wallets available these days.
A payment gateway works as a third party that securely transfers your money from the bank account to the payment portal of the merchant.
For example, when you make a payment while buying products from an online shopping portal like Amazon, a payment gateway assists in transferring the money to Amazon.
How Does a Payment Gateway Function?
The main purpose of the payment gateway is to secure the sensitive information that the user provides throughout the process. It ensures security by encrypting data such as the card and bank details given by the user.
The steps by which a payment gateway works are explained below:
- Step 1: A customer places his order in the portal and then presses the checkout button, or any other equivalent button, on the website.
- Step 2: In the next step, the website or the e-commerce platform directs the customer to a payment gateway where he or she can enter all the relevant information about the bank or the card used to pay. The payment gateway then takes the user directly to the page of the issuing bank or a 3D secure page asking to authorize the transaction.
- Step 3: After the payment gateway gets approval for the transaction, the bank then checks whether the customer has sufficient balance in their bank account to make the transaction successful.
- Step 4: The payment gateway also sends a message to the merchant at the same time. If the bank rejects the payment, then the merchant immediately conveys it to the customer informing them about the issue related to the card or the bank account. In case the bank accepts the payment, then the merchant seeks the transaction from the bank.
- Step 5: The bank then settles the money with the payment gateway, which then settles the money with the merchant. After completing this process, the customer gets a confirmation message of the order being placed.
Benefits of Using a Payment Gateway
A payment gateway is not only used for transferring money; it has certain other benefits as well. A payment gateway permits the merchant to provide the user with a better experience by providing other benefits such as:
PCI-DSS compliance gives users the security to store their personal data in the portal or gateway for the purpose of recurring payments. For example, if you are a regular customer on Flipkart, you can save your bank account details or card details on their site or app, and the gateway will protect them from any cybersecurity threat.
Some payment gateways permit you to make digital transactions via mobile wallet apps. This is the newest trend, as it enables the user to make all their transactions while sitting in one place. You can transfer money from the account to the mobile wallet app and then use it for making payments on other apps or websites.
Fraud Screening Tools
Some payment gateways offer fraud screening tools for reducing the risk of losing information. These tools consist of Card Code Value (CVV), Card Verification Value (CVV) or Address Verification Service (AVS). The primary purpose of these tools is to check that there is no fraudulent transaction.
The most noteworthy advantage of a payment gateway is that it permits transactions from many users at the same time. This makes it possible for a purchaser to purchase or sell goods and services whenever they want.
Process to Obtain a Payment Gateway License in India
The following steps must be followed to obtain a Payment Gateway License in India:
Step 1: As per Section 5(1) of the PSS Act, file an application in Form A. This application must be made to the Chief General Manager of Department of Payment and Settlement Systems at Central Office of the RBI at Mumbai, or any other office prescribed by RBI from time to time.
Step 2: The RBI has the discretionary power to authorize the payment gateway license according to Section 6 of the Act. The RBI may hold such inquiries as it considers necessary. The inquiries help in verifying the authenticity of the details submitted by the applicant and in checking the credentials of the participants involved.
Step 3: The RBI will check the following conditions before issuing the authorization of payment gateway:
- The need for the proposed payment system or the services proposed to be undertaken by it.
- The technical standards set for the payment system or the structure of the proposed payment system.
- The terms and conditions, including any security procedure, for the operation of the proposed payment system.
- The proposed way in which the transfer is done in the given payment system.
- The prescribed manner for getting instructions that affect the payment obligations under the payment system.
- The financial status and the integrity of the applicant.
- The prescribed terms and conditions governing the relationship of the customers with the payment providers.
- The credit and monetary policies.
- The time frame for authorization.
Step 4: If the RBI is satisfied that all the requirements laid down in Section 7(1) are met, it may issue to the applicant the Authorization Certificate in Form ‘B’ for commencing and carrying on a payment system. The authorization takes effect from the date mentioned by the RBI and according to the conditions specified by the RBI.
Step 5: According to Section 4 of the PSS Act, the RBI must process the application of authorization as soon as possible with a maximum time limit of six months from the date on which the application for authorization was made.
Capital Requirements for Obtaining Payment Gateway License in India
The following are the requirements for obtaining a Payment Gateway License in India:
- Only banks and Non-Bank Finance Companies that comply with the Capital Adequacy requirement provided by the Reserve Bank of India from time-to-time will be permitted to issue prepaid payment instruments.
- Foreign Exchange Prepaid Payment Instruments: Entities that are authorized under FEMA to issue foreign exchange prepaid payment instruments are exempted from the purview of these guidelines. The use of such payment instruments shall be limited to permissible current account transactions and subject to the prescribed limits under the Foreign Exchange Management (Current Account Transactions) Rules, 2000, as amended from time to time.
Documents Required for Obtaining a Payment Gateway License
The documents required to obtain a Payment Gateway License are as mentioned below:
- Certificate of incorporation of Company received from Registrar of Companies (ROC).
- PAN Card or Address proof of the Directors.
- DSC and DIN of the directors.
- Address proof of the place of business.
- Details of the Bank Account of the Company.
- Business plan of the Company for five years.
- Code testing report by a software agency.
Additional Services Offered by Payment Gateways
Payment gateways, apart from facilitating quick payments, also offer the following services:
- Delivery Address verification.
- Advanced Visual System checks.
- Computer Finger Printing Technology.
- Velocity Pattern Analysis.
- Identity morphing detection.
- Calculation of tax for authorization of request transmitted to the processor.
Important Components of Payment Gateway License
The essential components of a Payment Gateway License are enumerated below:
Merchant Agreement is the contract between the payment service provider and the businesses. The parties that are involved in the online transactions are guided by the responsibilities and the rules that have been mentioned in the agreement with regard to payment, authorization, settlement, and processing.
Secure Electronic Transaction (SET)
Secure Electronic Transactions are offered by the primary providers of electronic transactions, such as Visa and MasterCard. Customers are protected via SET as it allows merchants to verify the payment information without actually seeing it. The issuer directly receives the information provided on the card for the purpose of verification.
Laws that Govern the Payment Gateway in India
The Payment and Settlement System Act (PSS Act) was introduced for the purpose of regulation and supervision of payment systems in India by the RBI. The authority for the use and all the matters that fall under the purview of this Act.
Two regulations must be made under this Act by the RBI, namely:
- The Board for Regulation and Supervision of Payment and Settlements System Regulations, 2008 that generally deals with the constitution and composition of the Board for Regulation and Supervision of Payment and Settlement System (BPSS) and a committee of RBI’s Central Board of Directors.
- The Payment and Settlement Systems Regulations, 2008 that deals with matters such as application for authorization for commencing a payment system, instructions related to payments, granting the authorization, furnishing relevant documents, etc.
Who has the Authority to Grant Payment Gateway License in India?
- According to Section 4 of the PSS Act, no person other than the RBI can either operate or commence a payment system until it has received authorization from the RBI.
- The application for authorization to the RBI must be made under Section 5 of the PSS Act.
How to Register a Payment Gateway Business?
To get a payment gateway registration in India, it is essential first to register the payment gateway business. Many types of business can be registered in India, but we at Enterslice suggest that you form a 'Private Limited Company' to get a payment gateway license. Hence you must fulfil the following requirements for establishing a Private Limited Company.
- Minimum 2 Directors and 2 shareholders.
- Shareholders and Directors can be the same person.
- Director’s PAN Card.
- Address Proof of the Business.
The below-mentioned steps must be followed to form a Private Limited Company:
- Apply for DSC and DIN.
- Approval of name and other electronic forms.
- ROC will issue an incorporation certificate.
- Apply for PAN Card of Company that is required for opening a current bank account.
Types of Payment Gateway Providers After Receiving Payment Gateway License
There are two categories of payment gateway providers that allow a business to take payment from national and international customers in Indian National Rupees via credit or debit cards and net-banking methods. The types of payment gateways are:
Second Party Providers
This is an expensive option for small businesses and start-ups, and such providers will be expensive in the initial phase. The transaction discount rate (TDR) is lower for these providers, but the set-up cost is high.
Examples of this type of provider are CC Avenue, EBS and PayU, which charge a set-up fee and an annual fee. The TDR for this type of provider is around 2%-4%.
How Payment Gateways Keep Information Secure
A payment gateway assures the security of the information. Below is the list of things that a payment gateway does to keep your data safe:
- Firstly, the entire transaction is done through an HTTPS web address. HTTPS is distinct from HTTP in that the S stands for secure. The sale is made through this same tunnel.
- The system uses a signed request produced with a hash function. The signed request from the merchant validates the request for the transaction. The secret behind the signature is kept private, known only by the merchant and the payment gateway.
- To secure the payment page that results from the process, the IP address of the requesting server must be verified to detect any malicious activity.
- Virtual Payer Authentication (VPA) is something that acquirers, issuers, and payment gateways are backing to secure the process. VPA, implemented as per the 3-D Secure protocol, adds an additional layer of security and also helps online buyers and sellers with authentication.
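The signed-request and source-IP checks from the list above, as an added example that is not the page's or any gateway's own code. It assumes HMAC-SHA256 as the keyed hash; the field names, secret and address range are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values; a real deployment provisions these out of band.
SHARED_SECRET = b"constructed-demo-secret"  # known only to merchant and gateway
MERCHANT_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]  # documentation range


def canonical(params: dict) -> bytes:
    """Serialise fields in sorted order so both sides hash identical bytes."""
    # Length-prefix each value so a field boundary cannot be shifted unnoticed.
    parts = [f"{k}={len(str(params[k]))}:{params[k]}" for k in sorted(params)]
    return "&".join(parts).encode()


def sign_request(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """Merchant side: HMAC-SHA256 over the canonical request."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_request(params: dict, signature: str, source_ip: str,
                   secret: bytes = SHARED_SECRET) -> str:
    """Gateway side: return 'ok' or the reason the request is rejected."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in MERCHANT_NETWORKS):
        return "rejected: unknown source IP"
    expected = sign_request(params, secret)
    # compare_digest is constant-time, so response timing does not leak the MAC.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "rejected: bad signature"
    return "ok"


# Constructed order, signed by the merchant before redirecting to the gateway.
order = {"merchant_id": "M-1001", "order_id": "ORD-42",
         "amount": "499.00", "currency": "INR"}
sig = sign_request(order)

if __name__ == "__main__":
    print(verify_request(order, sig, "203.0.113.5"))                       # genuine
    print(verify_request(dict(order, amount="1.00"), sig, "203.0.113.5"))  # amount altered
    print(verify_request(order, sig, "198.51.100.7"))                      # wrong origin
```

A request whose amount is changed after signing fails verification because the gateway recomputes the MAC over the fields it actually received.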
IT Requirements that are Recommended for Obtaining Payment Gateway License
The requirements for businesses with regard to IT systems and security are explained below:
Information Security Governance
The businesses must carry out a detailed security risk assessment of their customers to identify risk exposures with remedial measures and residual risks.
Data Security Standards
Best practices related to data security standards such as PCI-DSS, PA-DSS, latest encryption standards etc. must be implemented.
Security Incident Reporting
The business shall report any cardholder breaches or security incidents to the RBI within the specified time.
The organizations shall undertake a complete security assessment during the merchant onboarding process to ensure that minimal baseline security controls are followed by the merchants.
Cyber Security Audit and Reports
The entities must carry out and submit to the IT Committee:
- quarterly internal and annual external audit reports;
- bi-annual Vulnerability Assessment or Penetration Test (VAPT) reports;
- PCI-DSS compliance report, including Attestation of Compliance (AOC) and Report of Compliance (ROC), with observations noted, if any, including corrective or preventive actions planned with action closure date;
- inventory of applications which store, process or transmit customer sensitive data;
- PA-DSS compliance status of payment applications which store or process cardholder data.
Competency of Staff
The resources must be trained for the IT function that needs to be understood and assessed appropriately.
Vendor Risk Management
The Service Level Agreements (SLAs) for support of technology including BCP-DR and the data management will categorically include clauses that permit regulatory access to these setups.
Maturity and Roadmap
The businesses must consider assessing their IT maturity level as per the international standards or design an action plan and then implement the plan for reaching the target maturity level.
The business must choose an encryption algorithm that is a well-established international standard and has been subjected to rigorous checks by an international community of cryptographers.
The businesses must take preventive measures to ensure that data is stored in infrastructure that does not belong to any external jurisdiction.
Data Security in Outsourcing
The outsourcing agreement must include a ‘right to audit’ clause authorizing the entities, or their appointed agencies and regulators, to conduct security audits. Alternatively, the third parties must submit annual independent security audit reports to the businesses.
Payment Application Security
Payment applications must be developed as per PA-DSS guidelines and must comply with them as required. The business will review the PCI-DSS compliance status as a part of the merchant onboarding process.