Helping Fintechs, Payment Aggregators, Payment Gateways, Banks & NBFCs achieve RBI compliance, cyber resilience, governance and audit readiness.
India's digital payments ecosystem is governed by RBI's comprehensive regulatory framework. Understanding PA vs PG distinctions is critical for compliance.
A Payment Aggregator (PA) is an entity that enables e-commerce sites and merchants to accept various payment instruments from customers without each merchant having to build its own payment integration. PAs collect payments, pool them, and transfer them to merchants after deducting service charges. RBI mandates that PAs be registered entities with a minimum net worth and comprehensive compliance obligations including KYC, AML, escrow account management, and CERT-IN security audits.
A Payment Gateway (PG) is a technology provider that routes payment transactions between merchants and acquiring banks/financial institutions. Unlike PAs, PGs do not handle funds — they only process transaction data. However, RBI's 2025 Master Direction brings PGs under a regulated framework requiring cyber security compliance, system audits, data localization, and adherence to the Baseline Technology-related Recommendations. PGs must demonstrate robust technical security and governance.
The fundamental distinction is fund handling: PAs hold and transfer customer funds (settlement function), while PGs only route transaction information (technology function). This means PAs face heavier regulatory scrutiny — net worth requirements, escrow accounts, merchant KYC — while PGs must focus on technology security controls, data protection, and system audit readiness. Both are now regulated by RBI under the 2025 Master Direction framework.
India's UPI-driven digital payment ecosystem processes billions of transactions daily. RBI regulates PAPG to protect consumer interests, prevent financial fraud, ensure systemic stability, enforce AML/KYC norms, safeguard escrow funds, and mandate cyber resilience. Non-compliance can result in license cancellation, financial penalties, and reputational damage. The 2020 Guidelines and 2025 Master Direction are the primary regulatory anchors for all payment entities operating in India.
A comprehensive timeline of RBI regulations, audit requirements, and compliance milestones governing India's payment ecosystem.
The landmark March 2020 circular established the foundational regulatory framework for Payment Aggregators and Payment Gateways in India. It defined PA/PG categories, mandated RBI authorization for PAs, set net worth requirements (₹15 crore by March 2021, ₹25 crore by March 2023), and introduced baseline security standards for both entity types. This was India's first comprehensive payment intermediary regulatory framework.
RBI mandated PCI-DSS (Payment Card Industry Data Security Standard) compliance for all PAs handling card payment data. PA-DSS applies to payment application vendors. These standards enforce encryption of cardholder data, network security controls, access management, vulnerability management, and regular penetration testing. Compliance requires annual assessments by Qualified Security Assessors (QSAs) and quarterly vulnerability scans.
RBI mandated rigorous Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements for PAs. Merchant onboarding requires comprehensive due diligence: business verification, promoter background checks, transaction monitoring, risk categorization, and periodic reviews. PAs must integrate with CERSAI (Central Registry) and Financial Intelligence Unit (FIU-IND) for AML reporting. Non-compliant merchant accounts must be suspended or terminated.
PAs must maintain escrow accounts with scheduled commercial banks for holding merchant settlement funds. RBI mandates same-day or T+1 settlement cycles, strict escrow reconciliation, and prohibition on using customer/merchant funds for PA operations. Unauthorized use of escrow funds constitutes a serious compliance breach. PAs must submit regular escrow statements and maintain 100% traceability of fund flows.
RBI requires all PAs and PGs to undergo periodic information security audits by CERT-IN empanelled auditors. The System Audit Report (SAR) covers: infrastructure security, application security, data protection, access controls, incident response, business continuity, and compliance with RBI cyber security guidelines. SAR findings must be reported to RBI within specified timelines with remediation plans for critical findings. Failure to complete SAR is a license risk.
The 2025 Master Direction (S-633) represents a significant regulatory evolution. It brings PGs explicitly under RBI's regulatory scope, updates net worth thresholds, strengthens data localization requirements, mandates enhanced governance reporting, introduces risk management framework requirements, updates SAR scope and coverage, and aligns India's payment ecosystem with global cybersecurity standards including NIST, ISO 27001, and SWIFT security frameworks. All existing licensees must demonstrate compliance by prescribed timelines.
A structured overview of all mandatory compliance domains that Payment Aggregators and Payment Gateways must satisfy under RBI regulations.
PAs must maintain minimum net worth of ₹25 crore (existing entities) or ₹15 crore (new applicants) at the time of application. Net worth must be maintained on an ongoing basis and reported annually through audited financial statements to RBI. Non-compliance triggers immediate regulatory action including license suspension.
Comprehensive merchant onboarding with risk-based KYC: business registration verification, promoter identity and background checks, GST/PAN validation, website/app content review, transaction monitoring, and periodic re-KYC reviews. High-risk merchants require enhanced due diligence. Merchant accounts must be blocked for KYC non-compliance or suspicious activity patterns.
Dedicated escrow accounts with scheduled commercial banks must segregate merchant settlement funds from PA's own funds. RBI-mandated T+1 settlement timelines, daily escrow reconciliation, detailed audit trails, prohibition on co-mingling funds, and regular reporting to RBI via DPSS (Department of Payment and Settlement Systems) are all mandatory compliance elements.
Implementation of RBI's comprehensive Cyber Security Framework (CSF) covering: governance structure, security operations center (SOC), incident response plan, data classification, network security (WAF, IDS/IPS, DLP), endpoint protection, patch management, encryption at rest and in transit, privileged access management, and security awareness programs for all staff.
Annual System Audit Report (SAR) by CERT-IN empanelled security auditors covering infrastructure and application security assessments, VAPT (Vulnerability Assessment and Penetration Testing), code review, data protection audit, access control review, incident response assessment, and BCP/DR testing. Critical findings require immediate remediation; SAR must be submitted to RBI within 45 days of audit completion.
Full PCI-DSS v4.0 compliance mandatory for all entities handling card payment data: cardholder data environment (CDE) scoping, 12 PCI-DSS requirement domains, quarterly ASV (Approved Scanning Vendor) scans, annual penetration testing, QSA (Qualified Security Assessor) assessments, and PA-DSS compliance for payment application software. Non-compliance can result in card brand fines and merchant loss.
Board-approved Risk Management Framework (RMF) covering operational risk, technology risk, credit risk, compliance risk, reputational risk, and systemic risk. Includes risk appetite statement, risk register, risk monitoring dashboards, board risk committee oversight, risk-based merchant categorization, transaction velocity limits, and real-time risk monitoring. RMF must align with ISO 31000 and RBI guidelines.
Robust governance structure including Board of Directors oversight, qualified compliance officer, CISO designation, audit committee, and risk management committee. Regular RBI reporting includes quarterly compliance reports, annual audited financials, SAR submission, incident reporting (within 6 hours for critical incidents), and ad-hoc reporting for significant events. All governance documents must be RBI-compliant.
Multi-layered fraud prevention covering: AI/ML-based real-time transaction monitoring, velocity checks, device fingerprinting, IP reputation analysis, 3D Secure authentication enforcement, chargeback management, negative merchant database management, Aadhaar-based verification integration, and mandatory reporting of fraudulent transactions to FIU-IND and cybercrime portals within regulatory timelines.
Comprehensive data security encompassing data localization (all payment data must reside in India), encryption standards (AES-256 at rest, TLS 1.3 in transit), data tokenization for card numbers, SIEM/SOAR implementation for 24/7 security monitoring, log management with 5-year retention, data access controls with least privilege, and regular data privacy impact assessments aligned with DPDP Act 2023.
End-to-end compliance consulting, audit coordination, and security advisory services designed specifically for India's payment ecosystem.
Assessment & Advisory: Comprehensive assessment of your current compliance posture against RBI PAPG Guidelines 2020 and Master Direction 2025. We identify gaps in policies, processes, technology controls, and documentation with a prioritized remediation roadmap.
Readiness & Consulting: End-to-end readiness consulting for entities applying for RBI PA authorization or preparing for regulatory inspections. Covers documentation, governance setup, security controls, and policy framework development aligned to RBI expectations.
Process Transformation: Systematic redesign of compliance processes to align with updated RBI Master Direction 2025 requirements. We re-architect your compliance architecture, update governance frameworks, and strengthen control environments for sustained regulatory alignment.
Audit Management: Full lifecycle management of your CERT-IN security audit — from auditor empanelment and scoping to evidence collection, audit facilitation, SAR review, remediation tracking, and RBI submission. We ensure a smooth, compliant audit process with minimal business disruption.
Security Testing: Comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for your payment infrastructure including web applications, APIs, mobile apps, network infrastructure, and cloud environments. VAPT reports aligned to CERT-IN and RBI SAR requirements.
PCI Compliance: Expert PCI-DSS v4.0 advisory and implementation support — CDE scoping, gap assessment, remediation guidance, QSA liaison, quarterly ASV scanning coordination, evidence preparation, and ongoing PCI DSS program management for sustained compliance.
Governance & Risk: Establishing robust compliance governance structures — Board compliance committees, Chief Compliance Officer role definition, compliance monitoring frameworks, governance dashboards, board reporting templates, and regulatory engagement strategies aligned with RBI expectations.
Architecture Review: Deep-dive review of your payment platform security architecture — network segmentation, DMZ design, API security, encryption architecture, key management, zero-trust implementation, cloud security configuration, and alignment with RBI CSF and NIST framework requirements.
Process & Control: Comprehensive review of escrow account management processes, settlement workflows, reconciliation controls, and fund flow traceability. We identify process gaps, recommend controls strengthening, and help design RBI-compliant escrow management SOPs and reporting templates.
Risk Management: Development and implementation of a Board-approved Risk Management Framework (RMF) covering technology risk, operational risk, compliance risk, and reputational risk — including risk appetite statements, risk registers, KRI dashboards, and risk committee reporting structures.
Documentation: Development of the complete PAPG compliance documentation suite — Information Security Policy, Merchant Onboarding Policy, KYC/AML Policy, Incident Response Plan, BCP/DR Plan, Data Retention Policy, Acceptable Use Policy, and all RBI-mandated compliance documents.
Training & Awareness: RBI-aligned security awareness training for Board members, senior management, compliance teams, technical staff, and customer-facing personnel. Covers PAPG regulatory obligations, cyber threat landscape, phishing simulation, social engineering prevention, and data handling responsibilities specific to payment entities.
Access the official RBI regulatory documents governing Payment Aggregators and Payment Gateways in India. Essential reading for all compliance officers and fintech professionals.
The foundational RBI circular (RBI/2019-20/264 DPSS.CO.PD.No.1810/02.14.008/2019-20) issued on 17 March 2020. Establishes the regulatory framework for PAs and PGs in India — defining categories, authorization requirements, capital obligations, merchant onboarding norms, and baseline security standards.
The comprehensive 2025 Master Direction (S-633) that updates and expands the PAPG regulatory framework. Brings PGs under RBI's direct regulatory scope, updates capital requirements, strengthens data localization and governance requirements, mandates enhanced security controls, and aligns with global payment security standards. All licensed entities must comply with updated provisions.
The official document defining the scope, coverage, methodology, and reporting requirements for System Audit Reports (SAR) for payment system entities. Covers CERT-IN empanelled auditor requirements, audit domains, evidence expectations, critical finding definitions, escalation timelines, and RBI reporting obligations. Essential reference for all PA/PG entities undergoing security audits.
Our PAPG compliance expertise serves a wide range of organizations across India's digital financial ecosystem.
Startups and scale-ups in digital lending, payments, and financial services
Scheduled commercial banks and co-operative banks with payment operations
Non-Banking Financial Companies with PA or payment processing operations
Marketplace and B2C e-commerce platforms with payment integration needs
Prepaid payment instrument (PPI) and digital wallet service operators
Licensed and applicant PAs requiring end-to-end compliance support
B2B SaaS companies embedded in payment workflows and fintech ecosystems
Insurance, wealth management, and diversified financial services companies
Large-format retail, QR-code merchants, and omnichannel digital commerce
With over 25 years of cybersecurity and compliance expertise, we are India's trusted PAPG compliance partner for fintechs, banks, and payment entities.
Deep domain expertise in financial sector cybersecurity, regulatory compliance, and audit management across banking, fintech, and payment entities.
Proprietary compliance methodology mapped directly to RBI PAPG Guidelines 2020 and 2025 Master Direction — ensuring nothing falls through the cracks.
We work with CERT-IN empanelled auditors and co-ordinate your SAR process from scoping to submission — reducing audit complexity and timeline.
Specialists in enterprise risk management, governance frameworks, board-level reporting, and compliance program design for regulated financial entities.
In-depth understanding of fintech architecture, API security, cloud-native payment systems, tokenization, and open banking security challenges unique to India's payment landscape.
Our proven 6-phase compliance methodology ensures a structured, thorough path to RBI PAPG compliance and sustained audit readiness.
Comprehensive current-state assessment of your organization's compliance posture across all RBI PAPG domains — policies, technology, processes, governance, and documentation.
Systematic identification and risk-prioritization of compliance gaps against RBI 2020 Guidelines and 2025 Master Direction. Generates a structured gap report with criticality ratings and remediation recommendations.
Deep-dive technical security review including VAPT, architecture assessment, code review, and security control evaluation. Validates your cyber security framework against RBI CSF requirements and CERT-IN SAR expectations.
Development of a time-bound, resource-allocated compliance implementation plan. Covers policy development, control implementation, governance setup, vendor engagement, and documentation creation with clear milestones and accountability.
Full preparation for CERT-IN SAR, PCI-DSS QSA assessment, and RBI inspection readiness. Includes pre-audit mock assessments, evidence collection and organization, auditor briefing, and response strategy for findings.
Ongoing compliance monitoring, regulatory update management, quarterly compliance health checks, board reporting support, incident response guidance, and year-round advisory to maintain continuous RBI compliance posture.
Talk to Open Security Alliance experts for compliance readiness, security assessments and RBI audit support. We're India's trusted PAPG compliance and fintech cybersecurity partner.