We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / RBI PA-PG Guidelines
Reserve Bank of India · India

RBI Payment Aggregators & Payment Gateways (PA-PG)

Authorisation and security requirements for payment aggregators and payment gateways.

Introduction: The RBI PA-PG Guidelines and Why They Matter

The Reserve Bank of India (RBI) Guidelines on Regulation of Payment Aggregators and Payment Gateways, first issued on 17 March 2020 (circular DPSS.CO.PD.No.1810/02.14.008/2019-20) and progressively amended through subsequent circulars, fundamentally reshaped how online payment intermediaries are supervised in India. For the first time, entities that had operated in a lightly regulated grey zone, holding merchant funds, routing card and account credentials, and settling proceeds, were brought squarely under the direct authorisation and prudential oversight of the RBI under the Payment and Settlement Systems Act, 2007 (PSS Act).

The guidelines draw a clear regulatory line between two roles that historically overlapped. Payment Aggregators (PAs) are entities that onboard merchants, receive payment instructions from customers on behalf of those merchants, pool the collected funds into an escrow account, and settle net proceeds to merchants after a defined period. Because PAs handle and control the flow of money, they require RBI authorisation and must maintain minimum net worth thresholds. Payment Gateways (PGs), by contrast, provide the technology to route and facilitate a transaction between the merchant, the acquirer and the payment networks, but do not handle settlement funds; they are treated as technology providers or outsourcing partners and are subject to the baseline security guidelines rather than the authorisation and net-worth regime.

This distinction is central to every compliance exercise. An entity that touches settlement money is a PA and carries the full regulatory burden, including escrow discipline, governance, merchant due diligence, data storage restrictions and periodic reporting to the RBI. An entity that only routes technical messages is a PG and must chiefly satisfy the baseline technology and security recommendations. The 2021 and later amendments extended the framework to Payment Aggregators for Cross-Border transactions (PA-CB, via the October 2023 circular) and, through the RBI's tokenisation and Card-on-File (CoF) mandates, tightened the rules around card data storage. This guide provides an auditor-grade, end-to-end interpretation of the PA-PG framework as it applies to entities operating in India, structured so that a compliance team, an internal audit function or an external assessor can plan, execute and evidence a full readiness assessment.

Regulatory Source and Copyright Note
The RBI PA-PG Guidelines and associated circulars are official regulatory instruments issued by the Reserve Bank of India and are freely available on rbi.org.in. This CyberSigma Knowledge Center guide is an original interpretive and advisory work. It paraphrases regulatory obligations for practitioner use and does not reproduce the verbatim text of any RBI circular. Always read this guide alongside the current, authoritative RBI circulars and any subsequent Master Directions, FAQs or clarifications, as the framework is periodically updated. Where a specific numeric threshold or date is decision-critical, verify it against the latest RBI notification.

What Are the RBI PA-PG Guidelines

The RBI PA-PG Guidelines are a principles-plus-prescriptions regulatory framework that governs the authorisation, capital adequacy, governance, conduct, data security and settlement discipline of online payment intermediaries. They are not a voluntary standard like ISO 27001; they are binding regulatory requirements enforced by the RBI, and non-compliance can result in refusal or revocation of authorisation, monetary penalties, directions to wind down operations, and reputational consequences for the entity's directors and promoters.

The framework operates across several intertwined dimensions. First, it establishes an authorisation regime: existing non-bank PAs had to apply for authorisation, and new PAs must obtain a Certificate of Authorisation before commencing operations. Bank PAs do not require separate authorisation as the activity is treated as part of normal banking business, but they must comply with the operative instructions. Second, it imposes prudential requirements, most notably a minimum net worth of INR 15 crore at the time of application, rising to INR 25 crore by the end of the third financial year and to be maintained thereafter. Third, it prescribes governance and fit-and-proper standards for promoters and directors. Fourth, it mandates escrow-based fund management with strict timelines for merchant settlement. Fifth, it sets out merchant onboarding, KYC and due-diligence obligations. Sixth, it imposes baseline technology and security requirements covering the entire card and payment data lifecycle, including the prohibition on PAs and merchants storing customer card credentials (CoF data) beyond the limited exceptions permitted, and the promotion of tokenisation.

Crucially, the security recommendations of the guidelines are risk-proportionate and reference established baselines. They expect PAs and PGs to align with recognised security standards such as PCI DSS, to conduct regular vulnerability assessment and penetration testing (VAPT), to obtain periodic system audits from CERT-In empanelled auditors, and to implement fraud prevention, incident response and business continuity controls. This is why a PA-PG readiness engagement frequently runs alongside a PCI DSS assessment and a CERT-In system audit; the three exercises share substantial control overlap.

Who Must Comply

Applicability turns on the role an entity plays in the payment flow and whether it handles settlement funds. The following table summarises the principal categories of entities and the extent of their obligations under the framework.

Entity typeRegulatory treatmentKey obligations
Non-bank Payment Aggregator (domestic)Requires RBI authorisation under the PSS ActFull framework: authorisation, net worth, governance, escrow, merchant KYC, data storage restrictions, security audit, reporting
Bank Payment AggregatorNo separate authorisation; activity treated as part of banking businessMust follow escrow-equivalent settlement discipline, merchant due diligence, and baseline security instructions
Payment Gateway (technology-only)Treated as technology provider / outsourcing partner; not authorised as PABaseline technology and security guidelines; no escrow or net-worth requirement, but bound via contract with the PA
Payment Aggregator - Cross Border (PA-CB)Requires specific RBI approval under the October 2023 PA-CB circularImport/Export/both categories, net worth, AD Category-I bank account, IEC, merchant and transaction limits
E-commerce marketplace acting as intermediaryMay be deemed a PA if it collects and settles funds for third-party sellersMust either obtain PA authorisation or route settlements through an authorised PA
Merchant accepting online paymentsNot a PA, but bound by PA-imposed obligationsProhibited from storing CoF/card data; must accept tokenisation; subject to PA onboarding checks
  • Any non-bank entity that onboards merchants and pools customer funds before settling them is a Payment Aggregator and must be authorised.
  • Pure technology routers that never touch settlement money are Payment Gateways and follow the baseline security guidelines only.
  • Cross-border collection and settlement (import/export payments) falls under the separate PA-CB approval track with its own thresholds.
  • Marketplaces that centralise collection for multiple independent sellers are frequently caught by the PA definition and cannot rely on a technology-provider exemption.
  • Banks providing aggregation do not need a fresh authorisation but are not exempt from the conduct and security expectations.

Structure of the RBI PA-PG Guidelines

For assessment purposes it is helpful to decompose the framework into logical domains. The RBI circulars do not present a formal numbered control catalogue in the way ISO 27001 Annex A or the PCI DSS requirements do; instead the obligations are distributed across the body of the guidelines and their annex on baseline technology-related recommendations. The table below organises those obligations into assessable domains and control families that an auditor can systematically test.

DomainControl familyIllustrative scope
D1. Authorisation & Legal StatusCertificate of Authorisation, incorporation, activity scopeValid CoA, company incorporated in India, permitted activities only
D2. Prudential & Net WorthMinimum net worth, net worth certification, maintenanceINR 15 cr at application, INR 25 cr by third FY, CA-certified
D3. Governance & Fit-and-ProperBoard, promoters, directors, policiesFit-and-proper declarations, KYC of promoters, board-approved policies
D4. Escrow & SettlementEscrow account, settlement timelines, fund flowsSingle escrow with scheduled bank, T+1/T+n settlement, no co-mingling
D5. Merchant Onboarding & Due DiligenceMerchant KYC, background check, risk categorisationMCC assignment, merchant BC/KYC, prohibited-merchant screening
D6. Customer Grievance & DisputeNodal officer, grievance policy, dispute redressalPublic grievance policy, escalation matrix, chargeback handling
D7. Data Storage & Card-on-FileCoF prohibition, tokenisation, data localisationNo storage of card credentials, tokenisation, RBI data-localisation
D8. Baseline Information SecuritySecurity governance, network, application, cryptographyIS policy, PCI DSS alignment, secure SDLC, encryption in transit/at rest
D9. Access Control & IdentityAuthentication, authorisation, privileged accessMFA, least privilege, PIM/PAM, session management
D10. Cyber & Fraud Risk ManagementFraud monitoring, transaction risk, velocity checksReal-time fraud detection, risk scoring, transaction limits
D11. Vulnerability & Audit AssuranceVAPT, system audit, CERT-In empanelled auditPeriodic VAPT, annual system audit, closure of findings
D12. Incident Response & BCPIR plan, breach reporting, business continuity, DRIR/CERT-In reporting within timelines, tested BCP/DR
D13. Outsourcing & Third-Party RiskVendor governance, PG/technology partner controlsOutsourcing policy, right-to-audit, PG contractual security clauses
D14. Reporting & Regulatory CompliancePeriodic returns, cyber-incident reporting, statutory auditReturns to RBI, incident reporting, compliance certifications

Master Assessment Checklist

This is the core of the guide. Each control family from the structure above is expanded into a set of verification points and the typical evidence an assessor should collect. Work through every group; do not skip a domain merely because it appears less relevant to a particular business model, as the RBI expects demonstrable coverage across the whole framework. Evidence should be current, dated, version-controlled and, where relevant, independently certified.

D1. Authorisation & Legal Status

What to verifyTypical evidence
Entity holds a valid RBI Certificate of Authorisation (or in-principle approval) for PA activity, or is a bank exempt from separate authorisationCopy of CoA / in-principle letter, RBI correspondence, entry in RBI list of authorised PAs
Entity is a company incorporated in India under the Companies ActCertificate of Incorporation, MoA/AoA, latest MCA master data
Business activities are confined to the permitted scope of the authorisationBusiness activity register, product catalogue mapped to CoA scope
Any change in management, control or activity has been reported to and approved by the RBI where requiredRBI approval letters for change-in-control, board resolutions

D2. Prudential & Net Worth

What to verifyTypical evidence
Net worth of at least INR 15 crore was demonstrated at the time of applicationCA-certified net worth certificate at application, audited financials
Net worth of INR 25 crore is achieved by the end of the third financial year and maintained thereafterLatest CA-certified net worth certificate, audited balance sheet
Net worth is computed correctly (paid-up capital plus free reserves, less specified deductions)Net worth computation working, auditor's basis of certification
The entity has a plan/capital to remain above threshold under stressCapital plan, board minutes on capital adequacy

D3. Governance & Fit-and-Proper

What to verifyTypical evidence
Promoters and directors satisfy fit-and-proper criteria and have submitted declarationsFit-and-proper declarations, director KYC, criminal/defaulter checks
Board has approved the key policies (information security, customer grievance, merchant onboarding, KYC/AML)Board-approved policy documents with approval dates and version control
A senior official is designated as compliance/nodal officer for the PA functionAppointment letter, org chart, published nodal officer contact
Governance structure includes risk and audit oversight for payment operationsCommittee charters, minutes of risk/audit committee meetings

D4. Escrow & Settlement

What to verifyTypical evidence
A single escrow account is maintained with a scheduled commercial bank exclusively for PA settlement fundsEscrow agreement, bank confirmation, account statements
Only permitted credits and debits flow through the escrow (no co-mingling with the entity's own funds)Escrow debit/credit matrix, reconciliation reports
Merchant settlements occur within the mandated timelines (e.g., Tp+1 for pre-funded, Ts+1 where applicable)Settlement logs, SLA definitions, settlement-timing MIS
Amounts held in escrow reconcile to merchant payables and outstanding transactions dailyDaily reconciliation statements, escrow balance vs payable report
Core portion of escrow is not used as working capital or for lendingFund-usage policy, treasury controls, audit confirmation

D5. Merchant Onboarding & Due Diligence

What to verifyTypical evidence
Merchants undergo KYC and background checks proportionate to risk before onboardingMerchant KYC records, background check reports, onboarding checklist
Merchant Category Codes (MCC) are correctly assigned and monitoredMCC assignment records, MCC monitoring reports
Prohibited, high-risk and restricted merchants are screened outProhibited-merchant list, screening tool output, sanctions checks
A merchant risk categorisation and ongoing monitoring process existsMerchant risk-scoring model, periodic review logs
Merchant agreements bind merchants to security, data and conduct obligationsExecuted merchant agreements with security/data clauses

D6. Customer Grievance & Dispute Resolution

What to verifyTypical evidence
A board-approved customer grievance redressal policy is published and accessiblePublished grievance policy, website disclosure, version history
A nodal/grievance officer is named with contact details on the websiteNodal officer details on website, appointment record
Grievances and disputes are logged, tracked and resolved within defined timelinesGrievance register, TAT MIS, ageing report
Chargeback and dispute handling processes align with network and RBI expectationsChargeback SOP, dispute logs, refund reconciliation
Escalation to the RBI Ombudsman/Integrated Ombudsman Scheme is disclosed to customersOmbudsman escalation disclosure on website and communications

D7. Data Storage & Card-on-File (CoF)

What to verifyTypical evidence
The PA and its merchants do not store full card credentials (CoF data) except the last four digits and card issuer name as permittedData-storage scan results, database schema review, DLP output
Tokenisation (CoFT) is used for recurring and stored-credential use casesTokenisation architecture, token vault evidence, network token records
Card and payment data is stored only within India (RBI data-localisation)Data-localisation attestation, hosting location evidence, architecture diagram
Purging of previously stored card data has been completed and evidencedPurge logs, deletion certificates, pre/post data scans
Sensitive authentication data (CVV/CVV2, full track, PIN) is never stored post-authorisationStorage scans, PCI DSS Requirement 3 evidence

D8. Baseline Information Security

What to verifyTypical evidence
A board-approved information security policy aligned to a recognised standard (e.g., PCI DSS, ISO 27001) is in forceIS policy document, standard-mapping matrix, board approval
The cardholder data environment is scoped, segmented and PCI DSS compliantPCI DSS AOC/ROC, network segmentation diagram, scope document
Secure SDLC practices govern application development and changeSDLC policy, code review records, change tickets, SAST/DAST reports
Data is encrypted in transit (TLS) and at rest using strong cryptographyTLS configuration, certificate inventory, encryption/key-management evidence
Security configuration hardening and patch management are applied to all systemsHardening baselines, patch compliance reports, configuration scans

D9. Access Control & Identity

What to verifyTypical evidence
Multi-factor authentication protects administrative and remote accessMFA configuration, enrolment reports, VPN/admin access policy
Access is granted on least-privilege and need-to-know principlesRBAC matrix, access-request approvals, access certifications
Privileged accounts are managed via a PAM/PIM solution with session monitoringPAM logs, privileged-session recordings, break-glass procedure
Joiner-mover-leaver process revokes access promptly on role change or exitJML records, deprovisioning logs, periodic access reviews
Session management, timeouts and password/passphrase policies are enforcedSession/timeout config, password policy, IdP settings

D10. Cyber & Fraud Risk Management

What to verifyTypical evidence
Real-time fraud monitoring and transaction risk scoring are operationalFraud engine configuration, rule sets, alert MIS
Velocity checks, transaction limits and anomaly detection are enforcedLimit configuration, velocity rules, anomaly reports
Suspicious transactions are investigated and reported per AML/CFT obligationsSTR/SAR records, investigation logs, FIU reporting where applicable
Fraud losses and trends are tracked and reported to managementFraud loss MIS, trend dashboards, management review minutes
Additional Factor of Authentication (AFA) is enforced where mandatedAFA/2FA configuration for card-not-present transactions

D11. Vulnerability & Audit Assurance

What to verifyTypical evidence
Periodic VAPT is performed on internet-facing and internal systemsVAPT reports, scope, retest evidence
An annual system audit is conducted by a CERT-In empanelled auditorCERT-In audit report, empanelment confirmation of auditor
Findings are risk-rated, tracked to closure and re-testedFindings tracker, closure evidence, remediation SLAs
Application security testing (SAST/DAST) is embedded in release cyclesSAST/DAST reports, pipeline integration evidence
A PCI DSS assessment (SAQ/ROC/AOC) is current and covers the CDEValid AOC/ROC, ASV scan reports

D12. Incident Response & Business Continuity

What to verifyTypical evidence
A documented, tested incident response plan exists with defined rolesIR plan, playbooks, tabletop/exercise reports
Cyber incidents are reported to CERT-In within the mandated timeline and to the RBI as requiredCERT-In reporting records, RBI incident notifications
A business continuity and disaster recovery plan is documented and testedBCP/DR plan, DR drill reports, RTO/RPO definitions
Backups are taken, secured and restore-tested periodicallyBackup schedule, restore-test logs, offsite/immutable backup evidence
Post-incident reviews drive corrective and preventive actionsPIR reports, CAPA tracker

D13. Outsourcing & Third-Party Risk

What to verifyTypical evidence
An outsourcing policy governs material technology and payment vendorsOutsourcing policy, vendor register with materiality ratings
Payment Gateway and other technology partners are contractually bound to security obligationsPG contracts with security/data/right-to-audit clauses
Vendor due diligence and periodic reassessment are performedVendor risk assessments, due-diligence questionnaires, reassessment logs
Right-to-audit and RBI access to vendor records is preserved contractuallyContract clauses granting audit and regulator access
Concentration and exit risk for critical vendors is managedBusiness continuity/exit plans for critical outsourcing

D14. Reporting & Regulatory Compliance

What to verifyTypical evidence
Periodic returns and data are submitted to the RBI accurately and on timeReturn submission records, acknowledgements, MIS
Statutory and compliance certifications are maintained and currentNet worth certificates, system audit reports, compliance certificate to RBI
Material changes (control, product, security posture) are notified to the RBIChange notification correspondence, board approvals
A compliance calendar tracks all regulatory obligations and due datesCompliance calendar, obligation register, status dashboard
Records are retained for the mandated retention periodsRetention policy, record inventory, retention evidence

Scoping the Assessment

Correct scoping determines both the cost and the credibility of a PA-PG assessment. The scope must encompass every system, process, third party and data flow involved in receiving payment instructions, authorising transactions, holding funds in escrow, and settling merchants. A common and costly error is to scope only the cardholder data environment (as one might for a narrow PCI DSS engagement) while omitting the escrow reconciliation systems, merchant onboarding platforms, grievance systems and reporting pipelines that the RBI framework equally cares about.

  • People: employees and contractors involved in payment operations, merchant onboarding, fraud, treasury/escrow, security and compliance.
  • Processes: transaction authorisation and routing, settlement and escrow reconciliation, merchant KYC, grievance handling, incident response and regulatory reporting.
  • Technology: the CDE, payment switch/gateway, token vault, merchant portal, escrow reconciliation systems, fraud engine, logging and monitoring stack.
  • Data: card and payment credentials, tokens, merchant KYC data, transaction records, settlement data and personal data subject to data-localisation.
  • Third parties: payment gateways, acquiring banks, escrow bank, cloud/hosting providers, KYC vendors and any outsourced operations centre.
  • Locations: data centres and cloud regions (must be within India for card/payment data), disaster recovery sites and any offshore support access paths.

Where a Payment Gateway (technology-only) is being assessed rather than a full PA, the scope narrows to the baseline security domains (D7 through D13) and the contractual controls that flow down from the authorised PA, but the assessor should confirm through data-flow analysis that the PG genuinely never touches settlement funds, otherwise it is a de facto PA.

Implementation Approach

A structured, phased programme moves an entity from an initial gap position to authorisation-readiness and sustained compliance. Each phase below lists indicative activities and the deliverables an assessor or programme manager should expect to see produced.

Phase 1: Discovery and Gap Assessment

  • Activities: map the entity against the PA vs PG definitions, inventory systems and data flows, and perform a control-by-control gap assessment across all fourteen domains.
  • Activities: assess net worth position, escrow arrangement and current security posture (including any existing PCI DSS status).
  • Deliverables: current-state data-flow diagrams, PA/PG classification memo, gap-assessment report with prioritised findings, indicative remediation budget.

Phase 2: Governance and Policy Foundation

  • Activities: draft and obtain board approval for the required policies (information security, KYC/AML, merchant onboarding, grievance redressal, outsourcing, incident response).
  • Activities: establish the escrow arrangement with a scheduled bank and define settlement timelines; appoint the nodal/compliance officer.
  • Deliverables: board-approved policy suite, escrow agreement, governance and committee structure, fit-and-proper declarations.

Phase 3: Technical and Security Remediation

  • Activities: remediate the CDE to PCI DSS, purge stored card data, implement tokenisation, enforce data-localisation, and close VAPT findings.
  • Activities: deploy MFA, PAM, fraud monitoring, logging/SIEM and encryption/key-management controls.
  • Deliverables: PCI DSS AOC/ROC, tokenisation implementation evidence, data-purge certificates, VAPT retest reports, hardened configuration baselines.

Phase 4: Operationalisation and Assurance

  • Activities: run the merchant onboarding, grievance, fraud and reconciliation processes in production and generate operating evidence; conduct a CERT-In empanelled system audit.
  • Activities: perform BCP/DR drills, incident-response tabletop exercises and internal audit of the framework.
  • Deliverables: CERT-In system audit report, DR drill and IR exercise reports, operating MIS, internal audit report.

Phase 5: Authorisation, Reporting and Continuous Compliance

  • Activities: compile and submit the authorisation application (or maintain authorisation), establish the compliance calendar, and file periodic RBI returns.
  • Activities: institute ongoing monitoring, annual re-audit and management review cycles.
  • Deliverables: RBI application/renewal pack, compliance calendar, periodic returns, annual assurance reports and management review minutes.

Maturity and Capability Model

Although the RBI framework is a pass/fail regulatory regime, a maturity model is invaluable for internal programme management, board reporting and prioritisation. The following five-level model can be applied to each of the fourteen domains to produce a heat-map of readiness.

LevelNameCharacteristics
1Initial / Ad hocNo formal PA/PG classification; controls informal or absent; significant regulatory exposure
2DevelopingKey policies drafted; escrow and PCI gaps identified; remediation planned but not complete
3DefinedPolicies board-approved; escrow live; PCI DSS achieved; core security controls operating
4ManagedControls measured with MIS/KPIs; CERT-In audit passed; findings closed within SLA; reporting timely
5OptimisedContinuous monitoring, automation, threat-informed fraud controls; proactive regulator engagement; sustained compliance

Assessment and Audit Approach

An auditor-grade engagement should follow a disciplined, evidence-led methodology so that conclusions are defensible before the RBI, the board and external auditors.

  1. Confirm classification: through data-flow analysis, determine whether the entity is a PA, a PG, a PA-CB or a hybrid, as this drives the applicable control set.
  2. Define and freeze scope: agree the systems, processes, data flows, locations and third parties in scope, and document exclusions with justification.
  3. Plan the assessment: build a control matrix mapping each of the fourteen domains to test procedures and required evidence.
  4. Collect documentation: obtain policies, agreements, certificates, prior audit reports and MIS ahead of fieldwork.
  5. Conduct interviews and walkthroughs: validate that documented processes reflect operating reality for escrow, onboarding, fraud, grievance and incident handling.
  6. Perform technical testing: review PCI DSS status, VAPT results, data-storage scans, tokenisation, access controls and encryption.
  7. Test settlement and escrow: reconcile escrow balances to merchant payables and verify settlement timeliness on a sample basis.
  8. Evaluate third parties: assess PG and other vendor contracts, due diligence and right-to-audit provisions.
  9. Rate and report findings: assign severity, map to domains, and produce a gap report with prioritised, time-bound remediation.
  10. Validate remediation: retest closed findings and issue a final assurance statement or readiness opinion, with a schedule for periodic re-assessment.

Evidence Request List

The following categorised list is the evidence an assessor should request. Providing this upfront materially accelerates fieldwork and reduces back-and-forth.

  • Authorisation and legal: Certificate of Authorisation or in-principle approval, Certificate of Incorporation, MoA/AoA, RBI correspondence.
  • Prudential: CA-certified net worth certificates (application and latest), audited financial statements, net worth computation working.
  • Governance: board-approved policies, committee charters and minutes, fit-and-proper declarations, nodal officer appointment.
  • Escrow and settlement: escrow agreement, bank confirmations, daily reconciliation statements, settlement-timing MIS.
  • Merchant: merchant onboarding checklist, sample KYC files, MCC assignment records, prohibited-merchant screening evidence, merchant agreements.
  • Grievance: published grievance policy, grievance register, TAT and ageing MIS, chargeback SOP.
  • Data and card security: data-storage scan results, tokenisation architecture and vault evidence, data-purge certificates, data-localisation attestation.
  • Information security: IS policy, PCI DSS ROC/AOC and ASV scans, network diagrams, hardening baselines, patch reports.
  • Access and identity: RBAC matrix, MFA and PAM configuration, access-review and JML records.
  • Fraud and cyber risk: fraud engine rules, alert and loss MIS, AFA configuration, AML/STR records.
  • Assurance: VAPT reports and retests, CERT-In empanelled system audit report, SAST/DAST reports.
  • Resilience: IR plan and exercise reports, BCP/DR plan and drill reports, backup and restore-test logs.
  • Third party: outsourcing policy, vendor register, PG contracts, vendor risk assessments.
  • Reporting: RBI return submissions and acknowledgements, compliance calendar, incident-reporting records, retention policy.

Roles and Responsibilities

Clear accountability across the RACI dimensions is essential; the RBI expects named ownership for each obligation, not diffuse responsibility.

RolePrimary responsibilities
Board of DirectorsApprove policies, oversee risk appetite, ensure fit-and-proper compliance and capital adequacy
Managing Director / CEOOverall accountability for authorisation, compliance posture and regulatory relationship
Chief Compliance / Nodal OfficerOwn regulatory obligations, returns, grievance oversight and RBI liaison
Chief Information Security OfficerOwn IS policy, PCI DSS, VAPT, incident response and security control operation
Head of Payments / OperationsOwn escrow, settlement, reconciliation and merchant onboarding processes
Chief Risk OfficerOwn fraud, transaction risk, third-party risk and risk reporting
Chief Financial OfficerOwn net worth maintenance, escrow financial controls and statutory audit
Internal AuditIndependently assure the framework and validate remediation
Data Protection / Privacy LeadOwn data-localisation, retention and personal-data handling obligations

KPIs to Track

  • Net worth headroom above the applicable INR 15/25 crore threshold, reported quarterly.
  • Percentage of merchant settlements completed within the mandated timeline (Tp+1/Ts+1).
  • Daily escrow reconciliation break count and time-to-resolution.
  • Merchant onboarding KYC completion rate and pending-KYC ageing.
  • Grievance resolution turnaround time and percentage resolved within SLA.
  • Fraud rate (basis points of transaction value) and net fraud loss trend.
  • Percentage of card data purged and share of transactions using tokenised credentials.
  • VAPT and system-audit findings: count, severity mix and mean-time-to-remediate.
  • PCI DSS control compliance percentage and days to AOC/ROC renewal.
  • Cyber-incident reporting timeliness against CERT-In/RBI deadlines.
  • Third-party/vendor reassessments completed on schedule.
  • Regulatory returns filed on time as a percentage of total due.

Readiness Checklist

  • Entity correctly classified as PA, PG or PA-CB with data-flow evidence.
  • Valid RBI Certificate of Authorisation held or application prepared.
  • Net worth of at least the applicable threshold demonstrated and CA-certified.
  • Single dedicated escrow account established with a scheduled commercial bank.
  • Merchant settlements consistently within mandated timelines.
  • Board-approved policy suite in force with version control.
  • Merchant KYC, MCC assignment and prohibited-merchant screening operating.
  • Grievance policy published with named nodal officer and Ombudsman disclosure.
  • No card credentials stored beyond permitted fields; tokenisation live.
  • Card and payment data localised within India with attestation.
  • Current PCI DSS AOC/ROC covering the cardholder data environment.
  • MFA, least privilege and PAM enforced for privileged access.
  • Real-time fraud monitoring and AFA operating.
  • Periodic VAPT and a CERT-In empanelled system audit completed with findings closed.
  • Tested incident response, BCP and DR plans with CERT-In/RBI reporting readiness.
  • Outsourcing and PG contracts carry security, data-localisation and right-to-audit clauses.
  • Compliance calendar in place and periodic RBI returns filed on time.

Common Gaps

  • Mis-classification: operating as a de facto PA (touching settlement funds) while claiming to be a technology-only PG to avoid authorisation.
  • Escrow discipline failures: co-mingling merchant funds with own funds, or breaching settlement timelines.
  • Residual card data: incomplete purge of previously stored CoF/card data despite the storage prohibition.
  • Weak tokenisation adoption: recurring and stored-credential flows still relying on raw PAN.
  • Data-localisation gaps: card or payment data processed or stored, even transiently, outside India via cloud regions or offshore support.
  • Stale assurance: PCI DSS AOC or CERT-In system audit lapsed, or findings left open beyond SLA.
  • Thin merchant due diligence: superficial KYC and no ongoing risk monitoring or MCC governance.
  • Governance gaps: policies not board-approved, no named nodal officer, or missing fit-and-proper declarations.
  • Vendor blind spots: PG and cloud contracts lacking right-to-audit, security and RBI-access clauses.
  • Reporting lapses: late or inaccurate RBI returns and missed cyber-incident reporting deadlines.
  • Fraud control gaps: absent velocity checks, AFA not enforced for card-not-present, or unmonitored fraud losses.

RBI PA-PG Guidelines Mapped to Other Frameworks

Because much of the PA-PG security expectation is expressed by reference to established baselines, an entity can reuse control evidence across multiple frameworks. The mapping below highlights the principal correspondences an assessor can leverage.

RBI PA-PG domainPCI DSSISO/IEC 27001CERT-In / NIST CSF
Data Storage & CoF (D7)Req 3 - Protect stored account dataA.5.34 / A.8.11 data masking & protectionProtect - Data Security (PR.DS)
Baseline Information Security (D8)Req 1,2,4,6 - Network, config, crypto, secure SDLCA.8 Technological controlsProtect (PR.IP/PR.PT)
Access Control & Identity (D9)Req 7,8 - Access control & authenticationA.5.15-A.5.18, A.8.2-A.8.5Protect - Identity Mgmt & Access (PR.AC)
Cyber & Fraud Risk (D10)Req 5,11 - Malware, testing; fraud via AFAA.5.7 threat intel, A.8.16 monitoringDetect (DE.AE/DE.CM)
Vulnerability & Audit (D11)Req 6,11 - Vuln mgmt & testingA.8.8 technical vulnerability mgmtIdentify/Detect (ID.RA, DE.CM)
Incident Response & BCP (D12)Req 12.10 - Incident responseA.5.24-A.5.30 incident & continuityRespond & Recover (RS/RC)
Outsourcing & Third Party (D13)Req 12.8 - Service provider managementA.5.19-A.5.23 supplier relationshipsIdentify - Supply Chain (ID.SC)
Governance & Compliance (D3/D14)Req 12 - Security policy & governanceA.5.1-A.5.6 organisational controlsGovern (GV) / Identify (ID.GV)
How CyberSigma Helps
CyberSigma is a CERT-In empanelled cybersecurity and compliance partner with deep specialisation in India's payments regulatory landscape. We support Payment Aggregators, Payment Gateways and cross-border PA-CB applicants across the full lifecycle: PA/PG classification and data-flow analysis, RBI authorisation readiness, gap assessment across all fourteen domains, PCI DSS QSA services, tokenisation and CoF-purge validation, data-localisation assurance, VAPT, CERT-In empanelled system audits, and the design of escrow, merchant onboarding, grievance and reporting controls. Our integrated approach lets you reuse a single body of evidence across RBI PA-PG, PCI DSS, ISO 27001 and CERT-In obligations, cutting duplication and accelerating time to authorisation. Engage CyberSigma to move from uncertainty to a defensible, audit-ready and continuously compliant payments operation.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Who can perform the payment aggregator System Audit?
The System Audit Report must be carried out by a CERT-In empanelled auditor. CyberSigma is CERT-In empanelled and PCI QSA authorised.
Do payment aggregators need PCI DSS?
Yes — handling card data brings PCI DSS into scope, and the PA-PG guidelines expect a PCI DSS-compliant posture alongside the RBI requirements.

Need help with RBI PA-PG Guidelines?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.