Introduction: The RBI PA-PG Guidelines and Why They Matter
The Reserve Bank of India (RBI) Guidelines on Regulation of Payment Aggregators and Payment Gateways, first issued on 17 March 2020 (circular DPSS.CO.PD.No.1810/02.14.008/2019-20) and progressively amended through subsequent circulars, fundamentally reshaped how online payment intermediaries are supervised in India. For the first time, entities that had operated in a lightly regulated grey zone, holding merchant funds, routing card and account credentials, and settling proceeds, were brought squarely under the direct authorisation and prudential oversight of the RBI under the Payment and Settlement Systems Act, 2007 (PSS Act).
The guidelines draw a clear regulatory line between two roles that historically overlapped. Payment Aggregators (PAs) are entities that onboard merchants, receive payment instructions from customers on behalf of those merchants, pool the collected funds into an escrow account, and settle net proceeds to merchants after a defined period. Because PAs handle and control the flow of money, they require RBI authorisation and must maintain minimum net worth thresholds. Payment Gateways (PGs), by contrast, provide the technology to route and facilitate a transaction between the merchant, the acquirer and the payment networks, but do not handle settlement funds; they are treated as technology providers or outsourcing partners and are subject to the baseline security guidelines rather than the authorisation and net-worth regime.
This distinction is central to every compliance exercise. An entity that touches settlement money is a PA and carries the full regulatory burden, including escrow discipline, governance, merchant due diligence, data storage restrictions and periodic reporting to the RBI. An entity that only routes technical messages is a PG and must chiefly satisfy the baseline technology and security recommendations. The 2021 and later amendments extended the framework to Payment Aggregators for Cross-Border transactions (PA-CB, via the October 2023 circular) and, through the RBI's tokenisation and Card-on-File (CoF) mandates, tightened the rules around card data storage. This guide provides an auditor-grade, end-to-end interpretation of the PA-PG framework as it applies to entities operating in India, structured so that a compliance team, an internal audit function or an external assessor can plan, execute and evidence a full readiness assessment.
Regulatory Source and Copyright Note
The RBI PA-PG Guidelines and associated circulars are official regulatory instruments issued by the Reserve Bank of India and are freely available on rbi.org.in. This CyberSigma Knowledge Center guide is an original interpretive and advisory work. It paraphrases regulatory obligations for practitioner use and does not reproduce the verbatim text of any RBI circular. Always read this guide alongside the current, authoritative RBI circulars and any subsequent Master Directions, FAQs or clarifications, as the framework is periodically updated. Where a specific numeric threshold or date is decision-critical, verify it against the latest RBI notification.
What Are the RBI PA-PG Guidelines
The RBI PA-PG Guidelines are a principles-plus-prescriptions regulatory framework that governs the authorisation, capital adequacy, governance, conduct, data security and settlement discipline of online payment intermediaries. They are not a voluntary standard like ISO 27001; they are binding regulatory requirements enforced by the RBI, and non-compliance can result in refusal or revocation of authorisation, monetary penalties, directions to wind down operations, and reputational consequences for the entity's directors and promoters.
The framework operates across several intertwined dimensions. First, it establishes an authorisation regime: existing non-bank PAs had to apply for authorisation, and new PAs must obtain a Certificate of Authorisation before commencing operations. Bank PAs do not require separate authorisation as the activity is treated as part of normal banking business, but they must comply with the operative instructions. Second, it imposes prudential requirements, most notably a minimum net worth of INR 15 crore at the time of application, rising to INR 25 crore by the end of the third financial year and to be maintained thereafter. Third, it prescribes governance and fit-and-proper standards for promoters and directors. Fourth, it mandates escrow-based fund management with strict timelines for merchant settlement. Fifth, it sets out merchant onboarding, KYC and due-diligence obligations. Sixth, it imposes baseline technology and security requirements covering the entire card and payment data lifecycle, including the prohibition on PAs and merchants storing customer card credentials (CoF data) beyond the limited exceptions permitted, and the promotion of tokenisation.
Crucially, the security recommendations of the guidelines are risk-proportionate and reference established baselines. They expect PAs and PGs to align with recognised security standards such as PCI DSS, to conduct regular vulnerability assessment and penetration testing (VAPT), to obtain periodic system audits from CERT-In empanelled auditors, and to implement fraud prevention, incident response and business continuity controls. This is why a PA-PG readiness engagement frequently runs alongside a PCI DSS assessment and a CERT-In system audit; the three exercises share substantial control overlap.
Who Must Comply
Applicability turns on the role an entity plays in the payment flow and whether it handles settlement funds. The following table summarises the principal categories of entities and the extent of their obligations under the framework.
| Entity type | Regulatory treatment | Key obligations |
|---|
| Non-bank Payment Aggregator (domestic) | Requires RBI authorisation under the PSS Act | Full framework: authorisation, net worth, governance, escrow, merchant KYC, data storage restrictions, security audit, reporting |
| Bank Payment Aggregator | No separate authorisation; activity treated as part of banking business | Must follow escrow-equivalent settlement discipline, merchant due diligence, and baseline security instructions |
| Payment Gateway (technology-only) | Treated as technology provider / outsourcing partner; not authorised as PA | Baseline technology and security guidelines; no escrow or net-worth requirement, but bound via contract with the PA |
| Payment Aggregator - Cross Border (PA-CB) | Requires specific RBI approval under the October 2023 PA-CB circular | Import/Export/both categories, net worth, AD Category-I bank account, IEC, merchant and transaction limits |
| E-commerce marketplace acting as intermediary | May be deemed a PA if it collects and settles funds for third-party sellers | Must either obtain PA authorisation or route settlements through an authorised PA |
| Merchant accepting online payments | Not a PA, but bound by PA-imposed obligations | Prohibited from storing CoF/card data; must accept tokenisation; subject to PA onboarding checks |
- Any non-bank entity that onboards merchants and pools customer funds before settling them is a Payment Aggregator and must be authorised.
- Pure technology routers that never touch settlement money are Payment Gateways and follow the baseline security guidelines only.
- Cross-border collection and settlement (import/export payments) falls under the separate PA-CB approval track with its own thresholds.
- Marketplaces that centralise collection for multiple independent sellers are frequently caught by the PA definition and cannot rely on a technology-provider exemption.
- Banks providing aggregation do not need a fresh authorisation but are not exempt from the conduct and security expectations.
Structure of the RBI PA-PG Guidelines
For assessment purposes it is helpful to decompose the framework into logical domains. The RBI circulars do not present a formal numbered control catalogue in the way ISO 27001 Annex A or the PCI DSS requirements do; instead the obligations are distributed across the body of the guidelines and their annex on baseline technology-related recommendations. The table below organises those obligations into assessable domains and control families that an auditor can systematically test.
| Domain | Control family | Illustrative scope |
|---|
| D1. Authorisation & Legal Status | Certificate of Authorisation, incorporation, activity scope | Valid CoA, company incorporated in India, permitted activities only |
| D2. Prudential & Net Worth | Minimum net worth, net worth certification, maintenance | INR 15 cr at application, INR 25 cr by third FY, CA-certified |
| D3. Governance & Fit-and-Proper | Board, promoters, directors, policies | Fit-and-proper declarations, KYC of promoters, board-approved policies |
| D4. Escrow & Settlement | Escrow account, settlement timelines, fund flows | Single escrow with scheduled bank, T+1/T+n settlement, no co-mingling |
| D5. Merchant Onboarding & Due Diligence | Merchant KYC, background check, risk categorisation | MCC assignment, merchant BC/KYC, prohibited-merchant screening |
| D6. Customer Grievance & Dispute | Nodal officer, grievance policy, dispute redressal | Public grievance policy, escalation matrix, chargeback handling |
| D7. Data Storage & Card-on-File | CoF prohibition, tokenisation, data localisation | No storage of card credentials, tokenisation, RBI data-localisation |
| D8. Baseline Information Security | Security governance, network, application, cryptography | IS policy, PCI DSS alignment, secure SDLC, encryption in transit/at rest |
| D9. Access Control & Identity | Authentication, authorisation, privileged access | MFA, least privilege, PIM/PAM, session management |
| D10. Cyber & Fraud Risk Management | Fraud monitoring, transaction risk, velocity checks | Real-time fraud detection, risk scoring, transaction limits |
| D11. Vulnerability & Audit Assurance | VAPT, system audit, CERT-In empanelled audit | Periodic VAPT, annual system audit, closure of findings |
| D12. Incident Response & BCP | IR plan, breach reporting, business continuity, DR | IR/CERT-In reporting within timelines, tested BCP/DR |
| D13. Outsourcing & Third-Party Risk | Vendor governance, PG/technology partner controls | Outsourcing policy, right-to-audit, PG contractual security clauses |
| D14. Reporting & Regulatory Compliance | Periodic returns, cyber-incident reporting, statutory audit | Returns to RBI, incident reporting, compliance certifications |
Master Assessment Checklist
This is the core of the guide. Each control family from the structure above is expanded into a set of verification points and the typical evidence an assessor should collect. Work through every group; do not skip a domain merely because it appears less relevant to a particular business model, as the RBI expects demonstrable coverage across the whole framework. Evidence should be current, dated, version-controlled and, where relevant, independently certified.
D1. Authorisation & Legal Status
| What to verify | Typical evidence |
|---|
| Entity holds a valid RBI Certificate of Authorisation (or in-principle approval) for PA activity, or is a bank exempt from separate authorisation | Copy of CoA / in-principle letter, RBI correspondence, entry in RBI list of authorised PAs |
| Entity is a company incorporated in India under the Companies Act | Certificate of Incorporation, MoA/AoA, latest MCA master data |
| Business activities are confined to the permitted scope of the authorisation | Business activity register, product catalogue mapped to CoA scope |
| Any change in management, control or activity has been reported to and approved by the RBI where required | RBI approval letters for change-in-control, board resolutions |
D2. Prudential & Net Worth
| What to verify | Typical evidence |
|---|
| Net worth of at least INR 15 crore was demonstrated at the time of application | CA-certified net worth certificate at application, audited financials |
| Net worth of INR 25 crore is achieved by the end of the third financial year and maintained thereafter | Latest CA-certified net worth certificate, audited balance sheet |
| Net worth is computed correctly (paid-up capital plus free reserves, less specified deductions) | Net worth computation working, auditor's basis of certification |
| The entity has a plan/capital to remain above threshold under stress | Capital plan, board minutes on capital adequacy |
D3. Governance & Fit-and-Proper
| What to verify | Typical evidence |
|---|
| Promoters and directors satisfy fit-and-proper criteria and have submitted declarations | Fit-and-proper declarations, director KYC, criminal/defaulter checks |
| Board has approved the key policies (information security, customer grievance, merchant onboarding, KYC/AML) | Board-approved policy documents with approval dates and version control |
| A senior official is designated as compliance/nodal officer for the PA function | Appointment letter, org chart, published nodal officer contact |
| Governance structure includes risk and audit oversight for payment operations | Committee charters, minutes of risk/audit committee meetings |
D4. Escrow & Settlement
| What to verify | Typical evidence |
|---|
| A single escrow account is maintained with a scheduled commercial bank exclusively for PA settlement funds | Escrow agreement, bank confirmation, account statements |
| Only permitted credits and debits flow through the escrow (no co-mingling with the entity's own funds) | Escrow debit/credit matrix, reconciliation reports |
| Merchant settlements occur within the mandated timelines (e.g., Tp+1 for pre-funded, Ts+1 where applicable) | Settlement logs, SLA definitions, settlement-timing MIS |
| Amounts held in escrow reconcile to merchant payables and outstanding transactions daily | Daily reconciliation statements, escrow balance vs payable report |
| Core portion of escrow is not used as working capital or for lending | Fund-usage policy, treasury controls, audit confirmation |
D5. Merchant Onboarding & Due Diligence
| What to verify | Typical evidence |
|---|
| Merchants undergo KYC and background checks proportionate to risk before onboarding | Merchant KYC records, background check reports, onboarding checklist |
| Merchant Category Codes (MCC) are correctly assigned and monitored | MCC assignment records, MCC monitoring reports |
| Prohibited, high-risk and restricted merchants are screened out | Prohibited-merchant list, screening tool output, sanctions checks |
| A merchant risk categorisation and ongoing monitoring process exists | Merchant risk-scoring model, periodic review logs |
| Merchant agreements bind merchants to security, data and conduct obligations | Executed merchant agreements with security/data clauses |
D6. Customer Grievance & Dispute Resolution
| What to verify | Typical evidence |
|---|
| A board-approved customer grievance redressal policy is published and accessible | Published grievance policy, website disclosure, version history |
| A nodal/grievance officer is named with contact details on the website | Nodal officer details on website, appointment record |
| Grievances and disputes are logged, tracked and resolved within defined timelines | Grievance register, TAT MIS, ageing report |
| Chargeback and dispute handling processes align with network and RBI expectations | Chargeback SOP, dispute logs, refund reconciliation |
| Escalation to the RBI Ombudsman/Integrated Ombudsman Scheme is disclosed to customers | Ombudsman escalation disclosure on website and communications |
D7. Data Storage & Card-on-File (CoF)
| What to verify | Typical evidence |
|---|
| The PA and its merchants do not store full card credentials (CoF data) except the last four digits and card issuer name as permitted | Data-storage scan results, database schema review, DLP output |
| Tokenisation (CoFT) is used for recurring and stored-credential use cases | Tokenisation architecture, token vault evidence, network token records |
| Card and payment data is stored only within India (RBI data-localisation) | Data-localisation attestation, hosting location evidence, architecture diagram |
| Purging of previously stored card data has been completed and evidenced | Purge logs, deletion certificates, pre/post data scans |
| Sensitive authentication data (CVV/CVV2, full track, PIN) is never stored post-authorisation | Storage scans, PCI DSS Requirement 3 evidence |
D8. Baseline Information Security
| What to verify | Typical evidence |
|---|
| A board-approved information security policy aligned to a recognised standard (e.g., PCI DSS, ISO 27001) is in force | IS policy document, standard-mapping matrix, board approval |
| The cardholder data environment is scoped, segmented and PCI DSS compliant | PCI DSS AOC/ROC, network segmentation diagram, scope document |
| Secure SDLC practices govern application development and change | SDLC policy, code review records, change tickets, SAST/DAST reports |
| Data is encrypted in transit (TLS) and at rest using strong cryptography | TLS configuration, certificate inventory, encryption/key-management evidence |
| Security configuration hardening and patch management are applied to all systems | Hardening baselines, patch compliance reports, configuration scans |
D9. Access Control & Identity
| What to verify | Typical evidence |
|---|
| Multi-factor authentication protects administrative and remote access | MFA configuration, enrolment reports, VPN/admin access policy |
| Access is granted on least-privilege and need-to-know principles | RBAC matrix, access-request approvals, access certifications |
| Privileged accounts are managed via a PAM/PIM solution with session monitoring | PAM logs, privileged-session recordings, break-glass procedure |
| Joiner-mover-leaver process revokes access promptly on role change or exit | JML records, deprovisioning logs, periodic access reviews |
| Session management, timeouts and password/passphrase policies are enforced | Session/timeout config, password policy, IdP settings |
D10. Cyber & Fraud Risk Management
| What to verify | Typical evidence |
|---|
| Real-time fraud monitoring and transaction risk scoring are operational | Fraud engine configuration, rule sets, alert MIS |
| Velocity checks, transaction limits and anomaly detection are enforced | Limit configuration, velocity rules, anomaly reports |
| Suspicious transactions are investigated and reported per AML/CFT obligations | STR/SAR records, investigation logs, FIU reporting where applicable |
| Fraud losses and trends are tracked and reported to management | Fraud loss MIS, trend dashboards, management review minutes |
| Additional Factor of Authentication (AFA) is enforced where mandated | AFA/2FA configuration for card-not-present transactions |
D11. Vulnerability & Audit Assurance
| What to verify | Typical evidence |
|---|
| Periodic VAPT is performed on internet-facing and internal systems | VAPT reports, scope, retest evidence |
| An annual system audit is conducted by a CERT-In empanelled auditor | CERT-In audit report, empanelment confirmation of auditor |
| Findings are risk-rated, tracked to closure and re-tested | Findings tracker, closure evidence, remediation SLAs |
| Application security testing (SAST/DAST) is embedded in release cycles | SAST/DAST reports, pipeline integration evidence |
| A PCI DSS assessment (SAQ/ROC/AOC) is current and covers the CDE | Valid AOC/ROC, ASV scan reports |
D12. Incident Response & Business Continuity
| What to verify | Typical evidence |
|---|
| A documented, tested incident response plan exists with defined roles | IR plan, playbooks, tabletop/exercise reports |
| Cyber incidents are reported to CERT-In within the mandated timeline and to the RBI as required | CERT-In reporting records, RBI incident notifications |
| A business continuity and disaster recovery plan is documented and tested | BCP/DR plan, DR drill reports, RTO/RPO definitions |
| Backups are taken, secured and restore-tested periodically | Backup schedule, restore-test logs, offsite/immutable backup evidence |
| Post-incident reviews drive corrective and preventive actions | PIR reports, CAPA tracker |
D13. Outsourcing & Third-Party Risk
| What to verify | Typical evidence |
|---|
| An outsourcing policy governs material technology and payment vendors | Outsourcing policy, vendor register with materiality ratings |
| Payment Gateway and other technology partners are contractually bound to security obligations | PG contracts with security/data/right-to-audit clauses |
| Vendor due diligence and periodic reassessment are performed | Vendor risk assessments, due-diligence questionnaires, reassessment logs |
| Right-to-audit and RBI access to vendor records is preserved contractually | Contract clauses granting audit and regulator access |
| Concentration and exit risk for critical vendors is managed | Business continuity/exit plans for critical outsourcing |
D14. Reporting & Regulatory Compliance
| What to verify | Typical evidence |
|---|
| Periodic returns and data are submitted to the RBI accurately and on time | Return submission records, acknowledgements, MIS |
| Statutory and compliance certifications are maintained and current | Net worth certificates, system audit reports, compliance certificate to RBI |
| Material changes (control, product, security posture) are notified to the RBI | Change notification correspondence, board approvals |
| A compliance calendar tracks all regulatory obligations and due dates | Compliance calendar, obligation register, status dashboard |
| Records are retained for the mandated retention periods | Retention policy, record inventory, retention evidence |
Scoping the Assessment
Correct scoping determines both the cost and the credibility of a PA-PG assessment. The scope must encompass every system, process, third party and data flow involved in receiving payment instructions, authorising transactions, holding funds in escrow, and settling merchants. A common and costly error is to scope only the cardholder data environment (as one might for a narrow PCI DSS engagement) while omitting the escrow reconciliation systems, merchant onboarding platforms, grievance systems and reporting pipelines that the RBI framework equally cares about.
- People: employees and contractors involved in payment operations, merchant onboarding, fraud, treasury/escrow, security and compliance.
- Processes: transaction authorisation and routing, settlement and escrow reconciliation, merchant KYC, grievance handling, incident response and regulatory reporting.
- Technology: the CDE, payment switch/gateway, token vault, merchant portal, escrow reconciliation systems, fraud engine, logging and monitoring stack.
- Data: card and payment credentials, tokens, merchant KYC data, transaction records, settlement data and personal data subject to data-localisation.
- Third parties: payment gateways, acquiring banks, escrow bank, cloud/hosting providers, KYC vendors and any outsourced operations centre.
- Locations: data centres and cloud regions (must be within India for card/payment data), disaster recovery sites and any offshore support access paths.
Where a Payment Gateway (technology-only) is being assessed rather than a full PA, the scope narrows to the baseline security domains (D7 through D13) and the contractual controls that flow down from the authorised PA, but the assessor should confirm through data-flow analysis that the PG genuinely never touches settlement funds, otherwise it is a de facto PA.
Implementation Approach
A structured, phased programme moves an entity from an initial gap position to authorisation-readiness and sustained compliance. Each phase below lists indicative activities and the deliverables an assessor or programme manager should expect to see produced.
Phase 1: Discovery and Gap Assessment
- Activities: map the entity against the PA vs PG definitions, inventory systems and data flows, and perform a control-by-control gap assessment across all fourteen domains.
- Activities: assess net worth position, escrow arrangement and current security posture (including any existing PCI DSS status).
- Deliverables: current-state data-flow diagrams, PA/PG classification memo, gap-assessment report with prioritised findings, indicative remediation budget.
Phase 2: Governance and Policy Foundation
- Activities: draft and obtain board approval for the required policies (information security, KYC/AML, merchant onboarding, grievance redressal, outsourcing, incident response).
- Activities: establish the escrow arrangement with a scheduled bank and define settlement timelines; appoint the nodal/compliance officer.
- Deliverables: board-approved policy suite, escrow agreement, governance and committee structure, fit-and-proper declarations.
Phase 3: Technical and Security Remediation
- Activities: remediate the CDE to PCI DSS, purge stored card data, implement tokenisation, enforce data-localisation, and close VAPT findings.
- Activities: deploy MFA, PAM, fraud monitoring, logging/SIEM and encryption/key-management controls.
- Deliverables: PCI DSS AOC/ROC, tokenisation implementation evidence, data-purge certificates, VAPT retest reports, hardened configuration baselines.
Phase 4: Operationalisation and Assurance
- Activities: run the merchant onboarding, grievance, fraud and reconciliation processes in production and generate operating evidence; conduct a CERT-In empanelled system audit.
- Activities: perform BCP/DR drills, incident-response tabletop exercises and internal audit of the framework.
- Deliverables: CERT-In system audit report, DR drill and IR exercise reports, operating MIS, internal audit report.
Phase 5: Authorisation, Reporting and Continuous Compliance
- Activities: compile and submit the authorisation application (or maintain authorisation), establish the compliance calendar, and file periodic RBI returns.
- Activities: institute ongoing monitoring, annual re-audit and management review cycles.
- Deliverables: RBI application/renewal pack, compliance calendar, periodic returns, annual assurance reports and management review minutes.
Maturity and Capability Model
Although the RBI framework is a pass/fail regulatory regime, a maturity model is invaluable for internal programme management, board reporting and prioritisation. The following five-level model can be applied to each of the fourteen domains to produce a heat-map of readiness.
| Level | Name | Characteristics |
|---|
| 1 | Initial / Ad hoc | No formal PA/PG classification; controls informal or absent; significant regulatory exposure |
| 2 | Developing | Key policies drafted; escrow and PCI gaps identified; remediation planned but not complete |
| 3 | Defined | Policies board-approved; escrow live; PCI DSS achieved; core security controls operating |
| 4 | Managed | Controls measured with MIS/KPIs; CERT-In audit passed; findings closed within SLA; reporting timely |
| 5 | Optimised | Continuous monitoring, automation, threat-informed fraud controls; proactive regulator engagement; sustained compliance |
Assessment and Audit Approach
An auditor-grade engagement should follow a disciplined, evidence-led methodology so that conclusions are defensible before the RBI, the board and external auditors.
- Confirm classification: through data-flow analysis, determine whether the entity is a PA, a PG, a PA-CB or a hybrid, as this drives the applicable control set.
- Define and freeze scope: agree the systems, processes, data flows, locations and third parties in scope, and document exclusions with justification.
- Plan the assessment: build a control matrix mapping each of the fourteen domains to test procedures and required evidence.
- Collect documentation: obtain policies, agreements, certificates, prior audit reports and MIS ahead of fieldwork.
- Conduct interviews and walkthroughs: validate that documented processes reflect operating reality for escrow, onboarding, fraud, grievance and incident handling.
- Perform technical testing: review PCI DSS status, VAPT results, data-storage scans, tokenisation, access controls and encryption.
- Test settlement and escrow: reconcile escrow balances to merchant payables and verify settlement timeliness on a sample basis.
- Evaluate third parties: assess PG and other vendor contracts, due diligence and right-to-audit provisions.
- Rate and report findings: assign severity, map to domains, and produce a gap report with prioritised, time-bound remediation.
- Validate remediation: retest closed findings and issue a final assurance statement or readiness opinion, with a schedule for periodic re-assessment.
Evidence Request List
The following categorised list is the evidence an assessor should request. Providing this upfront materially accelerates fieldwork and reduces back-and-forth.
- Authorisation and legal: Certificate of Authorisation or in-principle approval, Certificate of Incorporation, MoA/AoA, RBI correspondence.
- Prudential: CA-certified net worth certificates (application and latest), audited financial statements, net worth computation working.
- Governance: board-approved policies, committee charters and minutes, fit-and-proper declarations, nodal officer appointment.
- Escrow and settlement: escrow agreement, bank confirmations, daily reconciliation statements, settlement-timing MIS.
- Merchant: merchant onboarding checklist, sample KYC files, MCC assignment records, prohibited-merchant screening evidence, merchant agreements.
- Grievance: published grievance policy, grievance register, TAT and ageing MIS, chargeback SOP.
- Data and card security: data-storage scan results, tokenisation architecture and vault evidence, data-purge certificates, data-localisation attestation.
- Information security: IS policy, PCI DSS ROC/AOC and ASV scans, network diagrams, hardening baselines, patch reports.
- Access and identity: RBAC matrix, MFA and PAM configuration, access-review and JML records.
- Fraud and cyber risk: fraud engine rules, alert and loss MIS, AFA configuration, AML/STR records.
- Assurance: VAPT reports and retests, CERT-In empanelled system audit report, SAST/DAST reports.
- Resilience: IR plan and exercise reports, BCP/DR plan and drill reports, backup and restore-test logs.
- Third party: outsourcing policy, vendor register, PG contracts, vendor risk assessments.
- Reporting: RBI return submissions and acknowledgements, compliance calendar, incident-reporting records, retention policy.
Roles and Responsibilities
Clear accountability across the RACI dimensions is essential; the RBI expects named ownership for each obligation, not diffuse responsibility.
| Role | Primary responsibilities |
|---|
| Board of Directors | Approve policies, oversee risk appetite, ensure fit-and-proper compliance and capital adequacy |
| Managing Director / CEO | Overall accountability for authorisation, compliance posture and regulatory relationship |
| Chief Compliance / Nodal Officer | Own regulatory obligations, returns, grievance oversight and RBI liaison |
| Chief Information Security Officer | Own IS policy, PCI DSS, VAPT, incident response and security control operation |
| Head of Payments / Operations | Own escrow, settlement, reconciliation and merchant onboarding processes |
| Chief Risk Officer | Own fraud, transaction risk, third-party risk and risk reporting |
| Chief Financial Officer | Own net worth maintenance, escrow financial controls and statutory audit |
| Internal Audit | Independently assure the framework and validate remediation |
| Data Protection / Privacy Lead | Own data-localisation, retention and personal-data handling obligations |
KPIs to Track
- Net worth headroom above the applicable INR 15/25 crore threshold, reported quarterly.
- Percentage of merchant settlements completed within the mandated timeline (Tp+1/Ts+1).
- Daily escrow reconciliation break count and time-to-resolution.
- Merchant onboarding KYC completion rate and pending-KYC ageing.
- Grievance resolution turnaround time and percentage resolved within SLA.
- Fraud rate (basis points of transaction value) and net fraud loss trend.
- Percentage of card data purged and share of transactions using tokenised credentials.
- VAPT and system-audit findings: count, severity mix and mean-time-to-remediate.
- PCI DSS control compliance percentage and days to AOC/ROC renewal.
- Cyber-incident reporting timeliness against CERT-In/RBI deadlines.
- Third-party/vendor reassessments completed on schedule.
- Regulatory returns filed on time as a percentage of total due.
Readiness Checklist
- Entity correctly classified as PA, PG or PA-CB with data-flow evidence.
- Valid RBI Certificate of Authorisation held or application prepared.
- Net worth of at least the applicable threshold demonstrated and CA-certified.
- Single dedicated escrow account established with a scheduled commercial bank.
- Merchant settlements consistently within mandated timelines.
- Board-approved policy suite in force with version control.
- Merchant KYC, MCC assignment and prohibited-merchant screening operating.
- Grievance policy published with named nodal officer and Ombudsman disclosure.
- No card credentials stored beyond permitted fields; tokenisation live.
- Card and payment data localised within India with attestation.
- Current PCI DSS AOC/ROC covering the cardholder data environment.
- MFA, least privilege and PAM enforced for privileged access.
- Real-time fraud monitoring and AFA operating.
- Periodic VAPT and a CERT-In empanelled system audit completed with findings closed.
- Tested incident response, BCP and DR plans with CERT-In/RBI reporting readiness.
- Outsourcing and PG contracts carry security, data-localisation and right-to-audit clauses.
- Compliance calendar in place and periodic RBI returns filed on time.
Common Gaps
- Mis-classification: operating as a de facto PA (touching settlement funds) while claiming to be a technology-only PG to avoid authorisation.
- Escrow discipline failures: co-mingling merchant funds with own funds, or breaching settlement timelines.
- Residual card data: incomplete purge of previously stored CoF/card data despite the storage prohibition.
- Weak tokenisation adoption: recurring and stored-credential flows still relying on raw PAN.
- Data-localisation gaps: card or payment data processed or stored, even transiently, outside India via cloud regions or offshore support.
- Stale assurance: PCI DSS AOC or CERT-In system audit lapsed, or findings left open beyond SLA.
- Thin merchant due diligence: superficial KYC and no ongoing risk monitoring or MCC governance.
- Governance gaps: policies not board-approved, no named nodal officer, or missing fit-and-proper declarations.
- Vendor blind spots: PG and cloud contracts lacking right-to-audit, security and RBI-access clauses.
- Reporting lapses: late or inaccurate RBI returns and missed cyber-incident reporting deadlines.
- Fraud control gaps: absent velocity checks, AFA not enforced for card-not-present, or unmonitored fraud losses.
RBI PA-PG Guidelines Mapped to Other Frameworks
Because much of the PA-PG security expectation is expressed by reference to established baselines, an entity can reuse control evidence across multiple frameworks. The mapping below highlights the principal correspondences an assessor can leverage.
| RBI PA-PG domain | PCI DSS | ISO/IEC 27001 | CERT-In / NIST CSF |
|---|
| Data Storage & CoF (D7) | Req 3 - Protect stored account data | A.5.34 / A.8.11 data masking & protection | Protect - Data Security (PR.DS) |
| Baseline Information Security (D8) | Req 1,2,4,6 - Network, config, crypto, secure SDLC | A.8 Technological controls | Protect (PR.IP/PR.PT) |
| Access Control & Identity (D9) | Req 7,8 - Access control & authentication | A.5.15-A.5.18, A.8.2-A.8.5 | Protect - Identity Mgmt & Access (PR.AC) |
| Cyber & Fraud Risk (D10) | Req 5,11 - Malware, testing; fraud via AFA | A.5.7 threat intel, A.8.16 monitoring | Detect (DE.AE/DE.CM) |
| Vulnerability & Audit (D11) | Req 6,11 - Vuln mgmt & testing | A.8.8 technical vulnerability mgmt | Identify/Detect (ID.RA, DE.CM) |
| Incident Response & BCP (D12) | Req 12.10 - Incident response | A.5.24-A.5.30 incident & continuity | Respond & Recover (RS/RC) |
| Outsourcing & Third Party (D13) | Req 12.8 - Service provider management | A.5.19-A.5.23 supplier relationships | Identify - Supply Chain (ID.SC) |
| Governance & Compliance (D3/D14) | Req 12 - Security policy & governance | A.5.1-A.5.6 organisational controls | Govern (GV) / Identify (ID.GV) |
How CyberSigma Helps
CyberSigma is a CERT-In empanelled cybersecurity and compliance partner with deep specialisation in India's payments regulatory landscape. We support Payment Aggregators, Payment Gateways and cross-border PA-CB applicants across the full lifecycle: PA/PG classification and data-flow analysis, RBI authorisation readiness, gap assessment across all fourteen domains, PCI DSS QSA services, tokenisation and CoF-purge validation, data-localisation assurance, VAPT, CERT-In empanelled system audits, and the design of escrow, merchant onboarding, grievance and reporting controls. Our integrated approach lets you reuse a single body of evidence across RBI PA-PG, PCI DSS, ISO 27001 and CERT-In obligations, cutting duplication and accelerating time to authorisation. Engage CyberSigma to move from uncertainty to a defensible, audit-ready and continuously compliant payments operation.