Regulatory · 7 min read

Payment Aggregator Compliance Guide

RBI’s PA-PG guidelines bring payment aggregators under authorisation with strict security, audit and data rules.


1. Authorisation and governance

Meeting the minimum net-worth threshold, fit-and-proper promoters and directors, and a board-approved information security and operational policy are prerequisites for RBI authorisation as a payment aggregator.

2. The System Audit Report (SAR)

An annual System Audit Report, prepared by a CERT-In empanelled auditor, covers the aggregator's information security controls, how and where payment data is stored, and compliance with the PA-PG guidelines.

3. PCI DSS, data localisation and settlement

  • Maintain a PCI DSS-compliant posture for any cardholder data you store, process or transmit.
  • Store payment data only on systems located in India.
  • Route merchant funds through an escrow account and settle to merchants within the prescribed timelines.

How CyberSigma helps

CERT-In empanelled and PCI QSA authorised, we deliver your PA-PG System Audit, PCI DSS assessment, VAPT and data-localisation verification.

This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
