Reserve Bank of India · India

RBI Payment Aggregators & Payment Gateways (PA-PG)

Authorisation and security requirements for payment aggregators and payment gateways.

RBI’s Guidelines on Regulation of Payment Aggregators and Payment Gateways (issued March 2020, with subsequent updates) brought payment aggregators (PAs) under direct RBI authorisation and set baseline technology and security requirements. Payment gateways (PGs) are treated as technology providers. This is a practical compliance guide.

Payment Aggregator vs Payment Gateway

                 | Payment Aggregator (PA)                       | Payment Gateway (PG)
  Role           | Onboards merchants and handles/settles funds  | Provides technology to route/process transactions
  Handles funds? | Yes — enters the payment flow                 | No — technology infrastructure only
  RBI status     | Requires RBI authorisation                    | Treated as a technology provider (follows baseline security)

Eligibility and authorisation

  • Non-bank PAs require authorisation from RBI under the Payment and Settlement Systems Act.
  • Net-worth requirement: a minimum net worth at application, rising to a higher threshold by the stipulated financial year (as specified by RBI).
  • Fit-and-proper governance, a board-approved policy, and a nodal/escrow arrangement are required.
  • Banks providing PA services do so under their existing authorisation but must meet the technology and security requirements.

The System Audit Report (SAR)

  • PAs must submit an annual System Audit Report (SAR) to RBI, performed by a CERT-In empanelled auditor.
  • The SAR covers information security, the technology stack, data storage, application and network security, and compliance with the guidelines.
  • Findings must be remediated and the SAR board-approved before submission within RBI’s timelines.

PCI DSS and card-data handling

  • PAs handling card data must maintain a PCI DSS-compliant posture.
  • Merchants onboarded by a PA must not store card data; card-on-file tokenisation should be used where applicable.
  • Card data must be encrypted and access strictly controlled.

Data storage and localisation

  • Payment data must be stored only in India, per RBI’s data-localisation directive.
  • Where transactions are processed abroad, the data must be brought back and any foreign copies purged within the stipulated time.
  • Data-storage compliance is verified through the System Audit.

Escrow settlement and merchant onboarding

  • Funds must flow through an escrow account maintained with a scheduled commercial bank; the PA cannot use the funds.
  • Settlement to merchants must follow the prescribed timelines (T+ settlement cycles).
  • Merchant onboarding requires KYC/due diligence, background checks and monitoring of merchant activity.
  • A merchant agreement must define security, data and settlement responsibilities.

Baseline security requirements

  • Information security governance and a board-approved security policy.
  • Data security, encryption and key management.
  • Access control, MFA and monitoring/logging.
  • Secure application development and periodic VAPT of applications and infrastructure.
  • Incident response and reporting to RBI/CERT-In.
  • Merchant and vendor risk management; fraud and risk monitoring.

Implementation roadmap

  1. Confirm eligibility, net worth and governance; prepare the RBI authorisation application.
  2. Establish the escrow arrangement and settlement processes.
  3. Achieve a PCI DSS-compliant posture for the card environment.
  4. Implement data localisation and the baseline security controls.
  5. Stand up merchant onboarding/KYC and monitoring.
  6. Conduct VAPT and remediate; undergo the System Audit by a CERT-In empanelled auditor.
  7. Board-approve and submit the SAR to RBI; maintain annual compliance.

Evidence checklist

  • RBI authorisation / application and net-worth certificates.
  • Escrow-account arrangement and settlement records.
  • PCI DSS Attestation of Compliance for the card environment.
  • Data-localisation evidence (storage in India; foreign-copy purge records).
  • Board-approved security policy and governance records.
  • VAPT reports and remediation evidence.
  • Merchant onboarding/KYC records and monitoring.
  • The annual System Audit Report (SAR) by a CERT-In empanelled auditor.
  • Incident-response and RBI/CERT-In reporting records.

Common gaps

  • Merchants still storing card data, or PAN stored/logged in clear text.
  • Payment data (or backups) stored or processed outside India without purge.
  • Escrow/settlement timelines not met.
  • Weak merchant due diligence enabling high-risk or fraudulent merchants.
  • System Audit performed by a non-CERT-In-empanelled auditor.
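One detection check for the first gap above, as an added example (not code from the page or from CyberSigma): a small Python scanner that finds Luhn-valid card numbers sitting in clear text in application logs and masks them to first six / last four. The log lines and card numbers are constructed test data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs appearing in clear text in one log line."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask_line(line: str) -> str:
    """Replace each clear-text PAN with first6 + last4 (the usual PCI DSS display mask)."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            return raw          # numeric but not a card number: leave untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_mask, line)

# Constructed sample log lines (not real data). 4111 1111 1111 1111 is a widely
# used Luhn-valid test number; 4111111111111112 fails the Luhn check.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  txn=1001 merchant=M123 card=4111111111111111 status=OK",
    "2024-05-01T10:00:02Z DEBUG req body: {\"pan\":\"4111 1111 1111 1111\",\"amt\":499}",
    "2024-05-01T10:00:03Z INFO  txn=1002 ref=4111111111111112 status=DECLINED",
    "2024-05-01T10:00:04Z INFO  txn=1003 token=tok_9f3a merchant=M123 status=OK",
]

def scan_log(lines) -> list:
    """Return (line_number, pan_count) for every line that leaks a PAN in clear text."""
    return [(n, len(find_pans(l))) for n, l in enumerate(lines, 1) if find_pans(l)]

if __name__ == "__main__":
    for n, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} clear-text PAN(s) -> {mask_line(SAMPLE_LOG[n - 1])}")
```

Run it over exported application, gateway and debug logs (and backups) as part of SAR preparation; any hit is a finding that needs remediation at the logging layer, not just in the log files.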

How CyberSigma helps

CyberSigma is CERT-In empanelled and PCI QSA authorised — we can perform your PA-PG System Audit (SAR), deliver the PCI DSS assessment, run VAPT and verify data localisation, so your submission to RBI is complete and defensible.

Frequently asked questions

Who can perform the payment aggregator System Audit?
The System Audit Report must be carried out by a CERT-In empanelled auditor. CyberSigma is CERT-In empanelled and PCI QSA authorised.

Do payment aggregators need PCI DSS?
Yes — handling card data brings PCI DSS into scope, and the PA-PG guidelines expect a PCI DSS-compliant posture alongside the RBI requirements.

Need help with RBI PA-PG Guidelines?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.