Payment Aggregator, Cyber Security & RBI guidelines

Payment Aggregators are intermediaries that receive payments from customers buying goods or services online, pool those funds, and then transfer them to merchants. They act as a bridge between merchants and customers and help simplify the online payment process. A payment aggregator is required to comply with several RBI-issued guidelines on management and operations.
According to guidelines released by the Reserve Bank of India, non-banking companies offering payment aggregation services must obtain authorization. Given the seriousness of cyber fraud in India, the new regime aims to improve online payments in the country.
As India progresses towards digitalization, payment aggregators have made it easier for small and medium-sized businesses to accept digital payments. They have contributed significantly to the growth of India’s digital payment ecosystem. Get in touch with Cyberra Legal Services to learn more about the online payment scenario in India.
What is a Payment Aggregator?
Payment aggregators in India are third-party intermediaries that enable merchants to accept online payments from customers through various digital payment modes such as credit/debit cards, net banking, UPI, digital wallets, and other payment methods. These payment aggregators provide a platform for merchants to process transactions, manage settlements, and reconcile transactions securely. In effect, payment aggregators accept payments from customers, pool them, and then transfer them to the merchants after a certain period.
Payment aggregators are regulated by the Reserve Bank of India (RBI) under the Payment and Settlement Systems Act, 2007. They must comply with various guidelines issued by the RBI on the operation and management of payment aggregators. Some popular payment aggregators in India include Paytm, Razorpay, Billdesk, PayU, Instamojo, and CCAvenue.
What is Payment Gateway?
A payment gateway in India is a service provided by a financial institution or a third-party payment entity that provides merchants with the technology infrastructure to accept and process online payments from customers securely. Payment gateways route and facilitate online transactions between the customer and the merchant without any involvement in handling funds. They act as an intermediary between the merchant’s website and the customer’s digital payment instrument, such as a credit/debit card, net banking, UPI, digital wallets, etc.
When a customer makes a payment through a payment gateway, the gateway securely collects the payment details and passes them on to the relevant financial institution or payment service provider for processing. Once the payment is processed, the payment gateway communicates the result of the transaction back to the merchant’s website, and the funds are settled in the merchant’s account.
What is the difference between payment aggregators and payment gateways?
Payment aggregators and payment gateways are two different types of services that facilitate online payments. Here are the main differences between payment aggregators and payment gateways:
Function:
While payment aggregators provide a single platform for merchants to accept multiple digital payment options, payment gateways offer a technology infrastructure and digital lending solutions, enabling merchants to accept payments through a specific payment option.
Integration:
Payment aggregators integrate with multiple payment gateways to offer a wide range of payment options, while payment gateways integrate with a specific bank or financial institution to enable payments through that particular option.
Settlement:
Payment aggregators collect the payments, pool them, and transfer them to the merchant’s account within a certain time after deducting their fees, while payment gateways settle payments directly to the merchant’s account. Payment gateways never handle the actual funds.
Risk Management:
Payment aggregators manage the risks associated with the transactions they facilitate, whereas payment gateways transfer the risk to the bank or financial institution that processes the payment. This division of responsibility helps in monitoring cyber fraud in India more efficiently.
In summary, payment aggregators provide a comprehensive solution for accepting multiple payment options, while payment gateways enable merchants to accept payments through a specific payment option. While payment aggregators act as an interface for online and offline transactions, payment gateways act as an intermediary and only work for online transactions. Payment aggregators manage transaction risks, while payment gateways transfer the risk to the bank or financial institution that processes the payment.
Cyber Security & Mandatory Guidelines by the Reserve Bank of India
Payment aggregators provide services to merchants (online and offline) by handling both the funds and the technical side of processing online payments. This includes enabling the merchant to accept debit and credit cards, e-wallets, and net banking. Aggregators have to comply with several guidelines issued by the Indian government to stay operational and continue providing services.
The government has mandated that all organizations that process personal information must implement reasonable security practices and procedures. This includes securing data, digital lending solutions, and systems that contain personal information, implementing privacy policies, and reporting incidents. If you have any doubt regarding the cyber security law on payment aggregators and payment gateways, contact our legal experts at Cyberra Legal Services to learn more.
Security Risk Management: aggregators should carry out a comprehensive risk assessment of their people, IT, and business processes. They should also have a board-approved security policy and ensure their infrastructure is secure. They should implement best practices for data security and report any cybersecurity incidents or data breaches to the regulator. They should also conduct a product-related check on their merchants and have a redressal framework for customer grievances.
Cybersecurity Audit: aggregators must have a cyber security audit conducted annually by CERT-In empanelled auditors and submit the audit report to the DPSS and the RBI. They must also perform background and antecedent checks on their merchants to ensure that merchants do not dupe customers or sell prohibited products, which helps control cyber fraud in India. They should also ensure that their merchants’ infrastructure complies with the PCI-DSS and PA-DSS standards for secure storage of customer data.
Recently, with the rise in digitalization, India has witnessed an increase in cyber fraud. To counter this, the Government of India and the Reserve Bank of India are working to introduce more developed and efficient reforms and regulations for offline and online payments.
RBI Guidelines on Payment Aggregator
Both bank and non-bank entities can handle the funds. Banks may provide payment aggregator services as part of their normal banking relationship and therefore do not require separate authorization from the Reserve Bank of India, whereas non-bank entities that provide payment aggregator services must comply with the RBI guidelines and obtain approval from the RBI under the Payment and Settlement Systems Act, 2007 (PSSA).
Private fintech companies and other entities seeking authorization as a Payment Aggregator from the RBI under the PSSA 2007 should apply to the Department of Payment and Settlement Systems (DPSS), RBI. While new payment aggregators should have a minimum net worth of INR 15 crore, they are required to achieve and maintain a net worth of INR 25 crore by the end of the third financial year after the grant of authorization. The promoters of the entity must also satisfy the ‘Fit and Proper’ criteria prescribed by the RBI.
Aggregators are required to have a Board-approved policy for onboarding merchants and conduct background and antecedent checks on them. They must also ensure that the merchants’ infrastructure complies with PCI-DSS and PA-DSS, as part of which merchants are restricted from storing their customers’ card details. They must also maintain an escrow account with a scheduled commercial bank, which will be used to collect, pool, and disburse funds the aggregator collects.
Moreover, aggregators are required to operate a redressal and dispute management framework and designate a nodal officer to handle regulatory and customer grievances. The aggregators must also have a robust privacy policy that adheres to the Prevention of Money Laundering Act 2002 and other laws in India. They should also submit a data breach notification to the governmental authorities as per the CERT-In rules and regulations.
It is important to note that this regulation applies to public and private sector entities providing digital lending solutions. It applies to companies that process personal data in or outside India, regardless of whether the company itself is located in India.
Conclusion
The use of online payment and digital lending solutions has grown significantly in recent years, and, as the world saw during the Covid-19 pandemic, such services provide reliable support and value. With multiple payment options, strong cyber security features, and smoother transactions than ever before, payment aggregators and payment gateways make it convenient for customers and merchants to process their transactions. This has streamlined the ever-growing digital payment and lending landscape. To learn more, contact Cyberra Legal Services now!
Frequently Asked Questions:
What is a payments aggregator?
A payment aggregator is a third-party facilitator that enables merchants to accept online and offline payments from customers. It essentially acts as a bridge between customers and merchants.
What is an example of a payment aggregator?
Some common examples of payment aggregators in India are Google Pay, Amazon Pay, Paytm, Bill Desk, PayUMoney, Innoviti, etc.