On September 15, 2025, the Reserve Bank of India (RBI) issued its final Master Direction on Regulation of Payment Aggregators (PAs). The guidelines consolidate and replace earlier rules from 2020, 2021, and 2023, and apply to both bank and non-banking entities engaged in the aggregation of payments.

The framework covers authorisation procedures, capital requirements, governance, risk management, security controls, KYC and due diligence, settlement of funds, escrow account operations, and reporting obligations.

Furthermore, the RBI classified payment aggregators into three categories: PA–Physical (PA–P), which handle in-person transactions; PA–Online (PA–O), which process digital and remote payments; and PA–Cross Border (PA–CB), which facilitate inward and outward international transactions under FEMA regulations.

Notably, banks do not require authorisation to carry out PA business. However, non-banking PAs need to secure authorisation from the RBI, maintain a minimum net worth of Rs 15 crore at the time of application and Rs 25 crore for the next three years, and adhere to due diligence and escrow account norms.

The directions also require PAs to establish dispute resolution systems, implement strong information security frameworks, and comply with prescribed reporting timelines.

Security And Fraud Prevention

The guidelines require PAs to put in place information and data security systems, adopt board-approved information security policies, and ensure that their merchants’ infrastructure complies with international standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS).

In addition, PAs must maintain strong fraud detection and prevention systems to protect customers from misuse of digital payment channels.

The RBI mandates that every PA must conduct an annual system and cybersecurity audit through CERT-In empanelled auditors, and submit reports to the central bank within timelines it prescribes.

Furthermore, PAs must comply with the broader framework on cyber resilience and digital payment security controls issued in 2024. They are also required to report cybersecurity incidents to the RBI without delay.

Additionally, in Annexure 1, the RBI outlines baseline technology-related recommendations that are mandatory for PAs. These include carrying out regular risk assessments, maintaining an enterprise-wide information security policy reviewed annually, and conducting vulnerability and penetration tests.

The recommendations also cover vendor risk management, ensuring data sovereignty, preparing cyber crisis management plans, and implementing forensic readiness to detect and analyse security events.

PAs must also ensure that cardholder data is not stored on merchant servers, and that all refunds are processed in line with the original payment method.

Dispute Management Framework

The central bank directed PAs…



Last Update: September 16, 2025