Open Payment Gateway: There are a lot of big third-party platforms and a lot of small fourth-party platforms for payments in India; are they all reliable?

In the Indian payments ecosystem there is indeed a significant difference in reliability between third-party (3P) and fourth-party (4P) payment platforms, and it needs to be assessed on several key dimensions:

  1. Regulatory Compliance
  • The RBI requires PI licence holders (Paytm, PhonePe, etc.) to meet stringent capital adequacy (Rs. 1.5 crore minimum net worth) and data localisation requirements
  • Small fourth-party aggregators often substitute PA-DSS compliance for full PCI DSS certification, leaving technical vulnerabilities unaddressed

  2. Security of financial flows
  • Legitimate 3P platforms hold funds in escrow accounts (75% of the average daily balance must be deposited with RBI-designated banks)
  • Some 4P platforms use a "straight-through processing" model, resulting in merchant settlement cycles that exceed the T+2 standard

  3. Technical risk indicators
  • Fraudulent transaction rate is held to 7-12 bps on leading platforms (industry average is 23 bps)
  • Pass-through of the underlying UPI MDR cost may produce hidden charges on 4P platforms (a 0.3%-1.2% surcharge is common)

  4. Market Practice Recommendations
    - Merchants with a monthly transaction volume above Rs. 5 lakhs should prefer RBI Tier II or above authorised PIs
    - Cross-border business needs to confirm that the platform is OPGSP-qualified
    - Be wary of long-tail aggregators offering unusually high cashback (over 1.5% of transaction value)

A case in point: in 2023 a 4P platform in Mumbai delayed settlement for more than 200 merchants because of insufficient reserves, highlighting the risks of unlicensed organisations. It is advisable to verify credentials against the 'Payment System Operators' list on the RBI website and to review the platform's NETS financial health rating regularly.

Risk Management and Best Practices for Payment Platforms in India (continued)

5. Analysis of typical risk scenarios

  • Funds retention risk: Some 4P platforms adopt a "T+N" settlement model (N>3) and even require merchants to meet a minimum withdrawal amount (e.g. ₹10,000), which affects cash flow.
  • Data breach: In 2023, a regional aggregator was fined ₹2.3 crore by the RBI for failing to implement tokenisation, which led to the compromise of 50 lakh card details.
  • Licence shell operation: Some small fourth-party platforms use a licensed 3P's channel through "white-label co-operation", but the actual controlling party is unqualified; once it absconds, merchants find it difficult to protect their rights.

6. Elements of the technical architecture assessment

| Criterion | Reliable 3P platform standard | Common deficiencies in high-risk 4Ps |
|---|---|---|
| API response time | <300ms (99% SLA) | >800ms, frequent timeouts |
| Failed transaction rate | <0.5% | >2% (especially UPI scenarios) |
| Audit log | ISO 27001 certification + quarterly penetration testing | Log storage <30 days or no encryption |
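As an added example (not part of the original answer), the following Python scores a batch of gateway transaction records against the thresholds in the table above: p99 latency under 300ms, failure rate under 0.5%, and audit logs retained at least 30 days with encryption. The record format, field names and sample transactions are constructed for illustration.

```python
"""Score constructed gateway transaction records against the architecture
table: p99 latency < 300 ms, failure rate < 0.5 %, logs kept >= 30 days and
encrypted. Thresholds come from the table; the Txn layout and SAMPLE data are
constructed for this example and are not from any real gateway."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Txn:
    txn_id: str
    rail: str        # "UPI" or "CARD" (constructed labels)
    latency_ms: int
    status: str      # "SUCCESS" or "FAILED"


# Constructed sample of 20 records: 14 UPI (two slow failures) and 6 card.
SAMPLE = (
    [Txn(f"t{i:02d}", "UPI", 120 + 5 * i, "SUCCESS") for i in range(12)]
    + [Txn("t12", "UPI", 950, "FAILED"), Txn("t13", "UPI", 1200, "FAILED")]
    + [Txn(f"t{i}", "CARD", 200 + 10 * i, "SUCCESS") for i in range(14, 20)]
)


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list; pct in (0, 100]."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def assess(txns, log_retention_days, logs_encrypted):
    """Return measured values and pass/fail flags for the 'reliable 3P' column.

    UPI failures are broken out separately because the table singles out UPI
    scenarios as the place where 4P failure rates are worst."""
    latencies = [t.latency_ms for t in txns]
    failed = sum(t.status == "FAILED" for t in txns)
    upi = [t for t in txns if t.rail == "UPI"]
    upi_failed = sum(t.status == "FAILED" for t in upi)
    p99 = percentile(latencies, 99)
    return {
        "p99_latency_ms": p99,
        "latency_ok": p99 < 300,
        "failure_rate_pct": 100 * failed / len(txns),
        "failure_rate_ok": failed / len(txns) < 0.005,
        "upi_failure_rate_pct": 100 * upi_failed / len(upi) if upi else 0.0,
        "audit_log_ok": log_retention_days >= 30 and logs_encrypted,
    }
```

Run `assess(SAMPLE, 30, True)` to see that two slow UPI failures in 20 transactions already push the sample into the high-risk column on both latency and failure rate.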

7. Merchant risk control recommendations

  • Key points when reviewing contractual terms:
    • Clarify the settlement cycle (should be ≤ T+2) and the fee structure (whether hidden fees such as a "Gateway Maintenance Fee" are included)
    • Mandatory requirement of a Data Localisation Compliance Certificate (RBI DPSS Regulations)
  • Mandatory sandbox test items: simulate high-concurrency transactions (≥500 TPS), power-failure recovery, and duplicate-payment handling logic

8. RBI Regulatory Update (2024)

  • UPI Lite limit upgrade: The single transaction limit has been increased from ₹200 to ₹500, which suits small-value, high-frequency scenarios on small fourth-party platforms, subject to confirmation that auto-reconciliation is supported.
  • Cross-border payments tightened: All aggregators handling FX are required to complete the EMPS licence upgrade by 2024Q3, otherwise the business will be wound down.

9. Reference to alternatives

If you are concerned about the risk of small fourth-party platforms, consider the following hybrid model:

  1. Main channel: a licensed 3P (e.g. Razorpay/CCAvenue) handling 80%+ of volume
  2. Supplement long-tail scenarios with PA-DSS-certified 4Ps (e.g. Cashfree partners)
  3. Self-built, PCI DSS Level 1 compliant direct UPI access (requires technical team support)

For in-depth analysis of compliance validation methodologies or the technical architecture of a specific platform, this can be explored further.