India Payment Aggregator Licence Profile www.deekpay.com


An aggregator, also known as a Merchant Aggregator, is a service provider through which payments can be made using mobile devices and through which e-commerce merchants can process payment transactions. Aggregators allow merchants to accept card payments and bank transfers without even having to open a bank account with a bank or credit card association. Merchant aggregators offer a simple and inexpensive way to accept payments and can help small businesses get off the ground faster. One of the purposes of payment aggregators is to provide a simplified payment solution that is a shortcut to traditional payment methods. A payment aggregator includes a payment gateway, but a payment gateway does not include a payment aggregator.

Payment aggregators in India act as a bridge between merchants and customers

The term payment aggregation refers to institutions that:

Provide the technical route and facilitate the processing of online payment transactions and perform other functions without the need to actually handle the funds.

Help e-commerce websites and merchants to accept various payment instruments from their customers to fulfil their payment obligations to the merchant. Here, merchants do not need to create their own separate payment integration system.

Help merchants to connect with acquirers. In this process, they receive payments from customers and transfer them to the merchant after a period of time. In addition to handling funds, they also have access to customer data.

Payment aggregators are required to have a Payment Aggregator Licence and the necessary Payment Card Industry Data Security Standard (PCI DSS) certification.

Process for Getting a Payment Aggregator Licence in India

Entities wishing to obtain a payment aggregator licence must undertake the following steps.

What is a Payment Gateway Licence in India

Payment gateways in India are software services that allow e-commerce businesses to process transactions on their websites or apps. They allow transactions to be processed through credit or debit cards, online banking, e-wallets and UPI payments.

Documents Required to Obtain a Payment Aggregator Licence in India

The documents required to obtain a Payment Aggregator Licence in India are as follows.

Certificate of Incorporation issued by the Registrar of Companies (ROC). Directors' PAN card or address proof. DSC and DIN of the directors. Proof of address of the place of business. Company bank account details. Five-year business plan of the company. Code test reports from software agencies.

Benefits of Getting a Payment Aggregator Licence in India

The benefits of a Merchant Aggregator are as follows.

It becomes a bridge between the consumer at one end and the merchant at the other, with the role of processing and completing payment transactions. For a large number of smaller transactions, this is a cost-effective method. The application process is very simple, which helps small businesses to operate with ease. Setting up with a payment aggregator is a quick and easy process: all a merchant needs to do is sign up to process e-commerce payments. It creates an opportunity for more talent to enter the marketplace and provides consumers with more purchasing options. Payment aggregators tend to offer advice on online transaction processing with little or no start-up fees and fixed costs.

What are the risks associated with payment aggregation in India

The activities of payment aggregators in online transactions are subject to the following risks.

In this technology and customer experience intensive business, organisations can be a source of risk if they do not have adequate governance practices in place, which may impact customer confidence and experience. The lack of adequate remediation mechanisms and harmonised practices across entities is also a concern. Aggregators are also exposed to some risks of transaction fraud or chargebacks related to sub-merchants. Some e-commerce marketplaces also offer payment aggregation services which are not directly regulated by the Reserve Bank of India, which can be a huge concern for aggregators. Hence, it can be subject to dual regulation. Payment aggregators also handle sensitive customer data. Managing data privacy and customer data can be a daunting task for an aggregator. If the aggregator is unable to manage the data, this can lead to the risk of data loss and privacy violations.

Essential IT Requirements to Get a Payment Aggregator Licence in India

The IT security measures recommended for payment aggregators are as follows.

Information Security Governance

The organisation should conduct a comprehensive security risk assessment study of its people, IT, and business process environments. It must also identify risk exposures and residual risks with remediation measures. Entities should submit reports on risk assessments, security audit reports, security compliance status and security incidents to the board.

Data security standards

Implementation of data security standards such as PCI-DSS and PA-DSS, as well as the latest encryption standards and transport channel security standards.

Merchant Onboarding

Organisations should conduct a detailed security assessment during the merchant onboarding process to ensure that merchants are following these minimum baseline security controls.

Security incident reports

Entities need to report security incidents or any type of compromise of cardholder data to the Reserve Bank of India within 2-6 hours. Monthly reports on cyber security incidents and preventive measures should be submitted to the Reserve Bank of India.

Network security audit and reporting

Entities submit quarterly internal and annual external audit reports to the Information Technology Board.

Risk assessment

The risk assessment must identify the combination of threats or vulnerabilities and the likelihood of impact on the confidentiality, availability or integrity of the asset from a business, compliance and contractual perspective.

Access to applications

Procedures for managing applications should be documented, approved by the application owner, and kept up to date. Access to applications should follow the principle of least privilege and the need-to-know principle, matched to job responsibilities.

Employee Competence

Resources must be trained in IT skills and must be subject to periodic assessments of their training needs.

Cryptographic requirements

Merchant aggregators should select encryption algorithms that follow international standards and that have undergone rigorous scrutiny by the international community of cryptographers or are endorsed by authoritative professional organisations, reputable security vendors or government agencies.

Forensic preparation

All security events from the Payment Aggregator infrastructure, including applications, servers, middleware, networks, endpoint authentication events, web services, databases, encryption events, and log files should be collected, investigated, and analysed to proactively identify security alerts.

Data sovereignty

Payment aggregators should take precautions to ensure that data is stored in infrastructure that is not part of an external jurisdiction. Appropriate controls should be considered to prevent unauthorised access to data.

Outsourcing of information security

An outsourcing agreement should be prepared that provides a "right to audit" clause to enable the payment aggregator or its nominated organisation and the regulator to conduct security audits. Alternatively, the third party is required to submit an independent security audit report to the payment aggregator on an annual basis.

Payment Application Security

Payment applications should be developed in accordance with PA-DSS guidelines and must adhere to the specified guidelines. Payment aggregators must review PCI-DSS compliance status as part of their merchant onboarding process.

Security incident reports

Payment aggregators should report cyber security incidents to the regulator within 2-6 hours. Payment aggregators must have an agreement with merchants on security incident reporting.

PSS Act 2007 Penalty Provisions for Payment Aggregators

Under the PSS Act 2007, the following acts are penalised.

Unauthorised operation of payment aggregation systems. Failure of the Merchant Aggregator to comply with the terms of the Licence Authorisation. Failure of the Merchant Aggregator to generate a statement. Provision by the payment aggregator of any false statements or information. Disclosure of any prohibited information, non-compliance with the directions laid down by the Reserve Bank of India, or contravention of any provision of the Act. Contravention of any rule, regulation, order, direction, etc., prescribed by the Reserve Bank of India is a punishable offence and criminal proceedings may be instituted by the Reserve Bank. Under the Act, the Reserve Bank of India can also impose fines for certain offences.