RBI Payment Aggregators & Payment Gateway Audit

RBI Payment Aggregators & Payment Gateway Audit is Crucial to Your Business. Learn Why!

The Reserve Bank of India circulated new guidelines on 17th March 2020 on the Regulation of Payment Aggregators and Payment Gateways. These guidelines require Payment Aggregators and Payment Gateways to obtain authorization from RBI and to settle payments to merchants within fixed transaction timelines. The guidelines set out detailed technical and operational requirements for Payment Aggregators and Payment Gateways, covering merchant onboarding, customer data access, audit obligations and data sovereignty. Through these guidelines, RBI has decided to regulate the activities of payment aggregators and to support them with baseline technology recommendations for payment gateways.


Under the March 2020 guidelines, all existing non-bank Payment Aggregators are required to obtain authorization from RBI before 30th June 2021. From then on, Payment Aggregators and Payment Gateways are regulated by RBI to ensure the safety of online transactions.

The key aspects covered by the RBI guidelines are described below.

  • Non-bank Payment Aggregators must have a minimum net worth of Rs 15 crore, rising to INR 25 crore by the end of the financial year.
  • Payment Aggregators must adopt baseline technology requirements, including the implementation of data security standards, cybersecurity audits, incident reporting and the framing of IT policies.
  • Payment Aggregators must have clear policies for merchant on-boarding, privacy and customer grievance redressal, and must follow the provisions of the Prevention of Money Laundering Act 2002.
  • E-commerce organizations that also carry on a Payment Aggregator business need to obtain authorization and segregate the Payment Aggregator business into a separate entity.
  • A non-bank Payment Aggregator has to be a company incorporated under the applicable Companies Act, with the PA activity forming part of its business.
  • In case of any takeover, acquisition of control or change in upper management of a non-bank Payment Aggregator, the Chief General Manager of RBI has to be informed within 15 days of the change.
  • RBI also prescribes the formats for authorization, which include a net-worth certificate, a directors' undertaking and an auditor's certificate confirming the balance maintained in the escrow account, as well as a format for reporting the transaction data handled by Payment Aggregators every month.


Key Benefits

An RBI Payment Aggregators & Payment Gateway Audit provides the benefits described below.

Remediated Vulnerabilities

The activities performed by Payment Aggregators and Payment Gateways while processing online transactions are critical; the audit identifies and helps fix all the vulnerabilities present.

New Security Methods

The earlier guidelines for Payment Aggregators and Payment Gateways were not sufficient, and although no major complaints have been recorded in over 10 years, RBI took this step to ensure customer security and privacy.

Directed by RBI

The primary business of Payment Aggregators and Payment Gateways had not come within the regulatory ambit of RBI. Separation of these entities is therefore required, together with proper regulation.

Get Total Access

Customers may not have direct access to Payment Aggregators and Payment Gateways and have to rely on merchants and banks. The guidelines address this and provide a proper resolution mechanism.

Detailed Roles and Liabilities

There is a need for proper delineation of roles and responsibilities among the Payment Aggregator, the merchants and the customer. Under these guidelines, Payment Aggregators and Payment Gateways have to handle customer data in a more secure way.

Deploy Updated Technology

Technology varies across entities and architectures; updated technology for Payment Aggregators and Payment Gateways assists customers and enhances their experience.

Our Assessment Methodology

Define Scope

Before an application assessment can take place, Xiarch defines a clear scope with the client. Open communication between Xiarch and the client organization is encouraged at this stage to establish a solid foundation for the assessment.

Information Gathering

Xiarch engineers collect as much information as they can on the target, employing a wide range of OSINT (Open Source Intelligence) tools and techniques. The assembled information helps us understand the operating environment of the organization, which allows us to evaluate risk accurately as the engagement progresses.

At this stage, we combine automated scripts and tools with other techniques for more advanced information gathering. Xiarch experts closely inspect every conceivable attack vector. The data gathered in this stage forms the basis for exploitation in the next stage.

Assessment & Gap Analysis

In this step, we run both manual and automated security scans to find all possible attack vectors and vulnerabilities. We then run exploits against the application to evaluate its security, using a range of methods, open-source scripts and in-house tools to achieve a high degree of penetration. All of this is done cautiously so that your application and its data remain secure.

This is the final stage of the whole assessment process. In this stage, the Xiarch analysts aggregate all the information obtained and provide the client with a thorough, comprehensive account of our findings. The report contains a high-level analysis of all the risks, and the final report highlights all the weaknesses and strengths present in the application.

Discussion & Remediation

Once the assessment is complete, our team discusses the report with you and identifies appropriate solutions for the bugs found. A comprehensive discussion then follows on how to fix these vulnerabilities. We verify that the changes were implemented properly and that all the vulnerabilities have been fixed, and the team provides a detailed closure or remediation report reflecting the more secure state of the application.


Why Xiarch?

Xiarch is an ISO 9001:2015 and ISO 27001:2013 certified Cyber Security and IT Services Company providing Information Security solutions such as VAPT Services, Penetration Testing Services and Vulnerability Assessment Services. Among our customers we proudly count Government Organizations, Fortune 1000 Companies and countless start-up companies. We are also Value Added Partners, Authorized Re-sellers and Distributors of leading Web Application Security Testing Tools.

We are headquartered in Delhi and have a branch presence in Gurugram, Mumbai and Chennai, India.

Contact our sales team at +91 11-45510033 for further clarification on the above service; you can also reach us by email at [email protected]. We'll be grateful to serve you. Happy Security.
