RBI Payment Aggregator and Payment Gateway (PA-PG) Audit

The RBI PA-PG audit is an annual system audit mandated under the RBI 2025 PA Master Direction for all authorized Payment Aggregators in India. It must be conducted by a CERT-In empanelled auditor and covers merchant onboarding, escrow controls, payment data handling, cybersecurity posture, and technology baseline. Payment Aggregators holding or applying for RBI authorization and Payment Gateways supporting PA operations need this audit.

Yes. The RBI 2025 PA Master Direction specifically requires the annual system audit including cybersecurity audit to be conducted by CERT-In empanelled auditors. Audit reports from non-empanelled auditors will not be accepted by RBI. Security Brigade holds active CERT-In empanelment, making our audit reports eligible for regulatory submission.

The PA-PG audit is a comprehensive system audit covering the full scope of Payment Aggregator operations including merchant onboarding, escrow management, settlement flows, payment data handling, and governance, in addition to cybersecurity controls. The RBI cybersecurity framework audit focuses specifically on cybersecurity posture and controls. The PA-PG audit includes a cybersecurity audit component but has a significantly broader scope covering operational and regulatory compliance.

The RBI PA Master Direction mandates an annual system audit including cybersecurity audit. This means Payment Aggregators must undergo the complete audit every year. Security Brigade recommends aligning the audit cycle with your financial year and board reporting calendar to ensure timely submission and governance oversight.

Failure to pass the PA-PG audit or non-compliance with the PA Master Direction can result in RBI enforcement actions including monetary penalties, directions to cease onboarding new merchants, restrictions on processing, or revocation of PA authorization. Additionally, acquiring bank partners and payment networks may require compliance evidence, making non-compliance a direct business risk.

Yes. Data localization is a critical component of the PA-PG audit. RBI requires all payment data including customer data, payment-sensitive data, payment credentials, and transaction data to be stored exclusively in India. The audit verifies data residency across production systems, database replicas, logs, backups, disaster recovery environments, analytics stores, and third-party processors.

A typical PA-PG audit engagement takes 5 to 6 weeks from scoping through final report delivery. This includes regulatory mapping, architecture review, control assessment, VAPT execution, gap identification, remediation support, and closure validation. Timelines can vary based on the complexity of your payment operations and the number of systems in scope.

The PA Master Direction references PCI-DSS and PA-DSS relevance for Payment Aggregators handling card data. If your PA processes, stores, or transmits cardholder data, PCI-DSS compliance becomes relevant within the PA-PG audit scope. Security Brigade assesses PCI-DSS relevance as part of the integrated audit and can provide separate PCI-DSS gap analysis and readiness consulting if required.

Security Brigade provides end-to-end support including remediation guidance and closure validation. Unlike audit-only firms that hand you a findings report and walk away, we work directly with your engineering, DevOps, and compliance teams to close identified gaps. Every remediation item is tracked through Lemon with owners, deadlines, evidence requirements, and validation status.

Payment Gateways that provide technology infrastructure for payment aggregation are also within the scope of the PA Master Direction. While the primary authorization and audit obligations fall on Payment Aggregators, PGs supporting PA operations must demonstrate compliant technology controls, security posture, and data handling practices. Security Brigade audits both PAs and PGs under the same framework.