RBI Guidelines for Payment Aggregators and Payment Gateways


Get an in-depth analysis of the RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways (RBI/DPSS/2019-20/174) and learn more about how Security Brigade can help you meet the RBI Cyber Security Guidelines.

As a CERT-In Empanelled Security Auditor, Security Brigade is authorised to help you understand, manage and comply with the RBI Guidelines & Circulars that are released on a periodic basis. As of March 17th 2020, the RBI has released new guidelines for Payment Aggregators and Payment Gateways, which include specific clauses and requirements pertaining to Cyber Security.

The following is a quick summary of some of the key points and requirements from the RBI Guidelines for Payment Aggregators and Payment Gateways.



Responsibility for Merchant’s Security

  • Compliance with PCI-DSS & PA-DSS (as applicable) for Merchant’s Applications & Infrastructure
  • Agreement with Merchant Regarding Security & Privacy of Customer Data
  • Review of Periodic Security Assessment Reports & Risk Assessment Reports on Contract Renewal


Security, Fraud Prevention and Risk Management Framework

  • Strong risk management system – Prevent fraud and ensure customer protection.
  • Adequate information and data security infrastructure and systems for prevention and detection of frauds.
  • Implementation of board approved information security policy.
  • Implement baseline technology-related recommendations in Annexure 2.
  • Mechanism for monitoring, handling and follow-up of cyber security incidents and breaches.
  • Comply with data storage requirements as applicable to Payment System Operators (PSOs).
  • System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors.


Baseline Technology-related Recommendations

  • Information Security Governance
  • Data Security Standards
  • Security Incident Reporting
  • Comprehensive Security Assessment during Merchant Onboarding
  • Cyber Security Audit and Reports: Quarterly Internal Audits, Annual External Audit Reports, Bi-Annual Vulnerability Assessment / Penetration Test (VAPT) reports, and PCI-DSS compliance reports, including Attestation of Compliance (AOC) and Report of Compliance (ROC)
  • Board Approved Information Security Policy
  • Board Approved IT Governance Policy
  • IT Steering Committee
  • Enterprise Information Model
  • Cyber Crisis Management Plan
  • Enterprise Data Dictionary
  • Risk Assessment
  • Access to Application
  • Competency of Staff
  • Vendor Risk Management
  • Maturity and Roadmap
  • Cryptographic Requirement
  • Forensic Readiness
  • Data Sovereignty
  • Data Security in Outsourcing
  • Payment Application Security


Compliance Submissions

  • Annual – IS Audit Report and Cyber Security Audit Report
  • As Needed – Cyber Security Incident Reports

