Payment Gateway Integration

A payment gateway is a financial service that reads payment cards (like debit card, credit card, net-banking and payment through your e-wallet, etc.), payment gateways refer to software and servers that transfer transaction info to acquiring banks and responses from issuing banks. Essentially, payment gateways facilitate communication within banks.

Important RBI Notifications March 17, 2020:

Existing Non-Bank entities offering Payment Aggregation Services shall apply for authorization on or before 30th June, 2021 and during the process they can do it until the decision from Reserve Bank of India is communicated. So if the communication is positive, they can continue else they need to windup this business. Application can be made only after the Net worth of INR 15 Crore is there for existing player. On the other hand, they have mandate to reach at INR 25 Crore net worth by the end of 3rd Financial Year i.e. 31st March, 2023. Thereafter net-worth of INR 25 Crore shall be maintained at all times thereafter.

A payment gateway performs as an intermediary between the payments receivers and facilitates the transaction via the customer's bank account. Such a facility collects the information from the buyer bank and supplies this information to the receiving bank.

What is Payment Aggregator?

As per Reserve Bank of India definition entity that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create separate payment integration system of their own. It facilitates merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

Payment Aggregator Operation Model:

It handles the funds on behalf of user, platform and merchant via designated Bank Account i.e. Nodal/Escrow Account. Therefore it required the authorization from Reserve Bank of India under the Payment and Settlement System Act, 2007.

Users do shopping in digital platform. Now users need to make payment. Payment mode can be Wallet, Bank-Net Banking, Debit or Credit Card etc.

Platform is marketplace of various service provider, seller, financial services etc. They are defined as Merchant. Merchant are on-board by Platform on their agreed terms and conditions.

It involves user, platform, merchant and Bank to complete any payment transaction. User once do purchase or use the services listed on platform, required to pay which is landed in the entity doing payment aggregation business. User make payment form available/listed Bank or Wallet or any acceptable payments mode i.e. POS, Card, UPI, QR to Platform of Aggregator. It has to manage the payment receipt from user and bifurcate the amount into commission and actual to be reimburse to Merchant then after release the payment to merchant. It has step on step process to ignite and close the transaction.

Now on wards, whomsoever be participant here as payment aggregation business need to take license/registration from Reserve Bank of India unlike earlier. The timeline is 30th June, 2021 where the existing non-entity has to apply for registration of whose Net Worth should be INR 15 Crore. New applicant should have INR 15 Crore Net Worth to apply for registration to Reserve Bank of India. Once authorization granted can do this business, with target to reach INR 25 Crore Net Worth by the end of 3rd Financial Year.

What is Payment Gateway?

As per Reserve Bank of India definition entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Payment instrument that are processed at cloud required safe, secure and fraud-free platform to connect with credentials of Bank/Wallet/Debit or Credit Card to process the transaction, and it requires user interface which is in fact Payment Gateway in India.

For example: Digital Wallet where user can Load the Money. Money transfer from Bank Account to Wallet, and the path provider is Payment Gateway. Similarly, user make payment to platform from its wallet, the path used by it is Payment Gateway. So technology framework or say infrastructure i.e. user interface to transmit the Debit and Credit function digitally without handling the funds is Payment Gateway.

Security is an essential component of all payment gateways, as sensitive information such as credit/debit card numbers need to be secured from any fraudulent possibilities. The card associations have formed a set of guidelines and security standards, which must be followed by payment gateway provider. This set of instructions and security standards is recognized by the name of Payment Card Industry Data Security Standard (PCI-DSS or PCI).

PCI Audit & Final Certification Activity

• PCI DSS Scoping & Gap Assessment
• PCI DSS Formal Risk Assessment
• PCI DSS Policy & Procedure Review, Template sharing
• PCI DSS Final Audit & Certification
• PCI DSS Final Certificate Report Attestation & Issuance (ROC, AOC, COC)
• Application Security Testing/VAPT for 2 applications Web, Android & iOS
• Application Secure Code Review for 2 applications Web, Android & iOS
• ASV Scan for up to 5 IP’s (Pre-certification)
• Internal VA for up to 10 IP’s (Pre-certification)
• External Penetration Test for 5 IP’s(Pre-certification)
• Internal Penetration Test for 10 IP’s (pre-certification)

Infrastructure Setup 

• OS Hardening
• DB Hardening
• Patches Update
• DMZ and Internal Zone
• Centralized Antivirus Server
• NTP Server
• FIM Server
• MFA Server
• VPN Setup
• Firewall Rules

Network Architecture Diagram Documentation

• Firewall Configuration Policy
• DMZ & Internal
• Asset Inventory Detail
• Antivirus Policy
• Patch Management Policy
• Change Control Policy
• DB Access Policy
• Physical Security Policy
• Security Logs and Events Policy
• Backup Policy
• Data Retention and Disposal Policy
• Data Control and Access Control Policy
• Password Policy
• PCI DSS Awareness Training Policy

How does Payment Gateway Work?

A payment gateway executes a significant role in processing and allows the payment or transactions between customer and merchants.

A payment gateway encodes sensitive details of payment such as credit/debit cards number. A payment gateway technology shall ensure the information is passed securely between customers and merchants. Below are the basic steps on how it works:

• Step 1:  A buyer will book an order on the website by submitting the order, checkout from the cart, etc.
• Step 2:  Merchant initiates the transfer order information to the payment gateway and chooses their preferred payment method. The transaction is then directed to the issuing bank or the 3D secure page to request transaction authentication.
• Step 3:  Once the authentication process is successful, the transaction is then approved or declined (subject to funds available in the customer’s account) by the issuing bank or card (MAESTRO, VISA, MASTER, American Express)
• Step 4:  The payment gateway facility sends a message to the merchant accordingly.
• Step 5:  Post verification bank settles the money to the merchant.

To obtain the payment wallet license, an entity shall be registered under the Companies Act, 1956 or the Companies Act, 2013

• Proof of position of the business
• Detailed business plan along with review model
• A minimum of two members or directors
• PAN and Current Account of the company
• Testing Report by Software certifying agency  describing System Flow and Code
• Compliance with PCI DSS

Difference between Payment Aggregator & Payment Gateway

Digitalization of Financial Service Sector is not the outcome of day one, rather its ongoing process and regular innovation that all the stakeholder has witnessed in the continuous journey of Banking and Financial Service Sector. Finance is very core and confidential matter which need special consideration to transact in terms of secure and correct path to route and close the transaction in order to avoid any malpractices and fraud thereon. It can be facilitated through technological involvement on secured transmission line. And the way we are witnessing nowadays, technology is inevitable and gaining more on more popularity and uses on day to day function.

The culture of cash is now been shifting gradually in various other modes of payments. Cash and Cheque payments are now been traditional modes and uses on limited row due to recent developments of various instruments on payment system. It is transitional phase to phase out the cash payment system from country unlike earlier. Various regulatory framework are developed to monitor and guide the digital transaction.

Business Requirement:

Most popular segment to take as example is online shopping portal i.e. e-commerce platform. Now the e-commerce has huge market share of doing business, making the offline retailers and business, visible across the India to do business at PAN India level. But the pain area is easy and convenient way of settlement on payment proceeds.

Need and Regulatory Framework:

For the sake of brevity, the easy payment settlement system is been need of an hour and that to be on regulated framework unlike the earlier recommendatory circular on directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries dated 24th Nov, 2009 issued by Reserve Bank of India.

It took good years to define and design the regulatory framework and now after 10 years of evolvement and innovation on this particular segment, the Regulator has come up with Guidelines on Regulation of Payment Aggregator and Payment Gateway. It mandate the existing and new player with various requirements such as promoter fit and proper criteria, skilled Board of Director with in depth understanding of this market, technology framework, capital adequacy and so on. Now subject to Guidelines issued by Reserve Bank of India dated 17th March, 2020, we will discuss and understand the regulatory framework for this niche market.

Requirement for obtain Payment Gateway License:

• It is very much necessary to check the required documents/information are in order or not so tentative basic checklist to begin with this registration process are:-
• Demand Draft of INR 10,000/- (non-refundable)
• Applicant is Company and The Company has requisite Net Owned Fund.
• Board of Director understand the business and legal and technical complexities involve to do this business. Educational Qualification and Experience Certificate of Directors.
• Members fund are clear and clean. Net Worth and ITR of Members.
• Net Worth Certificate from Statutory Auditor
• Unaudited/Audited Financial Statement of Company
• Incorporation Certificate along with Memorandum and Article of Association
• Details of Statutory Auditor and Banker
• Banker Report of Company, Director and Member.
• System Specification
• IS Audit Report and Cyber Security Audit Report
• Business Plan
• Customer Grievance Redressal and Dispute Management Framework
• Security, Fraud Prevention and Risk Management Framework

As per the checklist, the required documents either to be prepared or collected and arranged accordingly with an application form to be submitted at Chief General Manager, Department of Payment and Settlement System (DPSS), RBI, Central Office, Mumbai. 

RBI has issued notification for an extension for filing an application to RBI for existing PAs/PGs company.

"Subject to earlier deadline for putting an application to RBI for Certificate of Authorization i.e. 30th June, 2021 been revised and extended based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions"