How to Obtain a Payment Aggregator License

Overview of Payment Aggregator License

A Payment Aggregator, also known as a Merchant Aggregator, is a third-party service provider that enables payments to be processed for mobile and e-commerce merchants. Payment aggregators allow merchants to accept payments through bank transfers and cards without the need to open a bank account or establish a direct credit card association. They provide an affordable and accessible payment solution, making it easier for small businesses to get started quickly. Unlike traditional payment gateways, payment aggregators offer a simplified process for managing payments by bridging the gap between acquirers and merchants.

Who are Payment Aggregators?

A Payment Aggregator is a third-party provider that facilitates online payments for merchants by integrating payment systems into their apps or websites. Essentially, payment aggregators connect merchants to acquirers, offering technologies to process online transactions efficiently without directly handling the funds.

Key functions of payment aggregators include:

  • Assisting merchants in connecting with acquirers to receive payments from customers.
  • Facilitating the transfer of funds to merchants after a specified period.
  • Allowing merchants to accept a wide range of payment methods without needing to build a separate payment integration system.
  • Managing customer data access for processing transactions.

By offering a consolidated payment platform, payment aggregators simplify the payment process for both merchants and customers.

Benefits of a Payment Aggregator

  • Acts as an intermediary between merchants and customers.
  • Simplifies the payment processing and transaction completion process.
  • Establishing a payment aggregator is straightforward, typically requiring just the signup for an e-commerce payment procedure. This opens opportunities for more businesses to enter the market and provides customers with more purchasing options.
  • Facilitates the creation of settlements on one end (clients) and merchants on the other.
  • Offers online transaction processing with minimal or no startup fees and fixed costs.
  • The application process is simple, allowing small businesses to operate smoothly.
  • An efficient and cost-effective solution for handling a high volume of smaller transactions.

Risks Associated with Payment Aggregation

Payment aggregators face certain risks in the online transaction process, including:

  • Inconsistent restore mechanisms and practices across companies.
  • Some e-commerce platforms that offer payment aggregation services are not directly regulated by the Reserve Bank of India (RBI), leading to potential double regulation concerns.
  • Poor governance practices within organizations can affect customer experience and erode trust.
  • Aggregators handle sensitive customer data, so maintaining data privacy and security is crucial. Any failure in data management can lead to data loss and privacy violations.
  • Payment aggregators may face risks related to transaction chargebacks or fraud, particularly with sub-merchants.

Essential IT Requirements for Obtaining a Payment Aggregator License

To secure a Payment Aggregator License, certain IT security measures must be in place:

  1. Data Security Standards: Implement standards like PA-DSS, PCI-DSS, and the latest encryption methods to ensure secure transactions.
  2. Risk Assessment: Identify potential risks to privacy, data integrity, and availability, considering business, compliance, and contractual factors.
  3. Staff Capability: Ensure staff are well-trained in IT security, with ongoing training needs assessments.
  4. Payment Application Security: Applications must comply with PA-DSS guidelines and PCI-DSS standards, especially during merchant onboarding.
  5. Information Security Excellence: Conduct regular security risk assessments and provide reports on security incidents to the board.
  6. Access to Applications: Document and approve procedures for managing application systems with access based on the least privilege principle.
  7. Cryptographic Requirements: Use encryption algorithms recognized by trusted bodies, such as security vendors or government agencies.
  8. Data Control: Implement measures to ensure data is collected and stored within authorized jurisdictions, with controls to prevent unauthorized access.
  9. Data Protection in Outsourcing: Ensure that third-party agreements allow for audits and security reviews.
  10. Security Incident Coverage: Report cybersecurity incidents to the regulator within 2 to 6 hours and have security incident coverage agreements with merchants.
  11. Forensic Readiness: Collect, investigate, and analyze security events across all infrastructure components to ensure timely detection of security breaches.
  12. Cybersecurity Review and Reports: Submit quarterly internal and annual external cybersecurity examination reports to the IT Committee.

Basic Requirements for Payment Aggregator License

To obtain a Payment Aggregator License, the following requirements must be met:

  1. Business Address Proof.
  2. Net Worth: New payment aggregators must have a minimum net worth of Rs. 15 crores at the time of application, which should be maintained at Rs. 25 crores thereafter.
  3. Certificate from Chartered Accountant (CA): A CA certificate is required to confirm compliance with the applicable net worth requirement.
  4. Financial Statements: If the business is a newly registered non-bank entity without an audited financial statement, a provisional balance sheet and a CA certificate regarding the current net worth must be submitted.
  5. Corporate Structure: The organization must have at least three directors and two members.
  6. PCI DSS Compliance: The organization must comply with PCI DSS standards.

Essential Documents for Obtaining a Payment Aggregator License

To obtain a Payment Aggregator License, the following documents are required:

  1. Certificate of Incorporation: Issued by the Registrar of Companies (ROC).
  2. Director Identification Number (DIN) and Director Signature Certificate (DSC): For all proposed directors.
  3. Bank Account Details: Information about the company’s bank account.
  4. Address Proof and PAN Card: For all directors.
  5. Business Plan: A detailed plan outlining the next five years of operations.
  6. Proof of Business Address: Any valid document verifying the company's business location.
  7. Code Testing Information: Provided by a certified software agency.
  8. Audited Balance Sheet: For the last two years, or since the company’s incorporation if it has been in operation for a shorter period.

Procedure for Obtaining a Payment Aggregator License

Companies seeking to obtain a Payment Aggregator License must follow these steps:

  1. Incorporation: The company must be incorporated under the Companies Act, 2013.
  2. Authorization from RBI: Obtain authorization from the Reserve Bank of India under the Payment and Settlement Systems (PSS) Act.
  3. Capital Requirements: The company must have a net worth of Rs. 15 crores, which must be increased to Rs. 25 crores within three years of operation.
  4. Anti-Money Laundering Mechanism: Implement a robust system to prevent money laundering.
  5. Nodal Officer Appointment: Designate a nodal officer responsible for managing client complaints and disputes.
  6. Bank Authorization: If the company is a bank, it must also obtain authorization under the PSS Act.
  7. Compliance with RBI Guidelines: Adhere to RBI guidelines, as penalties are imposed for failure to obtain the required authorization.

Post-Compliance Requirements for Payment Aggregator License in India

After obtaining a Payment Aggregator License, companies must submit various reports on a monthly, quarterly, and annual basis. Below is a summary of the reporting requirements:

Monthly Reports

| Report | Submission Date |
|---|---|
| Transaction Statistics | 7th of the next month |
| Frauds Report | 7th of the next month |
| Cyber Security Incident Reports (with full root cause study) | 7th of the next month |

Quarterly Reports

| Report | Submission Date |
|---|---|
| Auditor's Certificate on Escrow Balance | 15th of the month following the quarter-end |
| Banker's Certificate on Escrow Account (credits and debits audited) | 15th of the month following the quarter-end |
| Auditor's Certificate on Nodal Accounts (for marketplaces) | 15th of the month following the quarter-end |
| Customer Complaints Report | 15th of the month following the quarter-end |
| Cyber Security Audit Report | 15th of the month following the quarter-end |

Annual Reports

| Report | Submission Date |
|---|---|
| Audited Yearly Report (including CA Certificate on Net-worth) | 30th September |
| Cyber Security Audit and IS Audit Report (including corrective/preventive actions) | 31st May |
| Net-worth Certificate | 31st December |

Non-Periodic Reports

| Report | Trigger Event |
|---|---|
| Changes in Board of Directors (BODs) | Whenever there is a change |
| One-time technical audit or review | Whenever significant changes occur |

These reports ensure that the Payment Aggregator complies with RBI regulations and maintains transparency in its operations.

Penalties Under the PSS Act, 2007 for Payment Aggregators

As per the Payment and Settlement Systems (PSS) Act, 2007, the following actions are subject to penalties:

  1. Operating a Payment Aggregator System Without Authorization: Any payment aggregator operating without the necessary permission from the Reserve Bank of India (RBI) will face penalties.
  2. Non-compliance with RBI Directives: Failure to follow the guidelines, rules, regulations, or orders issued by RBI can lead to legal action, including criminal proceedings.
  3. Failure to Submit Statements: If the payment aggregator fails to submit required statements or reports, penalties may be imposed.
  4. Providing False Information: Offering incorrect or misleading information or statements is punishable under the law.
  5. Violation of License Conditions: Any default in adhering to the terms and conditions of the license authorization can lead to penalties.
  6. Non-compliance with RBI Directives: If a payment aggregator fails to follow the directions of the RBI or violates provisions of the Act, penalties may be applied.

Difference Between Payment Aggregator and Payment Gateway

| Feature | Payment Gateway | Payment Aggregator |
|---|---|---|
| Role | Mediator between the bank and merchant | Interface between merchants and acquirers |
| Ownership | Owned by Private/Public Banks, Vendors, Merchants, and Aggregators | Owned by Fintech Companies |
| Payment Options | Limited to specific payment methods | Offers a variety of payment options |
| Permissions | Requires authorization from RBI under the PSS Act, 2007 | Requires certification as per Payment Card Industry-Data Security Standard (PCI-DSS) |
| Suitability for Small Businesses | Fees for transactions are typically high | Payment Aggregators enable affordable services for small businesses |
| Payment Success Rate | Depends on the gateway's capability | Generally offers a higher payment success rate |
| Touchpoints | Primarily online touchpoints (apps or websites) | Both online and offline touchpoints |

This table provides a clear distinction between Payment Gateways and Payment Aggregators in terms of their functionality, ownership, suitability, and more.