RBI Payment Gateway Licensing in India

India’s digital payments ecosystem has undergone a revolutionary transformation over the past decade. From a largely cash-driven economy, India has evolved into one of the world’s fastest-growing digital payments markets, processing billions of transactions annually through platforms like UPI, NEFT, RTGS, IMPS, and card networks. At the heart of this transformation lies a critical regulatory framework established and governed by the Reserve Bank of India (RBI) — specifically, the licensing and authorization of Payment Gateways (PGs) and Payment Aggregators (PAs).

As of 2026, any entity wishing to operate as a Payment Aggregator or Payment Gateway in India must obtain explicit authorization from the RBI under the Payment and Settlement Systems Act, 2007 (PSS Act), and comply with the RBI’s Master Directions on Payment Aggregators and Payment Gateways, which were comprehensively updated in 2021 and further refined through circulars issued in 2023 and 2024. Non-compliance can attract heavy penalties, including cancellation of authorization and criminal proceedings.

This comprehensive guide is designed to help entrepreneurs, FinTech startups, banks, NBFCs, and established corporations understand every dimension of the RBI Payment Gateway License — from eligibility to application, from capital requirements to ongoing compliance — ensuring that businesses can enter and thrive in India’s regulated payments landscape.

Understanding the RBI’s Payment Regulation Framework

What Is a Payment Gateway (PG)?

A Payment Gateway (PG) is a technology infrastructure that facilitates the secure transmission of payment information between a customer, a merchant, and the issuing/acquiring bank. A PG does not hold or settle funds — it is purely a technology service provider that encrypts and routes payment data.

Key characteristics of a Payment Gateway:

  • Provides technology integration (APIs, SDKs, plugins) for online transactions
  • Encrypts and securely transmits card/bank/UPI credentials
  • Interfaces with card networks (Visa, Mastercard, RuPay), NPCI, and banking systems
  • Does not hold merchant funds or settle transactions independently
  • Must comply with PCI-DSS and RBI’s technology standards

What Is a Payment Aggregator (PA)?

A Payment Aggregator (PA) is an entity that facilitates e-commerce sites and merchants to accept various payment instruments from customers. Unlike a PG, a PA not only routes payment data but also pools customer funds and settles them with the merchant. This fund-handling function is what makes the PA subject to direct RBI authorization.

Key characteristics of a Payment Aggregator:

  • On-boards merchants and enables them to accept payments
  • Pools funds received from customers in a nodal/escrow account
  • Settles funds to merchants after deducting its service fee
  • Bears responsibility for merchant due diligence (KYC/KYB)
  • Must have RBI authorization before commencing operations

Distinction Between PA and PG Under RBI Rules

| Parameter | Payment Aggregator (PA) | Payment Gateway (PG) |
|---|---|---|
| Fund Handling | Yes — pools and settles funds | No — only routes data |
| RBI Authorization | Mandatory | Not directly required* |
| Net Worth Requirement | Rs. 25 Cr (existing) / Rs. 15 Cr (new) | No prescribed limit |
| Merchant Onboarding | Yes — mandatory KYC | Not applicable |
| Escrow Account | Required with scheduled bank | Not applicable |
| Governing Framework | RBI PA Guidelines 2021 | RBI PG Guidelines 2021 |

*Note: While PGs do not require RBI authorization directly, they must comply with the RBI’s Guidelines on Payment Gateways issued in March 2020 (updated 2021), and any PA using a PG’s services remains responsible for compliance.

Legal Framework and Governing Legislation

Payment and Settlement Systems Act, 2007 (PSS Act)

The PSS Act is the primary legislation that empowers the RBI to regulate all payment systems in India. Under Section 4 of the PSS Act, no entity can commence or operate a payment system without prior authorization from the RBI. Violation of this provision can result in imprisonment of up to two years, a fine up to Rs. 10 lakhs, or both, in addition to closure of the payment system.

Key RBI Circulars and Guidelines (2020–2026)

| Date | Circular/Guideline | Key Provision |
|---|---|---|
| March 2020 | Guidelines on Regulation of Payment Aggregators and Payment Gateways | Introduced PA/PG distinction; mandated authorization |
| March 2021 | Extension circular | Extended application deadline for existing PAs |
| August 2021 | Master Directions on PA/PG | Comprehensive compliance framework finalized |
| October 2022 | PA-CB (Cross-Border) Guidelines | Extended PA framework to cross-border transactions |
| July 2023 | Updated KYC/AML norms | Enhanced merchant due diligence requirements |
| January 2024 | Revised net worth thresholds | Increased capital requirements for new applicants |
| 2025–2026 | Digital Lending & Embedded Finance | PAs integrated with ONDC, account aggregators |

Interplay with Other Regulations

Payment Gateway operators must also comply with:

  • Information Technology Act, 2000 & IT (Amendment) Act, 2008 — for data security and cybercrime
  • Prevention of Money Laundering Act, 2002 (PMLA) — for AML/KYC requirements
  • Foreign Exchange Management Act, 1999 (FEMA) — for cross-border transactions
  • Personal Data Protection Bill / DPDPA 2023 — for customer data privacy
  • PCI-DSS Standards — for card data security (mandated by RBI)

Who Needs an RBI Payment Aggregator Authorization?

Entities Mandatorily Requiring RBI Authorization

As per the RBI’s 2021 Master Directions, the following entities require explicit PA authorization:

  1. Non-bank entities (companies incorporated in India) that aggregate payments from merchants and settle them
  2. E-commerce marketplaces that facilitate payments on behalf of third-party merchants and settle directly
  3. FinTech companies operating embedded payment solutions for merchant ecosystems
  4. Third-party application providers (TPAPs) that operate beyond mere UPI routing

Entities Exempt from PA Authorization

The following are exempt or have separate treatment:

  • Scheduled commercial banks and payment banks — governed by banking licenses
  • Small Finance Banks and NBFCs-MFI — governed by their respective RBI licenses
  • Companies processing payments only for their own goods/services (no third-party merchants)
  • NPCI, NPCI Bharat BillPay — government-mandated infrastructure entities

Is Your Business a PA or Merely a PG?

Quick Test: Is Your Entity a PA?

Ask yourself: Does your platform collect money from customers and hold it (even briefly) before passing it to merchants? If YES — you are a Payment Aggregator and MUST obtain RBI authorization before operations.

If you only route payment data without touching funds, you operate as a PG and need not obtain PA authorization, but must still comply with RBI’s PG guidelines.

Eligibility Criteria for RBI Payment Aggregator License (2026)

Entity Structure Requirements

Only companies incorporated under the Companies Act, 2013 (or its predecessor) with their registered office in India are eligible to apply for a PA license. Sole proprietorships, partnership firms, LLPs, and trusts are NOT eligible.

Net Worth Requirements (Updated 2026)

| Applicant Category | Minimum Net Worth at Application | Minimum Net Worth by March 2026 |
|---|---|---|
| New Applicants (starting fresh) | Rs. 25 Crore | Rs. 25 Crore (at all times) |
| Existing PAs (authorised pre-2021) | Rs. 15 Crore | Rs. 25 Crore by March 31, 2026 |
| PA-Cross Border (PA-CB) | Rs. 25 Crore | Minimum maintained at all times |

Net worth is calculated as: Paid-up equity capital + Free reserves - Accumulated losses - Deferred revenue expenditure - Other intangible assets. The net worth must be maintained at all times and evidenced through a Chartered Accountant’s certificate.

Fit and Proper Criteria for Promoters/Directors

All promoters, major shareholders (holding 10% or more), and directors must satisfy the RBI’s ‘Fit and Proper’ criteria:

  • No criminal conviction involving moral turpitude
  • No financial fraud, forgery, or wilful default background
  • Sound financial standing (no NPA classification with any bank)
  • Relevant experience in payments, banking, or technology sectors preferred
  • No adverse orders from SEBI, IRDA, or other financial regulators

Technology & Infrastructure Readiness

  • PCI-DSS v4.0 compliant infrastructure (mandatory from 2024)
  • Secure Payment Application (PA-DSS) compliance
  • ISO/IEC 27001 Information Security Management certification
  • Business Continuity Plan (BCP) and Disaster Recovery (DR) setup with RTO/RPO specifications
  • Data localisation: All payment data of Indian customers must be stored only in India

Step-by-Step Application Process for RBI PA License

Phase 1: Pre-Application Preparation (3–6 Months)

  1. Company Incorporation: Ensure the company is incorporated under Companies Act, 2013 with the appropriate MoA/AoA
  2. Capital Infusion: Ensure net worth of Rs. 25 crore is reflected in audited balance sheet or CA certificate
  3. Technology Audit: Commission PCI-DSS assessment and obtain certificate of compliance
  4. Merchant KYC Framework: Develop comprehensive merchant onboarding and KYC/KYB policies
  5. Nodal Account Setup: Tie up with a scheduled commercial bank for escrow/nodal account agreement
  6. Board Resolutions: Obtain board approval for application and appoint a Nodal Officer/Compliance Officer

Phase 2: Document Compilation

Prepare the following documentation package:

  • Certificate of Incorporation, MoA, AoA
  • Audited Financial Statements (last 3 years)
  • CA Certificate for net worth
  • Business Plan with 5-year financial projections
  • Merchant onboarding policy and KYC framework
  • Grievance Redressal Mechanism document
  • System and technology audit report (PCI-DSS)
  • Information security policy
  • Details of promoters/directors with KYC, CIBIL reports
  • Nodal/escrow account agreement with bank
  • AML/CFT policy document
  • Data localisation compliance certificate
  • Board-approved risk management framework

Phase 3: Online Application Submission

As of 2025, the RBI has transitioned to an online application portal (PRAVAAH — Platform for Regulatory Application, Validation And Authorisation) for PA license applications. Steps:

  1. Register on the PRAVAAH portal (https://pravaah.rbi.org.in)
  2. Select ‘Authorisation of Payment Aggregator’ under PSS Act applications
  3. Fill the application form and upload all documents (PDF format, max 10 MB each)
  4. Pay the non-refundable application fee of Rs. 10,000 via NEFT/RTGS
  5. Receive acknowledgement and Application Reference Number (ARN)

Phase 4: RBI Scrutiny and In-Principle Approval

The RBI’s Department of Payment and Settlement Systems (DPSS) reviews the application. The typical timeline is:

| Stage | Timeline | Description |
|---|---|---|
| Initial Scrutiny | 1–2 months | Completeness check; deficiency notice if documents are incomplete |
| Detailed Review | 3–6 months | In-depth review of financials, tech, KYC framework |
| In-Principle Approval (IPA) | 6–12 months from submission | RBI grants IPA valid for 6 months for system setup |
| Final Authorization | Within 6 months of IPA | After successful system audit and compliance demonstration |

Total expected timeline from application submission to final authorization: 12–18 months (varies based on application quality and RBI’s workload).

Fees, Costs, and Financial Requirements (2026)

Direct RBI Application Fee

The RBI charges a nominal application processing fee of Rs. 10,000 (non-refundable). However, the total cost of obtaining the license is significantly higher due to compliance and infrastructure requirements.

Total Estimated Investment for PA License

| Cost Head | Estimated Cost (INR) | Remarks |
|---|---|---|
| RBI Application Fee | Rs. 10,000 | Non-refundable, payable to RBI |
| Net Worth Capital Requirement | Rs. 25,00,00,000 (25 Cr) | Must be maintained as equity/reserves |
| PCI-DSS Compliance Audit | Rs. 15 – 30 Lakhs | Annual; via RBI-approved auditors |
| ISO 27001 Certification | Rs. 5 – 10 Lakhs | One-time + annual surveillance |
| Technology Infrastructure | Rs. 1 – 5 Crore | Servers, DR setup, data localisation |
| Legal & Advisory Fees | Rs. 20 – 50 Lakhs | Company law, RBI consultation, documentation |
| Merchant KYC System Setup | Rs. 10 – 30 Lakhs | KYC API integration, verification software |
| Nodal Account (Escrow Bank) | Bank-specific | Account maintenance charges vary by bank |
| Compliance Officer Salary | Rs. 12 – 30 Lakhs/year | Dedicated Nodal Officer per RBI norms |
| Annual System Audit (CERT-In) | Rs. 10 – 25 Lakhs | Empanelled auditors for annual tech audit |

Total first-year investment estimate: Rs. 30 Crore to Rs. 35 Crore (inclusive of net worth and compliance costs)

Ongoing Compliance Obligations After Authorization

Merchant Onboarding & KYC Requirements

As of the 2021 Master Directions and subsequent 2023 amendments, authorized PAs must maintain a tiered merchant KYC framework:

| Merchant Type | KYC Requirement | Settlement Limit |
|---|---|---|
| Small Merchants (website/physical) | Basic KYC (PAN + bank account) | Up to Rs. 50,000/month |
| Medium Merchants (GST registered) | Full KYC (PAN, Aadhaar, GST, Bank) | Up to Rs. 5,00,000/month |
| Large Merchants (high volume) | Enhanced KYC + Video KYC | Above Rs. 5,00,000/month |
| International/Export Merchants | Full KYC + FEMA compliance | As per FEMA limits |


Escrow/Nodal Account Management

PAs must maintain a nodal account with a scheduled commercial bank. Key rules:

  • Customer funds must be credited to the nodal account within T+0 (same business day)
  • Merchants must be settled within T+1 business day (T = transaction date)
  • No co-mingling of PA’s own funds with merchant/customer funds
  • Monthly reconciliation statements to be submitted to the nodal bank
  • Interest earned on nodal account to be used only for merchant benefit (not PA’s profit)

Reporting Obligations to RBI

| Report | Frequency | Submitted To |
|---|---|---|
| Merchant Onboarding Report | Monthly | RBI DPSS, regional office |
| Transaction Volume & Value Report | Monthly/Quarterly | RBI DPSS portal |
| Grievance Redressal Report | Quarterly | RBI Ombudsman data submission |
| Cyber Security Incident Report | Within 6 hours of incident | RBI CSITE, CERT-In |
| Annual System Audit Report | Annually | RBI DPSS |
| Financial Statements (CA certified) | Annually | RBI DPSS |
| Change in Ownership/Management | Within 30 days of change | RBI DPSS prior approval |

Data Localisation Requirements

The RBI mandates strict data localisation for all PAs and PGs:

  • All payment system data (full end-to-end transaction data) of Indian customers must be stored ONLY within India
  • Data cannot be processed, stored, or transmitted to servers outside India
  • Foreign PAs with cross-border operations may store a copy abroad, but must ensure Indian data resides in India
  • Compliance to be verified via system audit reports submitted annually to RBI

Grievance Redressal Framework

  • Dedicated customer complaint portal/toll-free number mandatory
  • Initial response within 24 hours; resolution within 30 days
  • Unresolved complaints escalatable to RBI Integrated Ombudsman Scheme (RBI-IOS)
  • Quarterly reporting of complaint data to RBI

Cross-Border Payment Aggregator Authorization (PA-CB)

What is PA-CB?

The RBI issued dedicated guidelines for Cross-Border Payment Aggregators (PA-CB) in October 2022. A PA-CB is an entity that facilitates export and/or import payments for Indian merchants conducting international e-commerce transactions.

Two Categories of PA-CB

  • PA-CB (Export): Facilitates receipt of payment from overseas customers for Indian merchants
  • PA-CB (Import): Facilitates payment to overseas merchants by Indian customers

Key Requirements for PA-CB

| Requirement | Detail |
|---|---|
| Eligibility | Authorized PA or banks/NBFCs |
| Net Worth | Rs. 25 Crore (same as domestic PA) |
| FEMA Compliance | Adherence to Export-Import regulations, AD bank involvement |
| Purpose Code Mapping | Transactions mapped to FEMA purpose codes |
| Transaction Limits | As per RBI/FEMA foreign exchange limits |
| Reporting | Forex transaction reporting to Authorized Dealer Bank + RBI |

Tokenisation, Security, and Technology Mandates

Card Tokenisation (Mandatory from 2022)

As per RBI circular dated September 7, 2021 (effective January 2022, extended to October 2022), Payment Aggregators and Payment Gateways are prohibited from storing actual card data (16-digit PAN, expiry date, CVV) on their servers. Instead:

  • Card-on-file (CoF) tokenisation is mandatory — actual card credentials replaced with unique tokens
  • Tokens are generated by card networks (Visa, Mastercard, RuPay, Amex) at the PA’s/PG’s request
  • Only card issuers and card networks can store actual card data
  • Merchants receive only tokens; no raw card data stored at merchant servers

PCI-DSS v4.0 Compliance

RBI requires all PAs and PGs to be PCI-DSS (Payment Card Industry Data Security Standard) compliant. Version 4.0 (effective March 2024) introduces:

  • Customized implementation approach for security controls
  • Strengthened multi-factor authentication requirements
  • Phishing-resistant authentication for all administrative access
  • Enhanced e-commerce security requirements (anti-skimming controls)
  • Regular vulnerability scanning and penetration testing (quarterly)

Two-Factor Authentication (2FA)

All online transactions must mandatorily use Additional Factor of Authentication (AFA), typically OTP-based second factor. RBI allows:

  • OTP via SMS (most common)
  • Hardware token-based OTP
  • Biometric authentication (for specific use cases)
  • Device-binding (for mobile app-based payments)

UPI Integration and NPCI Certification for Payment Gateways

Role of NPCI in Payment Gateway Operations

While RBI regulates and authorizes PAs, the National Payments Corporation of India (NPCI) governs specific payment rail operations including UPI, RuPay, NACH, and IMPS. Any PA or PG wishing to integrate UPI payments must separately comply with NPCI’s membership and certification requirements.

NPCI Certification Requirements

  • Technical certification for UPI API integration
  • Compliance with NPCI UPI Product Circulars
  • Real-time transaction dispute and chargeback management per NPCI protocols
  • Merchant categorization codes (MCC) aligned with NPCI/card network standards
  • NPCI IMPS certification for IMPS-based payment routing

UPI Market Share Cap (2026 Update)

NPCI had proposed a 30% market share cap on UPI third-party application providers. As of 2026, the implementation of this cap has been deferred, but PAs must monitor NPCI circulars for updates. PAs facilitating UPI transactions through their platforms must ensure compliance with NPCI’s system availability (99.9% uptime) and transaction success rate requirements.

Penalties, Enforcement, and Common Violations

Penalties Under PSS Act, 2007

| Violation | Penalty |
|---|---|
| Operating payment system without authorization | Imprisonment up to 2 years + Fine up to Rs. 10 Lakhs, or both |
| Failure to maintain net worth | Warning/Show cause notice; risk of suspension of authorization |
| Non-compliance with data localisation | Penalty up to Rs. 1 Crore per violation (under IT Act + RBI enforcement) |
| Storing card data in violation of tokenisation norms | Immediate advisory/penalty; blacklisting risk |
| Failure to report cyber security incidents | Penalty per RBI cyber security framework |
| Non-compliance with merchant KYC norms | Penalty + Risk of authorization cancellation |
| Settlement delays beyond T+1 | Financial penalty + Merchant complaint escalation to RBI Ombudsman |

Recent RBI Enforcement Actions (2023–2025)

The RBI has become increasingly stringent in enforcement. Notable actions include:

  • Multiple FinTech companies issued show-cause notices for operating PA services without authorization (2023)
  • Paytm Payments Bank: RBI directed cessation of new customer onboarding citing compliance failures (2024)
  • Several cross-border PAs penalized for FEMA violations in import-export settlement processing
  • RBI introduced a ‘regulatory sandbox’ concept for innovative payment solutions — enabling controlled testing before full licensing

Expert Tips to Improve RBI License Approval Chances

Before Applying

  • Engage a specialized RBI compliance law firm — not a general corporate lawyer
  • Ensure your business plan clearly differentiates PA activities from mere PG services
  • Commission a mock RBI audit through a CERT-In empanelled auditor before submitting
  • Establish a clean financial track record — no defaults, no NPA status
  • Set up escrow/nodal account in advance and include the bank’s confirmation letter

During the Application

  • Respond to RBI deficiency notices within the specified timeline (typically 15 days)
  • Assign a single point of contact (Compliance Officer) for all RBI communication
  • Maintain consistency across all documents — avoid discrepancies in figures, dates, or names
  • Include a detailed grievance redressal flowchart in the application

Post In-Principle Approval

  • Complete system setup and technical audit within the 6-month IPA validity window
  • Conduct internal UAT (User Acceptance Testing) across all payment modes before final audit
  • Do not commence live merchant operations until final authorization is received
  • Appoint a dedicated Board-level committee for payment system oversight

Future Trends in RBI Payment Gateway Regulation (2026 and Beyond)

CBDC Integration

The RBI’s Digital Rupee (e₹) — India’s Central Bank Digital Currency — is expected to be integrated into the PA/PG framework. PAs may be required to support e₹ wallets and transactions by 2027, adding a new compliance dimension.

Open Banking and Account Aggregator Framework

The Account Aggregator (AA) ecosystem, regulated by RBI, enables consent-based financial data sharing. PAs integrating with the AA framework can offer richer payment experiences (e.g., pre-approved credit at checkout, real-time bank balance checks). RBI is expected to mandate AA integration for larger PAs by 2027.

Embedded Finance and ONDC

The Open Network for Digital Commerce (ONDC) has redefined e-commerce in India. PAs that integrate as ONDC-compliant payment nodes gain access to a rapidly expanding merchant network. RBI has signaled specific compliance guidelines for ONDC-integrated PAs.

AI and Fraud Prevention

RBI guidelines increasingly emphasize AI-powered fraud detection as a compliance requirement. PAs are expected to deploy:

  • Real-time transaction monitoring using ML models
  • Behavioral biometrics for user authentication
  • Velocity checks and anomaly detection for suspicious patterns
  • Automated STR (Suspicious Transaction Reports) filing with FIU-IND

RegTech and Automated Compliance

RBI is piloting regulatory technology (RegTech) solutions for automated compliance monitoring. Future PAs may be required to provide API-level access to RBI for real-time transaction data, moving beyond periodic reporting to continuous oversight.

Conclusion

Obtaining an RBI Payment Aggregator License is one of the most rigorous yet rewarding regulatory milestones for a FinTech company in India. The authorization not only legitimizes your business but also instills trust among merchants, customers, and banking partners. In an era where digital payments are the backbone of India’s economy — with UPI alone processing over 100 billion transactions annually — operating within the RBI’s regulatory framework is not just a legal requirement, but a strategic business advantage.

For entrepreneurs and FinTech founders, the key takeaway is simple: start preparing early, invest in compliance infrastructure, maintain robust financials, and engage experienced regulatory advisors. The RBI license is not a one-time checkbox — it is an ongoing commitment to secure, transparent, and customer-centric payment operations.

India’s payments landscape is evolving rapidly, and those who invest in regulatory compliance today will be the market leaders of tomorrow.
