IT standards for Payment Gateway License: Requirements
The IT standards for obtaining a Payment Gateway License in India are as follows:
- Governance of Information Security
All companies must conduct a rigorous security risk assessment of their clients to determine risk exposures, the remedial actions required, and the residual threats that remain.
- Standards for Data Security
Best practices in data protection standards such as PA-DSS and PCI-DSS must be implemented by all companies. It is also essential to enforce the most recent encryption standards.
- Reporting Security Incidents
Any security incidents or cardholder violations must be reported to the Reserve Bank of India (RBI) within the timeframe stated.
- Onboarding of merchants
During the merchant onboarding process, all companies must go through a detailed security assessment. This procedure is carried out to ensure that retailers adhere to the most basic security requirements.
- Audits and Reports on Cyber Security
All companies must complete a quarterly internal and external audit and submit the resulting report to the IT Committee. They must also submit bi-annual VAPT (Vulnerability Assessment and Penetration Testing) reports and PCI-DSS compliance reports, including the AOC (Attestation of Compliance) and ROC (Report on Compliance), along with any findings reported and the preventive and corrective measures planned, each with an action closure date.
- Competency of Employees
The IT work requires a thorough understanding, knowledge, and preparation from all business resources.
- Risk Assessment of Vendors
SLAs (Service Level Agreements) for support of BCP-DR and data management technology must absolutely contain provisions allowing regulatory access to these setups.
- Roadmap and Maturity
Businesses must assess their IT maturity level on a regular basis against international standards, and devise and implement an action plan to reach the desired maturity level.
- Requirement for cryptography
All companies must choose an encryption algorithm that is a well-established, universally accepted standard and has been thoroughly examined by the international cryptographic community.
- Sovereignty of Data
All companies must take precautions to ensure the data is stored in infrastructure that is not subject to any external authority.
- Outsourcing Data Security
There must be an outsourcing arrangement that includes a "right to audit" provision that allows companies or their designated agencies and regulators to perform security audits. Alternatively, third parties must provide companies with periodic independent security audit reports.
- Application Protection for Payments
Payment applications must be developed in accordance with PA-DSS guidelines and requirements. As part of the merchant onboarding phase, the company must verify the merchant's PCI-DSS compliance status.
Basic Payment Gateway License Requirements
- The entity must be registered under the Companies Act, 1956 or the Companies Act, 2013.
- Two representatives or directors are needed.
- Proof of company address
- Company strategy for the next five years
- The company's PAN and current account
- Software certifying agency's report on system flow and code testing
- Service Tax Registration Number
- PCI DSS (Payment Card Industry Data Security Standard) compliance
Necessary Documents for a Payment Gateway License
The following are the documents needed to obtain a Payment Gateway License in India:
- A copy of the company's COI (Certificate of Incorporation) obtained from the ROC (Registrar of Companies);
- Directors' PAN card details and proof of address;
- The directors' DSC (Digital Signature Certificate) and DIN (Director Identification Number);
- A copy of the address proof for the registered office;
- Bank account details of the company;
- Business strategy for the next five years of the company;
- A software agency's report on code testing.