Payment Gateway License

Payment Gateway License in India

In June 2025, UPI payments in India processed transactions worth ₹24.03 lakh crores. As per the Reserve Bank of India, the total value of digital transactions in India grew from ₹1,775 lakh crore in 2019 to ₹2,830 lakh crore by the end of 2024. The reason for this exponential growth is attributed to the rise of digital payment gateways - they act as technological intermediaries, check the payment details and funds in the buyer’s account, and safely transfer the amount into the seller’s/receiver’s bank account. To regulate this sector, the Reserve Bank of India (RBI), under the Payment and Settlement Systems Act, 2007, mandated that all entities engaged in fund collection and settlement on behalf of merchants must obtain a Payment Aggregator (PA) License.

What is a Payment Gateway?

A payment gateway is a digital service that helps businesses accept online payments securely from customers.

When you buy something online and pay using a debit card, credit card, UPI, or net banking, the payment gateway acts as a middleman between you (the buyer), the merchant, and the bank. It checks the details of your payment, makes sure there is enough money in your bank account, and safely moves the payment from your bank to the seller's bank.

The term ‘Payment Gateway’ broadly includes two models:

• Payment Aggregator (PA): Entities that facilitate online payments by collecting funds from customers on behalf of merchants without the need for the merchant to directly integrate with acquiring banks.
• Payment Gateway (PG): Technology providers that offer routing, encryption, and a payment interface without handling funds.

In India, only PAs who handle funds are required to obtain RBI authorisation, whereas PGs offering only tech infrastructure do not need licensing but must comply with security standards.

Legal Framework

In India, the payment gateways are regulated by the following statutes and rules:

1. The Payment and Settlement Systems Act, 2007: This is the foundational legislation regulating all forms of payment systems in India. Under Section 4, it mandates that no person or entity can operate a payment system, including payment gateways or aggregators, without prior authorisation from the Reserve Bank of India (RBI). The Act empowers the RBI to frame regulations, inspect licensees, issue directions, and cancel authorisations for non-compliance. It ensures orderly development and oversight of digital payment infrastructure.
2. RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways (March 2020; updated in March 2021 and August 2022): The guidelines were issued under the authority of the 2007 Act. These guidelines created a formal licensing regime for Payment Aggregators (PAs) and a regulatory framework for Payment Gateways (PGs).

• Payment Aggregators that handle customer funds must register with the RBI and adhere to capital adequacy norms, escrow account management, and KYC/AML compliance.
• Payment Gateways, while not directly handling funds, must comply with baseline IT security, fraud prevention standards, data localisation, and grievance redressal mechanisms.

3. The Reserve Bank of India Act, 1934: The RBI is the regulatory authority over monetary policy and financial stability. Under Section 45JA, RBI may issue directions to any financial institution relating to conduct, audit, reporting, and inspection. RBI uses this power to enforce the licensing, reporting, and operational standards on PAs/PGs.
4. The Information Technology Act, 2000: This Act governs all digital transactions and imposes mandatory obligations on intermediaries, including payment gateways, under Section 43A and Section 72A. The act deals with the protection of sensitive personal data, cybersecurity, and the liability for data breaches.
5. The Prevention of Money Laundering Act, 2002 (PMLA): As the payment aggregators deal with financial transactions, they are considered ‘reporting entities’ under PMLA. They are mandated to conduct KYC verification, monitor transactions, and report suspicious activities to the Financial Intelligence Unit - India (FIU-IND).
6. The Companies Act, 2013: All payment gateway license applicants must be incorporated entities in India. Compliance with corporate governance, auditor appointment, disclosure norms, and financial reporting obligations under the Companies Act, 2013, is a pre-requisite to maintain the integrity of the applicant entity.
7. The Consumer Protection Act, 2019: The act empowers customers to raise grievances against unfair trade practices, deficient services, or unauthorised debits by payment gateways.
8. The Foreign Exchange Management Act, 1999 (FEMA): The cases where cross-border payments or inward/outward remittances, FEMA governs such operations. Any payment gateway that facilitates foreign transactions must ensure compliance with the RBI's Master Directions on the Import and Export of Goods and Services and have the approval of the AD Banks.

Eligibility Criteria for Payment Gateway (PA) License

In order to obtain the Payment Gateway License in India, the entity must fulfil the below-mentioned eligibility criteria specified by the RBI:

1. Incorporation and legal status

The applicant must be:

• A company incorporated in India under the Companies Act, 2013.
• A new applicant must have a clear object clause in its Memorandum of Association (MoA) for operating as a Payment Aggregator 

2. Minimum net worth

• ₹15 crore at the time of application.
• Must increase to ₹25 crore within three years of operation.

3. Promoters and directors must

• Qualify under the fit and proper criteria prescribed by RBI.
• Not be convicted of any financial crime or regulatory violation.

4. System audit

The applicants must:

• Have a functioning and interoperable technology infrastructure.
• Submit an audit certificate from a CISA-qualified (Certified Information Systems Auditor) professional.
• Demonstrate robust cybersecurity systems, data encryption, and fraud management mechanisms compliant with RBI’s Cyber Security Framework for Payment Systems (2022).

5. No access to customer funds

Payment Gateways do not handle funds. If an entity seeks to operate as a Payment Aggregator and handle customer funds, it must comply with:

• Escrow account maintenance with a scheduled commercial bank.
• Daily settlement obligations.

6. Merchant onboarding policy

Applicants must adopt a documented and Board-approved policy for:

• Merchant due diligence
• Risk assessment
• KYC compliance as per RBI’s Master Directions on KYC, 2016

7. Compliance with FEMA and FDI Norms

If the applicant receives foreign direct investment, it must comply with:

• FEMA, 1999 regulations
• FDI caps as notified by DPIIT

8. No Co-mingling of Funds

PAs must not co-mingle funds of different merchants and must ensure proper reconciliation of each transaction.