Understanding the Payment Gateway Legal Compliance and Regulations in India

The volume and frequency of digital transactions are fast surpassing that of cash transactions in India. Online shopping and remote services have received a massive boost in the aftermath of the Covid-19 pandemic. A seamless checkout procedure for online payments on an e-commerce website or app has become a dire necessity. This can only be facilitated via a reliable payment gateway that complies with the latest Indian regulatory framework. This includes laws concerning both online transactions and payment gateways in particular.

An Overview of the Payment and Settlements Act 2007

As of today, the Payment and Settlements Act 2007 is the main law governing payment gateways. It provides directives for the creation, set-up, and functioning of a payment gateway. All payment service providers, as well as merchants, are bound by law to abide by the guidelines listed under this act. Here is an overview of the Payment and Settlements Act 2007:

  • Section 4 of this Act lists the RBI guidelines that all payment gateways, digital wallets, and payment aggregators need to follow.
  • To seek RBI authorization, the payment gateway company has to apply to the DPSS (Department of Payment and Settlement Systems). The application has to be submitted with a properly filled Form A.
  • Along with KYC documents, two other compliances are necessary: CFT (Combating the Financing of Terrorism) and AML (Anti-Money Laundering).
  • To affirm that the payment gateway does not deal with black money, the company must periodically file STRs (Suspicious Transaction Reports), which are regularly reviewed by the FIU (Financial Intelligence Unit).

Settlement of Disputes under the Payment and Settlements Act 2007

There are highly elaborate rules for the fair settlement of disputes under this act. For payment gateway service providers, merchants, and consumers, these regulations provide ample scope for reaching amicable solutions. The salient points under this ‘resolution of disputes’ clause are as follows:

  1. Firstly, the service provider needs to have ample provision for the timely resolution of disputes. This should be carried out by setting up an impartial panel.
  2. If the expert panel is unable to resolve the dispute to the satisfaction of the complainant, the latter can approach the RBI.
  3. Under most circumstances, the ruling of the RBI in the matter should be considered final. Only if the RBI itself is a party to the dispute will the Central Government take on the case as deemed necessary.
  4. Section 25 of the Payment and Settlements Act 2007 explicitly addresses the dishonour of electronic funds transfers. It is equated with cheque dishonour (a concept that goes back to the Negotiable Instruments Act 1881). Hence, engaging in fraudulent electronic transactions invites the same legal recourse as conventional cash or cheque-related fraud.
  5. Furthermore, Sections 26 to 30 list the fines applicable if a payment service is provided without proper authorization. They also elaborate on the transparency and accountability aspects: all transaction reports and documents should be available for scrutiny at any given point in time.

PCI DSS Compliance for Payment Gateways

Since payment gateways enable both debit card and credit card payments, their operations come under the purview of PCI DSS (Payment Card Industry Data Security Standard). This crucial set of requirements is followed by payment card networks worldwide. All merchant payment services that facilitate card payments must abide by these rules.

  • Both merchants and payment service providers must take note of the latest PCI DSS guidelines. These include security mandates and smooth onboarding procedures.
  • High emphasis is laid on fraud prevention and cardholder data security.
  • Regular updates are provided to enhance the cyber defence mechanisms of payment service providers.
  • Several important validation tools are available on the PCI DSS portal to assess the security standards of your payment gateway.

Setting up Your Payment Gateway in India

As an integral merchant service, a payment gateway enables safe and hassle-free funds transfer from the buyer to the merchant. To ensure that the payment database is secure, setting up a payment gateway in India involves the following steps:

  • Setting up a merchant account is the prerequisite for successful payment gateway creation; setting up the payment gateway itself follows.
  • Liaising with the right IT and finance experts is necessary, especially when you want to create a multi-faceted payment gateway like that of Plural Pine Labs or CCAvenue.
  • RBI authorization is the next crucial step, the details of which have been outlined above.
  • As an authorized payment gateway owner or service provider, you should ideally get registered as a private company. This registration falls under the purview of the Indian Companies Act 2013.
  • The standard documentation to legally register your payment gateway as a private company applies. This includes opening a current account, as well as furnishing PAN and GST details.
  • Based on the payment modes that the payment gateway intends to facilitate, the necessary licences are required from banks. You can apply for a collective licence as a merchant service provider or individual licences as a payment aggregator.

Understanding the Process of RBI Authorization

Amongst the above legal guidelines and procedures to be followed by payment gateways in India, RBI authorization is the most crucial. Receiving this authorization can take up to 6 months, although it does not necessarily take so long. The RBI reserves the right to grant or deny authorization based on many factors. This discretionary process considers the following:

  • How well-built, efficient and useful the payment gateway service is.
  • The terms and conditions laid out for intended users of this payment service.
  • Ease of funds transfer enabled by the payment gateway.
  • Security compliance of the payment service, covering data security, theft prevention, and encryption levels.
  • Funding status, integrity, and track record of the management or owners.
  • Provision of credit-based payment services, along with other specific monetary policies.

As seen above, there are elaborate rules and regulations governing payment gateways and digital transactions in India. These have ensured strict security compliance on the part of payment service providers, while also urging them to resolve consumer grievances promptly. While this legal framework might seem complicated, it has boosted the reliability of payment services in India. This in turn has popularized digital payments on a mass scale, with a cashless economy expected in the coming years.