Requirements for Payment Gateway License: A Complete Guide

Requirements for Payment Gateway License
Shivani Jain
| Updated: Feb 19, 2021 | Category: Payment Gateway System, RBI Advisory

In India, the popularity of online shopping and e-commerce is continuously increasing at a significant rate. The reason behind the same is the ease and flexibility offered by Payment Gateways. It is mandatory for every online portal to obtain payment gateway license from RBI if it wants to deal in the payment of bills, recharges, etc. In this blog, we will be discussing in detail about the concept and requirements for Payment Gateway License.

Concept of Payment Gateway

The term Payment Gateway denotes a financial service, which is provided by an e-commerce application service provider. It acts as an intermediary between the banks and the website that provides the communication of transaction or payment.

Further, it collects details from the buyer’s bank and supplies the same to the receiving bank and notes its response as to whether the said transaction or payment has been approved or not.

Also, Read: Meaning and Process of Online Payment Gateway in India 2020

Working of Payment Gateway

Once a customer has placed an order from an online application or portal, a series of actions as given below will be taken by the Payment Gateway:

Working of Payment Gateway

Encryption of Data

In this step, the browser used by the customer will encrypt the data which has to be sent to the vendor’s server. After that, the said payment gateway then sends the transaction details to the payment processor.

Request for Authorisation

Once the data is received by the payment processor, it will transmit the same to the card association. After that, the bank that has issued the card will check the transaction at this point to either agree or deny it accordingly.

Filing the Order

Once the bank agrees to the transaction, the authorisation concerning the merchant and customer will then be forwarded to the payment gateway’s processor.

Further, after receiving the response from the processor, the details will be forwarded to the website for processing the payment.

Additional Services Offered by Payment Gateway in India

The additional services offered by a payment gateway in India can be summarised as:

Additional Services Offered by Payment Gateway in India
  • Delivery Address Verification;
  • Computer Visual Systems Checks;
  • Advances Visual System Checks;
  • Velocity Pattern Analysis;
  • Identify Morphing Detection;
  • Tax Calculation for the Authorisation of Request transmitted to the Processor;

Types of Payment Gateway License

The different types of Payment Gateway License are as follows:

Types of Payment Gateway License

Second Party Providers

This type of Payment Gateway License is very costly and expensive for small businesses and start-ups in the initial phase. Although the TDR (Transaction Discount Rate) is less for specified providers, but the setup cost is high.

Third Party Providers

The term Third Party Providers means a type of provider that charge both the annual and set up fee. In this case, the TDR will be around 2% to 4%.

Further, the examples of this type of provider are CC Avenue, PayU, and EBS.

Legal Requirements for Payment Gateway License

Based on the provisions of section 4 of the Payments and Settlement System Act 2007, no one except the RBI has the authority to start or operate a payment gateway mechanism in India.

However, if in case an entity wants to start a Payment Gateway, then, in that case, it needs to obtain authorisation from RBI by filing an application for Payment Gateway License under section 5 of the Payments and Settlement System Act 2007.

Basic Requirements for Payment Gateway License

The basic requirements for Payment Gateway License are as follows:

  • The applicant entity must be registered under the provisions of Companies Act 2013 or the Companies Act 1956;
  • Needs a minimum of two members;
  • Needs a minimum of two directors;
  • Address Proof for the Registered Office;
  • 5 years Business Plan;
  • PAN Card details of the company;
  • Current Account details of the company;
  • System Flow and Code Testing Report by a Software Certifying Agency;
  • Compliance with PCI DSS;
  • Service Tax Registration Number;

Capital Requirements for Payment Gateway License

The capital requirements for payment gateway license are as follows:

  • The banks and NBFCs that abide by the guidelines concerning CAR (Capital Adequacy Requirements), as specified by the Apex Bank, will only be permitted to issue prepaid payment instruments;
  • All the other entities need to have at least Rs 10 lakhs as the NOF (Net Owned Funds);
  • The entities that have authorisation under FEMA 1999 to issue Prepaid Payment Instruments are exempted from the RBI guidelines. Also, in this case, the usage of PPIs is limited to the permissible current account transactions and are subject to restrictions prescribed under the Foreign Exchange Management (Current Account Transactions) Rules 2000;

IT Requirements for Payment Gateway License

The IT requirements for Payment Gateway License in India are as follows:

Information Security Governance

It is mandatory for all the businesses and entities to carry out a comprehensive security risk assessment of their respective clients. The reason behind the same is to timely determine the risk exposures, residual risks and remedial measure.

Data Security Standards

It is advisable that all the businesses must employ best practises regarding the data security standards, such as the PA DSS and PCI DSS. Also, it shall be significant to note that the latest encryption standards must be implemented as well.

Security Incident Reporting

It is necessary for every business to report the incidents of security and cardholder breaches to the Reserve Bank of India within the time prescribed.

Merchant On-boarding

All the businesses need to undergo a comprehensive security assessment during the course of merchant on-boarding. Also, the main aim behind the said process is to make sure that merchants are properly following the minimal baseline security standards.

Cyber Security Audit and Reports

It is mandatory for all the businesses to carry out and furnish quarterly internal and external audit. There after they need to submit the same to the IT Committee.

Further, the other reports required to be submitted are as follows:

  • Bi annual VAPT (Vulnerability Assessment or Penetration Test) Report;
  • ROC (Report of Compliance);
  • PCI – DSS including AOC (Attestation of Compliance);

Staff Competency

It is necessary for every business that is holding a payment gateway license to have a clear understanding, training, and experience for the IT Function.

Vendor Risk Assessment

Service Level Agreements are necessary to support the technology comprising of the Data Management and BCP DR. Also, an SLA must include the clauses that permit the regulatory access to these set ups.

Cryptographic Requirement for Payment Gateway License

It is necessary for every business entity to choose Encryption Algorithm as a well formulated International Standard. However, it shall be significant to state that the said standards will be subject to inspection by the International Community of Cryptographers.

Maturity and Roadmap

All the business entities must regularly assess and check their IT Maturity Level based on the International Standards. Also, they can design a comprehensive action plan and can execute the plan accordingly to achieve the target maturity level.

Data Security in Outsourcing

All the businesses must have an agreement concerning outsourcing. Further, the said agreement need to have a clause named “right to audit” to authorise the entities and their appointed agencies and regulators for carrying out security audits. On the other hand, third parties are required to furnish the annual independent security audit reports to the businesses.

Data Sovereignty

All the business entities need to implement preventive measures to confirm that the data stored in infrastructure does not belong to any external jurisdiction.

Payment Application Security

All the entities need to draft the application for payment gateway license based on the PA DSS guidelines and requisite requirements. Further, they need to review the PCI DSS compliance status as a part of the merchant on-boarding process.

Documents Required for Payment Gateway License

The documents required for Payment Gateway License are as follows:

  • A copy of the Certificate of Registration;
  • PAN Card Details of the Applicant Company;
  • Digital Signature Certificates for Directors;
  • Director Identification Number for Directors;
  • Address for the place being used as Registered Office;
  • Current Bank Account details form the respective bank;
  • Business Plan of the Company for the next five years;
  • System Flow and Code Testing Report by a Software Certifying Agency;


In a nutshell, Payment Gateway means an intermediary between the bank and the website providing transaction facility. Further, except the Reserve Bank of India, no one has the authority to start a payment gateway in India, until the same has filed an application for the license under section 5 of the Payments and Settlement System Act 2007 with the apex bank.

However, an applicant who wishes to obtain the license for the RBI needs to first comply with the Requirements for Payment Gateway License. Further, the term Requirements for Payment Gateway License are divided on the basis of Basic, Legal, Capital, and Information and Technology Requirements.

Also, Read: Top 5 Best Payment Gateway Systems in India

Spread the love
Shivani Jain

Shivani has completed her B com LLB (Hons) and has the experience of writing various research papers during her college time. Earlier she was working as an Associate in a Delhi based Law Firm, but her interest in writing made her pursue Legal Content Writing as a career. Her core area of interest is in writing about various legal enactments, tax, and finance.


Related Articles

Scale-Based Regulations for NBFC
| Date: Aug 01, 2022 | Category: NBFC

Scale-Based Regulations for NBFC: New Classification

The Reserve Bank of India, through its circular released on the 19th of April earlier this year, laid out guidelines relating to advances by NBFCS and the mandatory disclosures they...

Read More
RBI Extends Time Limit for Authorisation
| Date: Mar 22, 2021 | Category: News, RBI Advisory

RBI Extends Time Limit for Authorisation under Umbrella Entity of Retail Payments

Recently the Reserve Bank of India (RBI), by way of Press Release No 2020 – 2021/ 1161, issued on 26.02.2021, has directed an extension in the Time Limit for Authorisation...

Read More
Ideal NBFC Software
| Date: Jun 11, 2021 | Category: NBFC

Ideal NBFC Software: Authorising NBFCs to Simplify Workflow

The Non-Banking Financial Company sector is flourishing at a quick speed. NBFCs are the financial path that facilitates financial services and banking services without having a banking license. Non-Banking Financial...

Read More


Hi! My name is Akanksha! Let's talk.