How to Start a Payment Aggregator License

An Overview of Payment Aggregator License

A Payment Aggregator, also known as a Merchant Aggregator, is a service provider through which e-commerce and mobile merchants can process payment transactions. A payment aggregator allows a merchant to accept bank transfers and card payments without opening a bank account or joining a credit card association. A merchant aggregator offers an inexpensive and more accessible way of taking payments, which can help a small business get off the ground faster. One of the main purposes of a payment aggregator is to deliver an efficient payment solution that is a shortcut compared with established payment methods. Payment aggregators include payment gateways, whereas payment gateways do not include payment aggregators.

Who are Payment Aggregators?

A Payment Aggregator is a third-party service provider that allows merchants to accept payments from customers by integrating it into their apps or websites. In simple terms, a payment aggregator bridges the gap between acquirers and merchants.

  • They offer technologies to facilitate and direct the processing of an online payment transaction and perform other functions without actually handling the funds;
  • They help the merchants in linking with the acquirers. In this process, they receive payments from clients and transfer payments to the merchants after a period. Besides handling the funds, they also get the right to use or access customer data;
  • They assist e-commerce sites and merchants in accepting different payment tools from the clients to finish their payment duties to the merchants. Here the merchants are not required to create a separate payment integration system of their own.

Benefits of a Payment Aggregator

  • It becomes an intermediary between the merchants and the clients;
  • The function of processing and completing the payment transactions is very easy;
  • Establishing a payment aggregator is very easy and straightforward. All it takes is signing up for the procedure of an e-commerce payment. It creates chances for more talents to enter the market & offers clients more options to buy;
  • Creation of settlement on one end and merchants on the other end;
  • The payment aggregator offers a proposition for online transaction processing with little or no start-up fees and fixed costs;
  • The application process is straightforward, which helps small businesses function effortlessly;
  • It is a proficient and cost-effective process for a massive volume of smaller transactions.

Risks Related to Payment Aggregation

The payment aggregator activities in the online transaction include risks, which are as follows:

  • Lack of proper restore mechanism and consistency in practice across the companies is also a matter of concern;
  • Payment aggregation services are also delivered by some e-commerce marketplaces, which do not come under the direct regulatory influence of the Reserve Bank of India; this can be a massive concern for payment aggregators. Therefore, it can be altered under double regulation;
  • Organisations might be a source of risk in such a customer-experience and technology-intensive business if they have inadequate governance practices, which may affect the client's experience and confidence;
  • The aggregators also handle sensitive customer data. Supervising data privacy and customer data can be a huge task for payment aggregators. If the payment aggregators are not able to control the data, it can lead to data loss and privacy violations;
  • A payment aggregator is also in danger of some transaction chargeback or fraud connected with its sub-merchants.

What are the Essential IT Requirements to Procure Payment Aggregator License?

Following are some IT security measures that the aggregators should adopt to obtain a Payment Aggregator License:

  • Data Security Standards

Data security standards such as PA-DSS and PCI-DSS, as well as the latest encryption standards, transport channel security, etc., shall be put into practice.

  • Risk Assessment

It should identify the threat and vulnerability combinations and the likelihood of an impact on the privacy, integrity or availability of that asset from a business, compliance and contractual standpoint.

  • Staff Capability

The resources should be well-trained with IT skills, and a periodic assessment of training needs should be conducted for them.

  • Payment Application Security

Such applications shall be developed according to PA-DSS guidelines and should comply with the prescribed guidelines. All aggregators should examine the PCI-DSS compliance status of merchants as part of their merchant onboarding process.

  • Information Security Governance

The organisations must carry out a comprehensive security risk assessment of their people, Information Technology (IT), and business process environment. It should identify risk exposures with remedial measures and also residual risks. Risk assessment reports, security compliance reports, security audit reports, and security incidents should be presented to the Board by the entities.

  • Access to Application

The process for managing access to an application system shall be documented, approved by the owner of the application, and kept updated. Access to the application shall follow the principles of least privilege and need to know, commensurate with job responsibilities.

  • Cryptographic Requirement

Merchant aggregators shall choose encryption algorithms that are accepted by the international community of cryptographers, or by trustworthy professional bodies, highly regarded security vendors or government agencies.

  • Data Control

The payment aggregators shall take preventive measures to make sure the data they collect is held in infrastructure that does not belong to outside jurisdictions. Suitable controls shall be put in place to prevent unauthorised access to the data.

  • Data Protection in Outsourcing

The outsourcing agreement shall include a right-to-audit clause that enables Payment Aggregators, their appointed agencies and regulators to conduct security audits. Alternatively, the third party is required to submit an annual independent security review report to the payment aggregators.

  • Security Incident Reporting

Cybersecurity incidents shall be reported by the aggregators to the regulator within 2 to 6 hours. Payment Aggregators should have an agreement with the merchants on security incident reporting.

  • Forensic Readiness

All security events from the aggregator's infrastructure, including middleware, applications, servers, endpoint authentication, databases, log files, web services, and cryptographic events, shall be collected, investigated and examined for the positive identification of security alerts.

  • Cyber Security Review and Reports

The companies shall submit quarterly internal and annual external examination reports to the IT Committee.

Basic Requirements for Payment Aggregator License

Following are some basic requirements for a Payment Aggregator License:

  1. Address proof of the business;
  2. New Payment Aggregators shall have a minimum net worth of Rs. 15 crores at the time of application for authorisation and shall attain a net worth of Rs. 25 crores, which shall be maintained at all times thereafter;
  3. Payment Aggregators must submit a certificate in the enclosed format from their CA (Chartered Accountants) to evidence compliance with the applicable net-worth requirement when they are submitting an application for authorisation;
  4. Newly registered non-bank entities that may not have an audited statement of financial accounts must submit a certificate in the enclosed format from their CAs regarding the current net worth along with a provisional balance sheet;
  5. Minimum 3 directors & 2 members are required;
  6. The Payment Aggregator organisation must comply with PCI DSS requirements.

What are the Vital Documents required for Procuring a Payment Aggregator License?

Following are some vital documents required for procuring a Payment Aggregator License:

  • Submit a Certificate of Incorporation issued by the ROC or Registrar of Companies;
  • DIN (Director Identification Number) and DSC (Director Signature Certificate) of all the proposed directors;
  • Details of the company’s bank account;
  • Address proof of PAN Card of the directors;
  • Business plan of the company for the next five years;
  • Submit any address proof of the business place;
  • Code testing information by a software agency;
  • An audited balance sheet for the last 2 years or since the business was incorporated.

Procedure for Getting Payment Aggregator License

Companies wishing to obtain a Payment Aggregator License should undertake the following steps:

  • Step 1: Companies should be incorporated under the Companies Act, 2013.
  • Step 2: Authorisation should be obtained from the Reserve Bank of India under the PSS Act.
  • Step 3: Capital requirement of Rs. 15 crores (net worth), which must be increased to Rs. 25 crores within three years of its operation.
  • Step 4: An appropriate mechanism should be prepared against money laundering.
  • Step 5: A nodal officer should be appointed for the customer complaint redressal framework or dispute management framework.
  • Step 6: In case the company is a bank, authorisation should be attained under PSS Act.
  • Step 7: This Act has established guidelines to penalise defaulters for not attaining authorisation from the Reserve Bank of India.

Post Compliances of Payment Aggregator License in India

Payment Aggregators should submit the report on a monthly, quarterly, or annual basis after obtaining a Payment Aggregator License, which is explained below:

  • Monthly Report

| Topics | Last Date |
| --- | --- |
| Transactions Statistics | 7th of the next month |
| Frauds Report | 7th of the next month |
| Cyber Security Incident Reports with full root cause study | 7th of the next month |

  • Quarterly Report

| Aspects | Last Date |
| --- | --- |
| Certificate of Auditors on Escrow Balance | 15th of the month following the quarter-end |
| Certificate of Bankers on Escrow Account Credits and Debits, which should be within audited | 15th of the month following the quarter-end |
| For marketplaces, certificate of the auditor on nodal accounts | 15th of the month following the quarter-end |
| Customers Complaints Report | 15th of the month following the quarter-end |
| Cyber Security Audit Report | 15th of the month following the quarter-end |

  • Annual Report

| Topic | Last Date |
| --- | --- |
| Audited yearly report attached with a Chartered Accountant Certificate on Net-worth | 30th September |
| Cyber Security Audit and IS Audit Report, externally audited, with observations noted and the corrective or preventive action planned | 31st May |
| Net-worth Certificate | 31st December |

  • Non-Periodic Reports
  1. In case there is any change in the Board of Directors (BoD);
  2. A one-time technical audit or review, and also whenever a major change is about to be made.

Penalties Prescribed under PSS Act, 2007 for Payment Aggregators

As per the PSS Act, 2007, the following acts will be penalised:

  • Operating a payment aggregator system without permission;
  • The Reserve Bank of India (RBI) can also impose a fine for certain violations under the PSS Act;
  • When the merchant aggregator fails to produce statements;
  • Infringing any rules, orders, guidelines, regulations, etc. approved by the Reserve Bank of India is a punishable offence for which the RBI can begin criminal proceedings;
  • Where the payment aggregator delivers any wrong information or statement;
  • In case of any failure by the aggregator to comply with the terms of the licence authorisation;
  • Disclosing any prohibited information, not complying with directions issued by the Reserve Bank of India, or infringing any of the Act's provisions.

What is the Difference Between Payment Aggregator and Payment Gateway?

| Points | Payment Gateway | Payment Aggregator |
| --- | --- | --- |
| Role | Mediator | Interface |
| Ownership | This is owned by Private and Public Banks, Vendors, Merchants, and Aggregators. | Owned by Fintech Players. |
| Payment Options | Particular or limited Payment Options. | Various multiple payment options. |
| Permissions | Authorisation of RBI under the Payment and Settlement Systems Act, 2007 (PSSA). | They need the necessary certification as per the Payment Card Industry-Data Security Code (PCI-DSS). |
| Small Businesses | Fees for transactions offered by the Payment Gateways are too difficult and high. | Payment Gateways use Payment Aggregators able to deliver services to small businesses. |
| The success rate of payment | As much as the gateway can manage. | Considerably higher payment success rate. |
| Touchpoints Digitised | Online touchpoints consist of apps or websites. | Online & Offline touchpoints. |

Frequently Asked Questions

In banking, an aggregator acts as a third party, a mediator between the merchants and the clients.

  • Cashfree
  • Paytm
  • CC Avenue
  • Mobikwik
  • Instamojo

Payment Aggregator is also recognised as Merchant Aggregator; basically, it is a service provider by which payments can be made successfully with the help of mobile and e-commerce merchants who can process payment transactions. A payment aggregator allows a merchant to accept bank transfer & payments through cards even without a bank account opening or a credit card association.

Yes, it is a Payment Aggregator.

Paytm is a Payment Gateway that helps businesses accept online payments from customers.

To become a Payment Aggregator, both non-bank and bank providers are required to have an authorisation from the Reserve Bank of India; the entity should be a company registered in India, have to contain payments data, and have a net worth of Rs. 15 crores.

Aggregators are owned by Fintech entities, whereas Payment Gateway can be owned by the banks, vendors, merchants, etc.

Swarit Advisors Private Limited
