What is Payment Gateway License?

Payment Gateway is a financial service and is provided via an e-commerce application service provider. We all know about that the popularity of online shopping in India is majorly due to the ease and flexibility that this platform offers.

Besides, even the payment of bills, recharges, etc., has taken the online route. When we purchase something online or pay a bill, when we click on “pay now”, we are directed to a new page. This is the payment gateway site of the website on which we are making the payment for goods/services.

The payment gateway acts as an intermediary between the website that facilitate the communication of transaction information and the banks. It produces the information from the buyer bank and supplies this information to the receiving bank and notes its feedback as to whether the transaction has been approved or declined.

License for Payment Gateway Business in India

As per Section 4 of the PSS Act, no person except the RBI can either operate or commence a payment system. Application for authorization to the RBI is required to be made under Section 5 of the PSS Act.

Advantages of Payment Gateway License

In India, the advantages of using a payment gateway license are as follows:

• PCI- DSS Wallet

  The PCI-DSS Wallet compliance gives security to the users by securing their data in the gateway or portal for recurring payments. For instance, a person who is a regular customer on Amazon can save his/her bank account details on Amazon’s application or website, and the gateway protects it from any cybersecurity threat.

• White Label Wallet

  Some payment gateways allow customers to make digital transactions through mobile wallet applications. This is the latest trend, as this enables the users to do all their operations from one place. One can transfer the amount from the bank account to the mobile wallet application and then use it for payments on other mobile apps or websites.

• Fraud Screening Tools

  Some Payment Gateways provide their customer with the FST (Fraud Screening Tools) for minimising the risk of losing data. These tools include CCV (Card Code Value), CVV (Card Verification Value) and AVS (Address Verification Service). The primary aim of these tools is to ensure that there is no fraudulent transaction. Further, another significant advantage of a payment gateway is that it allows transactions from multiple users at the same time. This indeed makes it feasible for a customer to purchase or sell goods and services whenever he/she wants.

How does Payment Gateway Work?

Once a customer has placed an order from an online portal, there are a series of tasks that are conducted by the Payment Gateway which are discussed as follows:

• Encryption

  The browser used by the customer encrypts the data that has to be sent to the vendor’s server. The payment gateway then sends the transaction data to the payment processor.

• Authorization Request

  Once the payment processor receives the data, it transmits the same to the card association. The Bank that has issued the card checks the transaction at this point and denies or agrees to it, accordingly.

• Filling the Order

  If the Bank agrees to the transaction, the authorization relating to the customer and the merchant is forwarded to the processor of the Payment Gateway. After response from the processor is received, the same is transmitted to the website for processing of the payment. This way the information is interpreted and the payment is generated. The entire process of payment takes time of a few seconds only.

Additional Services Offered by Payment Gateways

Apart from facilitating quick payments, the `payment gateways also offer the following services:

• Delivery Address verification
• Advanced Visual System checks
• Computer Finger Printing Technology
• Velocity Pattern Analysis
• Identity morphing detection
• Calculation of tax for authorization of request transmitted to the processor

What are the Vital Components of the Payment Gateway?

The main components of the Payment Gateway are:

• Merchant Agreement

  This is the contract between the payment service provider and the business. Each party that is involved in the online transactions is guided by the responsibilities and the rules that have been mentioned under this agreement, in context to acceptance of payment, authorization, processing and settlement.

• Secure Electronic Transaction (SET)

  Secure Electronic Transactions are provided by the main providers of the electronic transactions, like Visa and MasterCard. The customers are protected by way of SET as it allows the merchants to verify the payment information without actually seeing it. The information on the card is directly received by the card issuer for verification.

Laws Governing the Payment Gateway

The Payment and Settlement System Act, 2007 (PSS Act) was enacted for the purpose of regulation and supervision of payments system in India by the Reserve Bank of India, which shall be the primary authority for the purposes and all the matters that fall under the purview of this Act. There are two regulations that have been made under this Act by the RBI, namely:

• Board for Regulation and Supervision of Payment and Settlements System Regulations, 2008, which mainly deals with the constitution and composition of the Board for Regulation and Supervision of Payment and Settlement System (BPSS) and a Committee of RBI’s Central Board of Directors.
• Payment and Settlement Systems Regulations, 2008, which deals with matters such as application for authorization of commencing payment system, granting such authorization, instructions related to payments, standards to be maintained in payment system, furnishing of relevant documents, financial information, etc.

Basic Requirements for Payment Gateway License

• The entity must be registered under the Companies Act, 1956 or the Companies Act, 2013
• A minimum of two members or directors
• Address proof of the business
• 5 years business plan
• PAN and Current Account of the company
• System Flow and Code Testing Report by Software certifying agency
• Service Tax Registration Number
• Compliance with PCI DSS

Note: The compliance with Payment Card Industry Data Security Standard (PCI DSS) is one of most important compliances required by the Payment Gateway Business. PCI DSS consists of widely accepted set of rules and regulations which are focused towards optimizing the security of the online transactions and protect the cardholders from fraud. Its aim is to improve payment account security in the entire process of online transactions. Getting a payment gateway license is very hard since it requires fulfilling certain software related compliances as well apart from the regulatory compliances.

Types of Payment Gateway License

Payment Gateway providers allow businesses to take payment from both National and International Customers in Indian National Rupees. The methods by which these providers accept payment include through Credit or Debit Cards and Net-banking methods.

In India, the two categories of Payment providers are:

• Second Party Providers

  This option is costly and expensive for start-ups and small businesses in their initial phase. The Transaction Discount Rate (TDR) is less for the prescribed providers, but the set-up cost is high.

• Third Party Providers

  The instances for this type of provider are PayU, CC Avenue, EBS. These providers charge both an annual and a set-up fee. The TDR for this type of provider is around 2% to 4%.

Capital Requirements for Payment Gateway License

In India, the capital requirements to obtain a payment gateway license are:

• Only NBFCs (Non-Banking Financial Companies) and banks that abide to the Capital Adequacy Requirements specified by the Apex Bank will be allowed to issue prepaid payment instruments.
• All the other entities must have a minimum NOF (Net Owned Funds) of Rs 10 lakhs.
• The entities that are authorised under the Foreign Exchange Management Act(FEMA) to issue foreign exchange PPIs (Prepaid Payment Instruments) are exempted from the ambit of RBI guidelines. The use of such PPIs will be limited to the permissible current account transactions and subject to the specified restrictions under the Foreign Exchange Management (Current Account Transactions) Rules, 2000, as amended from time to time.

Documents required for Payment Gateway License

The documents needed to obtain a Payment Gateway License in India are as follows:

• A copy of COI (Certificate of Incorporation) of the Company received from ROC (Registrar of Companies);
• PAN Card Details and Address proof of the Directors;
• DSC (Digital Signature Certificate) and DIN (Director Identification Number) of the directors;
• Address proof of the Registered Address;
• Details of the Company’s Bank Account;
• Company’s Business plan for the next five years;
• Report on Code testing by a Software Agency.

Procedure for Payment Gateway License

For obtaining Payment Gateway License in India follow the steps described below:

• Step 1

  File an applicationin the prescribed Form A as per Section 5(1) of the PSS Act. This application shall be made to the Chief General Manager of Department of Payment and Settlement Systems at Central Offices of the RBI at Mumbai, or such other offices of the RBI as may be specified by it from time to time.

• Step 2

  As per Section 6, the RBI’s approval for granting the authorization is discretionary. The RBI has the power to hold such inquiries as it may consider necessary for the purpose of satisfying itself about the authenticity of the details that have been submitted by the applicant and for checking the credentials of the involved participants.

• Step 3

  The RBI shall take the following conditions into account before issuing the authorization:

1. The requirement for proposal payment system or the services that have been proposed to be undertaken by it;
2. The technical standards that have been set for the payment system or the structure of the proposed payment system;
3. The terms and conditions, including any security procedure, for operation of the proposed payment system;
4. The way in which the transfer is done in the given payment system;
5. The manner for netting of payment instructions that affect the payment obligations under the payment system;
6. The management’s financial status experience and the integrity of the applicant;
7. The terms and conditions that govern the relationship of the customers with the payment providers;
8. The credit and monetary policies;
9. Time frame for authorization.

• Step 4

  If RBI is satisfied that all the requirements a laid down in Section 7(1) are fulfilled, it may issue the Authorization Certificate in Form ‘B’ for commencing and carrying on a payment system to the applicant. The authorization shall take effect from the date as mentioned by the RBI and as per the conditions that have been imposed by the RBI.

• Step 5

  As per Section 4 of the PSS Act, the RBI is required to process the application of authorization at the earliest with a maximum time limit of six months from the date on which the application for authorization has been filed.

How Payment Gateways keeps Information Secure

The steps that a payment gateway follows for securing information can be summarised as:

• Firstly, the complete transaction is done by an HTTPS web address. HTTPs are different from HTTP as the “S” in HTTPS stands for “secure”. The sale is also made through this same tunnel.
• The mechanism uses a signed request as a result of the hash function. This signed request validates the request for the transaction. Further, the signed request is only known by the merchant and the payment gateway, thereby known as a private thing.
• For securing the payment page of the process, the IP of the requesting server should be verified for detecting any malicious activity.
• A VPA (Virtual Payer Authentication) is something that issuers, acquirers and payment gateways are using to secure the payment process. A VPA which is implemented according to the 3-D secure which protocol adds an extra layer of security and also assists the online buyers and sellers for validation and authentication purposes.

IT Requirements for Obtaining Payment Gateway License

In India, the IT requirements for obtaining Payment Gateway License are:

• Information Security Governance

  All the businesses must carry out a thorough security risk assessment of their clients to identify risk exposures with remedial measures and residual risks;

• Data Security Standards

  All the businesses must implement best practices concerning data security standards such as PA-DSS and PCI-DSS. The latest encryption standards must also be implemented.

• Security Incident Reporting

  All the business must report any security incidents and cardholder breaches to the RBI (Reserve Bank of India) within the specified time.

• Merchant on-boarding

  All the businesses must undergo a complete security assessment during the process of merchant on boarding. This process is done to make sure that minimal baseline security standards are followed by the merchants.

• Cyber Security Audit and Reports

  All the business entities must carry out and submit a quarterly internal and external audit. After that, they must submit the report to the IT Committee. Further, they need to submit bi-annual VAPT (Vulnerability Assessment or Penetration Test) reports; PCI-DSS comprising of AOC (Attestation of Compliance) and ROC (Report of Compliance) compliance report with the observations noted if any including preventive or corrective actions planned with action closure date.

• Staff Competency

  All the business resources must have a clear understanding, experience and training for the IT function.

• Vendor Risk Assessment

  The SLAs (Service Level Agreements) for support of technology comprising of BCP-DR and the data management must definitely include clauses that allow regulatory access to these set-ups.

• Maturity and Roadmap

  The businesses must regularly assess their IT maturity level according to the international standards or design an action plan and then execute the plan for reaching the target maturity level.

• Cryptographic Requirement

  All the businesses must choose an encryption algorithm as a well-established international standard. However, the same has been subjected to severe inspection by an international community of cryptographers.

• Data Sovereignty

  All the businesses need to take preventive measures to ensure that storing data in the infrastructure that does not belong to any external jurisdiction.

• Data Security in Outsourcing

  There must be an agreement relating to outsourcing providing the ‘right to audit’ clause to authorize the entities or their appointed agencies and regulators for conducting security audits. Alternatively, the third parties must submit annual independent security audit reports to the businesses.

• Payment Application Security

  Payment applications must be developed as per PA-DSS guidelines and as per the requisite requirement. The business must review the PCI-DSS compliance status as a part of the merchant on boarding process.

FAQs of Payment Gateway License