DigiFortex, as a CERT-In empaneled cybersecurity expert, helps banks meet RBI’s Payment Aggregators & Payment Gateways audit requirements with precision and expertise. We support financial institutions in identifying security gaps, establishing robust monitoring systems, and ensuring full regulatory compliance. With our guidance, banks can confidently secure their systems, protect customer data, and stay resilient against evolving cyber threats.
Our team of skilled auditors and consultants prioritizes transparency, accuracy, and actionable insights, helping you not only meet compliance but also enhance the integrity and resilience of your information systems. DigiFortex goes beyond basic auditing by offering guidance to strengthen your IT processes, protect assets, and secure data integrity, ensuring your systems function effectively under all conditions.
What is Payment Aggregators & Payment Gateways (PA/PG) Audit?
On March 17, 2020, the RBI released new guidelines for regulating Payment Aggregators and Payment Gateways. These guidelines require these entities to obtain authorization from the RBI for settling payments with merchants within a specified transaction time.
The "Guidelines on Regulation of Payment Aggregators and Payment Gateways" outline the RBI's decision to fully regulate payment aggregators and provide foundational technology recommendations for payment gateways. The purpose of these guidelines is to support payment aggregators with essential technology standards for secure transaction processing.
With these new regulations, Payment Aggregators and Payment Gateways are now subject to RBI oversight to enhance the safety of online transactions. Key aspects of these guidelines include:
- Payment Aggregators must implement baseline technology standards, such as data security, cybersecurity audits, incident reporting, and comprehensive IT policies.
- Clear policies are required for merchant onboarding, privacy policies, customer grievance redressal, and adherence to the Prevention of Money Laundering Act (PMLA) of 2002.
- E-commerce companies engaged in payment aggregation must obtain an authorized license and create a separate entity for their Payment Aggregator functions.
- Non-bank Payment Aggregators must be standalone entities incorporated under the applicable corporate law, with Payment Aggregator activities forming part of their corporate structure.
- Non-bank Payment Aggregators must notify the RBI’s Chief General Manager within 15 days of any significant ownership change, acquisition, or management shift.
- The RBI also provided an authorization format, which includes requirements for net-worth certification, director undertakings, auditor certifications, escrow account balances, and monthly transaction data storage by Payment Aggregators.
- Non-bank Payment Aggregators are required to have a minimum net worth of ₹15 crore, increasing to ₹25 crore by the end of the financial year.
Our Proven Audit Approach
Our detailed audit process ensures that your payment systems meet regulatory standards, while also strengthening your organization’s security posture.
Business Understanding: We begin by evaluating your business processes and environment to identify all relevant in-scope elements.
Audit Scope Finalization: A detailed questionnaire is shared with your teams to collect evidence on architecture, implementation, and controls.
Initial Audit: We assess your infrastructure to identify all storage locations containing payment-related data.
Risk Assessment: Our team conducts a risk analysis of your information security posture, highlighting potential vulnerabilities.
Data Flow Assessment: A comprehensive analysis is performed to understand data flow and detect any potential leakage points.
Remediation Support: We provide actionable solutions to address compliance challenges and strengthen your systems.
Scans and Testing: We perform rigorous testing to uncover critical vulnerabilities in your system.
Evidence Review: Evidence collected is reviewed to evaluate its maturity and alignment with compliance requirements.
Final Audit: A thorough examination is conducted to ensure all identified vulnerabilities are addressed and the system is secure.
Concise Reporting: Our team delivers a detailed report covering all findings and insights from the assessment cycle.
Why DigiFortex?
As a CERT-In empaneled and ISO 27001:2022 certified organization, DigiFortex is globally recognized in providing Information Security consulting. Our team started McAfee in India and holds 17 US patents.
Our team is composed of globally certified experts, including ISO 27001 Lead Auditors for Information Security, Certified Information Privacy Professionals for Europe (CIPP/E) from the International Association of Privacy Professionals (IAPP), DSCI Certified Privacy Lead Assessors (DCPLA), CCSA, CISM, CISA, ISO 27001 LA, CEH, CRTP and more. Backed by diverse industry experience, our professionals provide comprehensive security and privacy solutions tailored to meet the highest standards.
A small glimpse of DigiFortex’s globally recognized work
- Completed the Prepaid Payment Instrument (PPI) audit for Amazon Pay, which included:
  - IS Audit (Information System Audit)
  - V-KYC (Video-based Know Your Customer)
  - VAPT (Vulnerability Assessment and Penetration Testing)
  - SAR (Security Assessment Report)
  - RBI Data Localization compliance
- Conducted security assessments for the #1 U.S. financial institution, covering 17 of their websites across 17 countries.
- Performed a comprehensive Cloud Security Assessment for HDFC Bank.
- Provided IT audit services for the integration of HDFC’s system with the Government of India’s Solar Energy Corporation of India (SECI).
- Selected by Indian Bank to conduct a full security assessment of their data centers in Chennai and Mumbai.