RBI Approved Payment Gateway: Compliance Rules Every Merchant Must Know
Highlights:
- Understand the difference between payment aggregators, which need RBI authorisation, and pure payment gateways, which only follow RBI's baseline technology recommendations
- Verify your payment partner meets ₹15-25 crore net worth requirements, ensuring financial stability for merchant settlements
- Learn the critical December 31, 2025, authorisation deadline and February 28, 2026, wind-down date for non-compliant providers
- Discover merchant obligations, including card data storage prohibition and PCI DSS compliance verification responsibilities
Introduction
Every online sale ends at one critical point: payment collection. If that payment fails, settles late, or runs through a non-compliant partner, your revenue is at risk. Many merchants focus on pricing, ads, and conversion rates, but overlook the compliance strength of their payment provider.
That can be costly.
The Reserve Bank of India (RBI) regulates payment systems to protect merchants, consumers, and the wider financial ecosystem. In 2025, the RBI issued a consolidated framework for Payment Aggregators. For merchants in 2026, choosing an RBI-approved payment gateway or authorised payment partner is no longer optional. It is a business necessity.
Understanding Payment Aggregators vs Payment Gateways: What Merchants Must Verify
The terms "Payment Gateway" (PG) and "Payment Aggregator" (PA) are often used interchangeably. However, the RBI draws a sharp regulatory line between them. A payment gateway is the technical bridge: it passes the customer's payment details from your checkout to the acquiring bank or processor. It never holds the money.
In contrast, a payment aggregator actually handles the funds. It collects customer payments on behalf of many merchants, pools them in an escrow account, and settles the money into each merchant's bank account. Because PAs hold customers' money, they must obtain a Certificate of Authorisation from the RBI.
| Feature | Payment Gateway (PG) | Payment Aggregator (PA) |
|---|---|---|
| Primary Role | Technical infrastructure and data encryption. | Fund collection, pooling, and settlement. |
| Fund Handling | Does not handle or pool merchant funds. | Collects customer funds and settles them to merchants. |
| RBI Requirement | Baseline technology recommendations only; no authorisation. | Mandatory RBI Certificate of Authorisation. |
| Integration | Direct integration with an acquiring bank. | Single integration for multiple payment modes. |
As a merchant, you cannot partner with a "pure" technical Payment Gateway to settle funds. You must partner with either an acquiring bank or an RBI-authorised Payment Aggregator.
Capital Requirements: Ensuring Your Payment Partner's Financial Stability
The RBI ensures that only financially robust entities handle merchant settlements. Non-bank Payment Aggregators must meet stringent net-worth criteria to stay operational. These rules ensure that your partner can absorb financial shocks without stopping your payouts.
- Initial Application Stage: A minimum net worth of ₹15 crore is required at the time of submitting the application to the RBI.
- Escalation Goal: The PA must increase its net worth to ₹25 crore by the end of the third financial year after receiving authorisation.
- Continuous Maintenance: This ₹25 crore level must be maintained at all times thereafter.
If a provider fails to meet these capital requirements, the RBI can revoke its authorisation, forcing it to stop processing your transactions and freezing your settlements until you migrate.
Merchant Data Protection: Card Storage and Security Compliance
Protecting customer data is a legal necessity under the Digital Personal Data Protection (DPDP) Act and RBI mandates. The most critical rule for merchants is the prohibition of card storage.
The Card-on-File (CoF) Ban
The RBI prohibits merchants (and every other entity in the payment chain except card issuers and card networks) from storing actual card numbers, CVVs, or expiry dates. This applies even if you are PCI DSS compliant. For reconciliation you may retain only the last four digits of the card number and the issuer's name.
To offer a "Saved Card" experience you must use Tokenisation. The card number (PAN) is replaced by a token issued by the card network, unique to the combination of card, token requestor, and merchant. If your website is breached, a stolen token cannot be used as a card number elsewhere, which is why it may be stored while the PAN may not.
Security Pillars for 2026
- PCI DSS 4.0.1 Compliance: v4.0.1 is the only active version of the standard, and its formerly future-dated requirements became mandatory on 31 March 2025, so any 2026 assessment is against the full standard. This includes Multi-Factor Authentication (MFA) for all access into the cardholder data environment, not just remote access.
- Encryption: Where PAN is stored at all, PCI DSS 4.0.1 (requirement 3.5.1.2) no longer accepts disk- or partition-level encryption on its own for non-removable media. PAN must also be rendered unreadable by another mechanism such as column-level encryption, truncation, keyed hashing, or tokenisation. Under the RBI rule above, a merchant should have no PAN to protect in the first place.
- Access Logs: Maintain audit logs of who accessed customer and payment data, protect them from tampering, and review them at least daily as PCI DSS requires, so that a leak of raw card data into application logs or databases is caught quickly.
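The two controls above meet in practice as a single check: because a merchant may hold only tokens and the last four digits, any Luhn-valid 13 to 19 digit run appearing in application logs or database exports is a compliance failure that the daily log review should catch. The following is an added example written for this page, not code from the RBI, PCI SSC, or any payment aggregator. It scans constructed sample log lines for raw PANs, ignores digit runs such as order numbers that fail the Luhn check, and produces the masked form (first six, last four) that PCI DSS permits for display. The log format and the `tok_` token prefix are assumptions for illustration.

```python
"""Scan merchant-side logs for raw card numbers (PANs) that must never be stored."""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Matches PANs written as
# 4111111111111111, 4111 1111 1111 1111 or 5555-5555-5555-4444.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real customer data). Lines 2 and 4 leak a
# raw PAN (public test card numbers); the others carry only an order number,
# an assumed PA-issued token and the permitted last-four digits.
SAMPLE_LOG = [
    "2026-01-12T10:21:03Z INFO  order=20260112000017 amount=1299.00 status=created",
    "2026-01-12T10:21:04Z DEBUG charge request card=4111 1111 1111 1111 exp=12/27 cvv=123",
    "2026-01-12T10:21:05Z INFO  order=20260112000017 token=tok_7f3a9c2e last4=1111 status=authorised",
    "2026-01-12T10:22:10Z DEBUG refund card=5555-5555-5555-4444 amount=1299.00",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators removed."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # order numbers and timestamps normally fail here
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, masked PAN) for each leaked PAN found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: raw PAN stored, masked form {masked}")
    print("--- redacted log ---")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the scanner over log archives and database dumps on the same daily cadence as the log review gives a concrete test for the "no card data stored" obligation; the `redact` function is the shape of the filter to put in front of log sinks so that a debug statement cannot write a PAN in the first place. Note that line 2 also logs a CVV, which no entity may store after authorisation, so a production filter would additionally drop fields named `cvv`, `cvc` or similar.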
Critical Compliance Deadlines Merchants Cannot Miss
The year 2026 is a "bridge year" for Indian digital commerce. Several security transitions are moving from being "recommended" to "mandatory."
1. RBI Authentication & Tokenisation (April 1, 2026)
From this date the RBI's directions on authentication mechanisms for digital payment transactions apply. Every transaction must carry an additional factor of authentication (AFA, the "2FA" of the table below), and issuers may apply risk-based authentication, so a card-present-style static OTP step is no longer the only accepted flow. Merchants must ensure their checkout can complete the issuer's authentication challenge without breaking the payment.
2. DPDP Act Consent Framework (November 13, 2026)
The consent manager framework under the Digital Personal Data Protection (DPDP) Rules becomes operational, overseen by the Data Protection Board of India. Merchants must be able to prove they hold clear and informed consent to process a user's financial data. You must also be ready to notify affected users and the Board of a personal data breach without delay, with a detailed report to the Board within 72 hours.
3. Non-Compliant Provider Wind-Down (February 28, 2026)
Payment providers that did not obtain RBI authorisation by December 31, 2025 must wind down operations by February 28, 2026. Merchants still using such a provider must migrate to an authorised partner before that date to avoid a total freeze on settlements.
2026 Merchant Compliance Calendar
| Date | Authority | Requirement |
|---|---|---|
| Feb 28, 2026 | RBI | Wind-down date for payment providers without authorisation. |
| March 15, 2026 | Income Tax Dept | 100% Advance Tax payment due for FY 25-26. |
| April 1, 2026 | RBI | Mandatory 2FA (AFA) and Tokenisation compliance. |
| April 1, 2026 | Govt of India | Commencement of the New Income Tax Act 2025 framework. |
| Nov 13, 2026 | Data Protection Board of India | Consent Manager Framework becomes operational (DPDP Act). |
Moving Forward with Regulatory Confidence
The RBI’s unified framework for payment aggregators is designed to build trust in the digital economy. While the rules may seem complex, they provide a safety net for your business. By verifying your partner’s net worth and ensuring you do not store prohibited card data, you insulate your company from regulatory fines and financial loss.
Do not wait for the February 28, 2026 wind-down deadline to take action. Audit your payment stack today. Ensure your partner appears on the RBI's list of authorised Payment Aggregators. Compliance is not just a legal hurdle. It is the foundation of operational security for your digital future.
FAQs
1. Which payment gateways are approved by RBI?
RBI maintains an official list of authorised Payment Aggregators with Certificate of Authorisation at rbi.org.in. Merchants should verify that their payment partner appears on this list to ensure regulatory compliance and operational legitimacy.
2. What is the difference between a payment aggregator and a payment gateway?
Payment Aggregators collect customer payments and settle them to merchants, so they handle funds and require RBI authorisation. Payment Gateways only route transaction data and never touch funds, so they need no RBI authorisation and are expected only to follow the RBI's baseline technology recommendations.
3. What is the minimum net worth requirement for RBI-approved payment aggregators?
₹15 crore at RBI application, increasing to ₹25 crore by the third financial year post-authorisation. This ensures merchants work with financially stable partners capable of fulfilling settlement obligations during operational stress.
4. Can my business store customer credit or debit card details on our website?
No. RBI prohibits merchants from storing card numbers, CVV, or expiry dates regardless of PCI DSS compliance. Merchants must use tokenisation services provided by payment aggregators or card networks for recurring payments.
5. Is PCI DSS compliance mandatory for merchants in India?
PCI DSS applies to every entity that stores, processes, or transmits cardholder data. Merchants must verify that their payment partner is PCI DSS compliant and ask for its current attestation. Merchants that never see raw card data (for example, a hosted or redirect checkout) have a much smaller scope but must still meet the requirements that apply to their integration, including keeping card numbers out of their own logs and databases.
