RBI Guidelines for Payment Aggregators and Payment Gateways

Responsibility Of Merchant’s Security
The Open Web Application Security Project is an online community dedicated to the creation of free, open-source publications, documentation, tools, and technologies in the field of Web application security.
- Compliance with PCI-DSS & PA-DSS (as applicable) for Merchant’s Applications & Infrastructure
- Agreement with Merchant Regarding Security & Privacy of Customer Data
- Review of Periodic Security Assessment Reports & Risk Assessment Reports on Contract Renewal

Security, Fraud Prevention and Risk Management Framework
- Strong risk management system – Prevent fraud and ensure customer protection.
- Adequate information and data security infrastructure and systems for prevention and detection of frauds.
- Implementation of board approved information security policy.
- Implement baseline technology-related recommendations in Annexure 2.
- Mechanism for monitoring, handling and follow-up of cyber security incidents and breaches.
- Comply with data storage requirements as applicable to Payment System Operators (PSOs).
- System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors.

Baseline Technology-related Recommendations
- Information Security Governance
- Data Security Standards
- Security Incident Reporting
- Comprehensive Security Assessment during Merchant Onboarding
- Cyber Security Audit and Reports: Quarterly Internal Audits, Annual External Audit Reports, Bi-Annual Vulnerability Assessment / Penetration Test (VAPT) reports, and PCI-DSS compliance reports, including the Attestation of Compliance (AOC) and the Report on Compliance (ROC)
- Board Approved Information Security Policy
- Board Approved IT Governance Policy
- IT Steering Committee
- Enterprise Information Model
- Cyber Crisis Management Plan
- Enterprise Data Dictionary
- Risk Assessment
- Access to Application
- Competency of Staff
- Vendor Risk Management
- Maturity and Roadmap
- Cryptographic Requirement
- Forensic Readiness
- Data Sovereignty
- Data Security in Outsourcing
- Payment Application Security


Compliance Submissions
- Annual – IS Audit Report and Cyber Security Audit Report
- As Needed – Cyber Security Incident Reports

What is Application Security?
Effective Security Testing Safeguards your Applications from Cyber Threats & Vulnerabilities
RNR Application Security Testing helps you detect application vulnerabilities, provides full coverage for Web and Mobile application infrastructure and online services, and reduces risk so that you can meet regulatory compliance requirements. Our Application Security Methodology extends beyond what scanning software detects to identify and prioritize the most vulnerable aspects of your online application and to come up with practical solutions.