India’s digital payments ecosystem is surging. With UPI alone processing 21.63 billion transactions monthly and accounting for 84.8% of all digital payments, the infrastructure powering online commerce has never been more critical – or more scrutinized. The regulatory environment has tightened considerably following the September 2025 RBI Master Directions for Payment Aggregators, establishing a new baseline that every merchant must meet before accepting a single rupee online.
Simultaneously, the payment card industry underwent its own seismic shift. PCI DSS v4.0.1 became fully enforceable on March 31, 2025, turning previously optional future-dated requirements into hard mandates. Client-side script monitoring, stronger authentication controls, and rigorous data handling protocols are no longer aspirational – they are table stakes. The compliance requirements to integrate payment gateway services in India have fundamentally changed.
The consequences of ignoring these changes are severe. Non-compliance can trigger integration rejection, frozen settlement funds, or penalties under the Prevention of Money Laundering Act (PMLA) and the Payment and Settlement Systems Act, 2007. Fines can reach up to ₹1 crore. In 2026, compliance is not about checking a box – it is about ensuring business continuity.
This guide covers the complete checklist: from the mandatory website policies and KYC documents that payment aggregators verify before activation, to the backend technical requirements around data localization, tokenization, and anti-fraud protocols that keep your merchant account active and your funds flowing.
Key takeaways
- Compliance Is Mandatory, Not Optional: To activate a payment gateway in 2026, merchants must verify corporate documentation (PAN, GST), publish specific website disclosures (Refund Policy, physical contact info), and strictly adhere to new PCI DSS v4.0.1 standards.
- Critical Regulatory Update: The 2025 RBI Master Directions enforce rigorous Merchant Due Diligence and 100% data localization, requiring that all foreign data copies be purged within 24 hours of transaction processing.
- Technical Security Shift: Under PCI DSS v4.0.1 (effective March 2025), merchants must implement client-side script monitoring to prevent digital skimming – a step up from previous server-side-only requirements.
- Risk of Non-Compliance: Failure to appoint a Nodal Officer or mismatched KYC details (e.g., legal name vs. bank name) will lead to immediate integration rejection, frozen funds, or deactivation under the PMLA and Payment & Settlement Systems Act.
Quick Checklist: Core Compliance Requirements You Can’t Skip
Before diving into the details, here is the high-level payment gateway integration checklist every Indian business needs. Think of these as the compliance requirements to integrate payment gateway services that no merchant can afford to overlook.
Compliance Readiness Checklist
| Requirement Category | Specific Action Items | Criticality |
|---|---|---|
| Corporate Documentation | Certificate of Incorporation, GST Registration Certificate, PAN Card (entity), Cancelled cheque or bank letter with matching legal name | Mandatory |
| Website Disclosures | Refund & Cancellation Policy (with timelines), Terms of Service, Privacy Policy (specifying data purposes), Physical contact address, phone number, and email | Mandatory |
| Technical Security | TLS 1.2 or higher on all pages, PCI DSS v4.0.1 compliance (SAQ or ROC as applicable), Client-side script inventory on payment pages | Mandatory |
| RBI Regulatory Adherence | PA-O guideline compliance, 100% data localization in India, Grievance/Nodal Officer appointment, Card-on-File tokenization (no raw card storage) | Mandatory |
| Recurring Payments | e-Mandate registration with AFA for transactions above ₹15,000, Pre-debit notification setup | Recommended (if applicable) |
| Enterprise Governance | System Audit Report (SAR), Vendor risk assessment (verify PA holds RBI CoA), SLA/uptime documentation | Recommended |
This checklist covers the essentials of the online payment compliance India requires in 2026. For more detailed walkthroughs on each step, explore Razorpay’s payment gateway integration resources to map these requirements to your specific business type and integration model.
How Razorpay’s Payment Gateway Handles RBI and PCI Compliance for Merchants
Razorpay operates as a fully RBI-authorised Payment Aggregator and holds PCI DSS Level 1 certification – the highest compliance tier in the industry – which means merchants processing payments through Razorpay are automatically within a compliant infrastructure without needing to pursue their own certification. Built-in tokenisation replaces raw card data at the point of collection, and automated merchant KYC addresses the onboarding compliance requirements under the RBI’s 2025 Payment Aggregator directions. For businesses navigating the overlapping demands of PCI DSS, RBI guidelines, and India’s DPDP Act, having these handled at the platform level significantly reduces the compliance surface area that internal teams need to manage directly.
Did You Know?
The average cost of a data breach in the financial services sector is approximately $5.97 million, according to industry data. PCI DSS non-compliance fines start at $5,000–$10,000 per month and can escalate to $100,000 per month after six months – on top of breach-related costs. In India, non-compliance with the RBI’s 2025 Payment Aggregator guidelines can additionally trigger penalties of up to ₹1 crore under the Payment and Settlement Systems Act, 2007.
What You Need to Disclose on Your Website (and Where)
Many merchants underestimate this requirement, but it is often the first gate. Payment aggregators are legally required to verify specific disclosures on your live website before activating your merchant ID. Missing even one element can result in immediate verification rejection – no matter how solid your backend infrastructure is.
Here is exactly what website compliance for payment gateway activation demands:
Identity and Contact Information
- Display your legal entity name (as registered, not just a brand name)
- Publish a physical address – a PO Box will not suffice
- Provide active customer support channels: a working email address and phone number with business hours
- These details should appear on a dedicated “Contact Us” page and ideally in the website footer
Policy Transparency
- Terms and Conditions must be accessible from the checkout page, not buried three clicks deep
- Privacy Policy must clearly specify what data you collect, why you collect it, and how it is used – a mandatory requirement for ecommerce privacy policies under India’s evolving data protection framework
- Both policies should be linked in the footer of every page
Refund and Cancellation Logic
- Policies must state clear timelines (e.g., “refunds processed within 5-7 business days”) and specific conditions for returns
- These refund policy requirements are aligned with the Consumer Protection (E-Commerce) Rules, 2020
- Vague language like “refunds at seller’s discretion” without defined timelines will trigger rejection
Product and Service Clarity
- All products or services must have clear descriptions, visible pricing, and currency displayed in INR
- Hidden fees or misleading descriptions can flag your site for “misleading advertisement” violations, stalling your integration indefinitely
Why You’re Now Required to Have a Grievance Redressal System
This is one of the most frequently missed compliance requirements to integrate payment gateway services – and one of the fastest ways to get your activation blocked.
Under the Consumer Protection (E-Commerce) Rules and updated RBI guidelines, every merchant accepting online payments must appoint a Nodal Officer or Grievance Officer. This is not optional. The officer’s full name, designation, email address, and phone number must be published prominently on your website, typically on a dedicated “Grievance Redressal” page or within your Contact Us section.
The mandated timeline is strict: you must acknowledge every customer complaint within 48 hours and resolve it within one month. Failure to comply risks not only integration rejection but also penalties under consumer protection law and RBI’s payment aggregator framework. If you do not have a grievance officer listed on your site today, fix it before applying.
PCI DSS v4.0.1 and Other Technical Security Requirements
PCI DSS – the Payment Card Industry Data Security Standard – is the global framework that governs how businesses handle, store, and transmit cardholder data. If you accept card payments, compliance is non-negotiable. But the landscape shifted dramatically when PCI DSS v4.0.1 requirements became fully mandatory on March 31, 2025.
What Changed with v4.0.1
The most significant update is the new emphasis on client-side security. Under Requirements 6.4.3 and 11.6.1, merchants must now manage, authorize, and monitor all scripts running on their payment pages. This directly targets digital skimming attacks – commonly known as Magecart attacks – where malicious JavaScript intercepts card data in the customer’s browser.
Previously, PCI compliance focused primarily on server-side protections. Now, merchants must maintain a complete inventory of every script loaded on payment pages, justify each script’s presence, implement integrity monitoring to detect unauthorized changes, and use mechanisms like Content Security Policy (CSP) headers and Subresource Integrity (SRI) to enforce script governance. This client-side script monitoring requirement for payment pages is a fundamental shift in how PCI scope is understood.
PCI DSS v3.2.1 vs. v4.0.1 – Key Differences
| Area | v3.2.1 (Legacy) | v4.0.1 (Current Mandate) |
|---|---|---|
| Script Security | Server-side focus only | Client-side script inventory, authorization, and monitoring required |
| Authentication | Basic MFA for admin access | Stronger MFA across all access to cardholder data environments |
| Risk Assessment | Annual assessment | Targeted risk analysis for each flexible requirement |
| Encryption | TLS 1.1 acceptable in some cases | TLS 1.2 or higher mandatory for all data transmission |
| Monitoring | Periodic log review | Automated, real-time detection of security-impacting changes |
SAQ vs. ROC: Know Your Compliance Level
Your validation method depends on your integration model. SAQ (Self-Assessment Questionnaire) applies to most merchants. If you use a hosted checkout like Razorpay’s, you likely qualify for SAQ A – the lightest assessment. Self-hosted or API-based integrations may require SAQ A-EP or SAQ D, with significantly deeper security requirements. Large enterprises or those processing millions of transactions annually will need a full ROC (Report on Compliance) conducted by a Qualified Security Assessor.
RBI Regulatory Mandates for 2026
The September 2025 RBI Master Directions for Payment Aggregators represent the most comprehensive regulatory overhaul India’s digital payments sector has seen. These 2025 RBI payment aggregator guidelines set the rules for both PA-O (online) and PA-P (physical) aggregators and, by extension, define what every merchant must comply with during onboarding and ongoing operations. Understanding these 2026 digital payment regulations is essential for any business planning to accept payments online.
Merchant Due Diligence and Onboarding
Under the updated framework, payment aggregators must now perform stricter Merchant Due Diligence (MDD) before onboarding any business. For merchants, this means your documentation must be airtight.
The single most important rule: your bank account name, PAN name, and GST legal name must match exactly. Even minor discrepancies – an ampersand versus “and,” a missing middle initial – are the number one cause of integration delays and rejections.
Documents required by entity type:
Sole Proprietorship:
- PAN card of the proprietor
- GST registration certificate
- Business address proof (utility bill, rent agreement)
- Cancelled cheque or bank statement with matching name
- Aadhaar or Passport of the proprietor
Private Limited Company:
- Certificate of Incorporation
- PAN card of the company
- GST registration certificate
- MOA and AOA
- Board resolution authorizing the signatory
- Cancelled cheque of the current account
For streamlined verification processes, explore Razorpay’s merchant onboarding documentation resources.
Data Localization and the 24-Hour Purge Rule
The RBI mandate on payment data localization, including its 24-hour purge rule, is unambiguous: all end-to-end transaction data must be stored exclusively on servers located within India. This includes card numbers, transaction logs, authentication data, and settlement records.
If any part of the transaction chain processes data through servers located outside India – common with global cloud providers – that foreign copy must be purged within 24 hours. There are no exceptions for backup copies or disaster recovery replicas stored abroad. Merchants using international cloud infrastructure must configure region-locked storage or work with their gateway provider to ensure full compliance. Violations are monitored through RBI’s periodic system audits and can result in immediate service suspension.
Data Localization Flow: Transaction originates in India → Processed (may temporarily touch foreign servers) → Stored permanently in India only → Any offshore copies deleted within 24 hours.
Tokenization and Card Storage Rules
Under the RBI’s Card-on-File (CoF) tokenization guidelines, merchants are strictly prohibited from storing raw card numbers on their own servers. This rule applies regardless of customer consent. No exceptions.
If your business offers a “saved cards” feature for faster checkout, you must use tokenization APIs provided by your payment gateway or card network. Tokenization replaces the actual card number with a unique, non-reversible token that is useless if intercepted. Razorpay and other authorized gateways provide compliant tokenization solutions that maintain the saved-card experience for customers without exposing your business to regulatory or security risk.
Storing PANs, CVVs, or expiry dates on merchant servers – even encrypted – is a direct violation that triggers MID deactivation and potential PMLA proceedings.
Did You Know?
UPI alone processed 21.63 billion transactions in December 2025, accounting for 84.8% of all retail digital payments in India – making India’s payments ecosystem one of the most active and scrutinized in the world. With this scale comes proportionally heightened regulatory oversight: the RBI’s 2025 Master Directions for Payment Aggregators establish some of the strictest data localization, tokenization, and merchant due diligence requirements of any major economy, reflecting India’s commitment to securing the world’s highest-volume real-time payment infrastructure.
Recurring Payments and e-Mandate
For businesses using subscription or recurring billing models, the RBI’s e-Mandate framework adds another compliance layer. Additional Factor of Authentication (AFA) is required for setting up any recurring mandate. For recurring debits exceeding ₹15,000 (or the current applicable limit), AFA must be performed for each transaction.
Merchants must also send pre-debit notifications to customers at least 24 hours before each scheduled debit, giving them the option to pause or cancel. Non-compliance with these e-Mandate rules is a fast path to payment failures and customer disputes.
Enterprise Governance: Audits and SLAs
For mid-market and enterprise businesses, the compliance requirements to integrate payment gateway services extend beyond documentation and website policies into operational governance.
System Audit Reports (SAR)
If your infrastructure interacts directly with payment flows – handling callbacks, processing webhooks, or touching transaction data – you may need a System Audit Report. This independent assessment evaluates your security controls, data handling practices, and compliance posture. While not mandatory for every merchant, PAs increasingly request SARs from businesses with deeper integrations.
Vendor Risk Management
Compliance is a two-way street. Enterprises must verify that their payment gateway provider holds a valid Certificate of Authorization (CoA) from the RBI. Operating with an unauthorized PA puts your business at direct regulatory risk. Ask your provider to share their CoA and confirm their latest PCI DSS Level 1 certification.
Key questions to ask your payment partner:
- Do you hold a current RBI Certificate of Authorization as a PA-O?
- What is your PCI DSS compliance level and last audit date?
- What are your uptime SLAs, and what compensation applies for downtime?
- How do you handle data localization and where are your primary data centers?
- What dispute management and chargeback tools do you provide?
SLA and Uptime Commitments
Compliance also involves ensuring your provider meets reliability standards. With leading gateways offering 95%+ transaction success rates, prolonged downtime or chronic failures create denial-of-service risks that affect both revenue and regulatory standing.
Anti-Money Laundering (AML) for Marketplaces
If you operate a marketplace model, you carry additional compliance obligations. Marketplace operators must perform sub-merchant KYC, monitor for suspicious transaction patterns, and ensure settlement controls align with RBI’s AML framework. This marketplace settlement compliance requirement is separate from your own merchant-level obligations.
Stay updated on evolving requirements through Razorpay’s RBI compliance updates.
How Razorpay Automates 2026 Compliance
Meeting every compliance requirement manually is resource-intensive and error-prone. Razorpay is designed to absorb the compliance burden so businesses can focus on growth rather than regulatory paperwork.
RBI-Authorized Payment Aggregator
Razorpay holds full authorization from the RBI as a PA-O, meaning every merchant onboarded through Razorpay operates within a regulated, audited framework from day one.
Automated Onboarding and KYC
Razorpay’s dashboard automates the document verification and KYC process. Its automated KYC tools flag name mismatches, missing documents, and formatting errors before submission – eliminating the most common causes of integration delays.
PCI DSS Level 1 Certified
As a PCI DSS Level 1 certified provider, Razorpay handles the security infrastructure so merchants using hosted checkout do not need to build or maintain their own secure card data vaults. Your PCI scope is minimized to SAQ A in most cases.
Built-In Tokenization
Razorpay’s tokenization solutions provide a compliant “saved cards” experience out of the box. Customers enjoy one-click checkout while your business stays fully aligned with RBI’s CoF rules – zero raw card data touches your servers.
Dispute and Grievance Management
Razorpay compliance features include automated chargeback handling, evidence submission workflows, and grievance tracking tools that align with RBI’s mandated resolution timelines. With a 40% rise in e-commerce fraud reported in 2025, these tools are not optional – they are operational necessities.
Ready to streamline your payments?
Scale your business with a gateway that supports 100+ payment methods, including UPI, Credit Cards, and Netbanking. Transition to a reliable infrastructure designed to improve transaction success rates and automate your daily reconciliation.
Conclusion
The compliance requirements to integrate payment gateway services in 2026 operate on two levels: the visible layer – website disclosures, contact details, and policy pages that customers and aggregators can see – and the invisible layer – data localization, tokenization, PCI controls, and regulatory adherence that protect the entire transaction chain.
The 2025 RBI Master Directions and PCI DSS v4.0.1 have established the new baselines. These are not temporary guidelines awaiting relaxation. They are the permanent foundation for the secure payment processing India demands from every participating business.
Smart businesses treat compliance not as a hurdle but as a trust signal. Customers transact more confidently with merchants who visibly prioritize security and transparency. The 25% conversion uplift that compliant, seamless checkouts deliver is a measurable business advantage.
Choose a partner that stays ahead of regulatory shifts. With RBI authorization, PCI Level 1 certification, and automated compliance tools, Razorpay ensures your payment integration is not just live – it is future-proof.
FAQs
1. Do I need to be PCI compliant if I use a compliant payment gateway like Razorpay?
Yes, utilizing a PCI-compliant gateway significantly reduces your compliance scope but does not eliminate the requirement entirely. Most merchants must still complete a Self-Assessment Questionnaire (SAQ) to validate their internal data handling practices and confirm that no card data is stored on their servers.
2. What are the specific penalties for non-compliance with the RBI’s 2025 Payment Aggregator guidelines?
Non-compliance can result in immediate deactivation of your merchant ID (MID), freezing of settlement funds, and penalties under the Payment and Settlement Systems Act, 2007, reaching up to ₹1 crore. Additionally, failure to appoint a Nodal Officer violates the Consumer Protection (E-Commerce) Rules.
3. Does the RBI data localization rule apply if I use cloud servers located outside India?
Yes, the RBI mandates that all end-to-end transaction data must be stored exclusively in India. If your cloud infrastructure processes data abroad, that data must be deleted from foreign systems within 24 hours to remain compliant.
4. Can I store customer card details for faster checkout if they give consent?
No. Under the RBI’s Card-on-File Tokenization guidelines, merchants are strictly prohibited from storing raw card numbers on their servers, regardless of customer consent. You must use approved tokenization APIs provided by your payment gateway or card network.
5. What are the mandatory website disclosures required for payment gateway verification?
You must prominently display your Terms and Conditions, a Privacy Policy specifying data usage, a Refund and Cancellation Policy with clear timelines (e.g., 5-7 business days), and physical contact details including a working phone number, email address, and registered address.