Crossbow Labs

Crossbow Labs Logo


RBI SAR Assessment and Reporting based on Guidelines on Regulation of Payment Aggregators and Payment Gateways popularly known as RBI SAR for PA & PG.

CBL is a CERT-In empanelled auditor with 300+ customers in the Fintech industry.

Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries that play an important function in facilitating payments in the online space. Entities may be a source of risk in such a technology and customer experience-intensive business if they have inadequate governance practices which may impact customer confidence and experience.

The Reserve Bank of India (RBI) has tightened its supervision norms over payments companies storing and processing customer data. RBI’s department of payment and settlement systems (DPSS) has issued a circular (Ref: RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020, Annexure 2) to Indian PSOs (Payment Systems Operators) to submit a board-approved system audit report (SAR) by CERT-empanelled auditors by 31st May of every year.

Entities Covered

Indian PSO’s operating as a Payment Aggregator (PA) or Payment Gateway (PG) will come under the purview of this assessment. 

“PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.” 

“PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.” 

RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020  

RBI PA & PG - Assessment Services

System Audit Report (SAR)

IS Audit Report and Cyber Security Audit Report with observations noted, if any, including corrective / preventive action planned with closure date.


Cyber Security Audit Report

Internal audit and reporting is required to be done. This can be initiated well in advance and is required to be done on a quarterly basis.  

Cyber Security Incident reports

A due diligence process for incident management is required to be done, with root cause analysis and preventive action undertaken

Bespoke Advisory Solutions

Customised solutions based on the size of your organization. Our vast experience in cybersecurity consulting will help achieve your compliance with the RBI issued circulars.

Assessor Experience

As a CERT-In empanelled auditor, CBL is qualified to assess, consult, and issue RBI SAR reports for eligible entities.

CBL has extensive experience in the fintech space providing consulting, testing, and monitoring services to 300+ organizations in this space.

As an assessor for various compliance programs, CBL has a deep understanding of the process and security controls in PA and PG environments.

Compliance Management

We built a compliance management tool to ensure managing a compliance standards as detailed as the PCI-DSS and ISO 27001. The RBI Circulars are also built into our compliance tool which will help you organise your compliance management and maintenance over the entire compliance year.

RBI PA-PG Turnkey Services

Crossbow Labs can work with organisations from the inception of the processes to the implementation and maintenance of the controls, including periodic internal audits and compliance management services.

Approach - RBI Circulars

Objectives - Assessments - Consulting - RBI Reporting

The Reserve Bank of India has defined the processes which are required to be followed by CERT-IN empanelled auditors like Crossbow Labs. 

1. Foot Printing

Understand the business and compliance objectives of the service provider. In this phase, we prepare and agree upon a project timeline to conduct process walkthroughs and to perform the relevant assessments.

2. Initial Assessment

Understand Entity Level Controls - Assess the implementation of entity-level controls w.r.t Information security Implementation, roles and responsibilities, Risk Assessment, and Risk Mitigation programs. Perform Test of Design - Assessment of the IT systems and processes implemented vis-a-vis information security risks and operational risks.

3. Final Assessment

Perform Test of Operating Effectiveness: We perform sample-based testing of the controls implemented over a period of time.

4. RBI Compliant Reporting

The report will consist of the scope of work, nature of assessments performed, all the domains audited, the observations noted during the audit, the impact of the observations, and CBL recommendations for remediation.

RBI AUDITS Maintenance & Monitoring


As per RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, the cyber security audit needs to be performed by a CERT-In empanelled auditor.

Indian PSOs (Payment System Operators) operating as a Payment Aggregator (PA) or Payment Gateway (PG) will come under the purview of this assessment. 

Annual audit to be conducted and System Audit Reports (SAR) to be submitted to the respective Regional Office of DPSS, RBI, within two months of the close of their financial year

Yes, the RBI Circular on “System Audit of Payment Systems operated under the PSS Act” (Reference” DPSS.CO.OD.No. 1325/06.11.001/2019-20 dt: Jan 10, 2020) also needs to be considered for assessment. 

All domains under an Information Security Management System need to be covered under the cyber security audit by CERT-In empanelled auditor. Baseline Technology-related Recommendations mentioned in RBI guidelines are listed below. For more details please refer to Annexure 2 in RBI Circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020)

  1. Information Security Governance:
  2. Data Security Standards (PCI DSS, ISO 27001, etc. as applicable) 
  3. Security Incident Reporting
  4. Merchant Onboarding
  5. Cyber Security Audit and Reports
  6. Information Security
  7. IT Governance
  8. Enterprise Data Dictionary
  9. Risk Assessment
  10. Access to Application
  11. Competency of Staff
  12. Vendor Risk Management
  13. Maturity and Roadmap
  14. Cryptographic Requirement
  15. Forensic Readiness
  16. Data Sovereignty:
  17. Data Security in Outsourcing
  18. Payment Application Security



Talk With an Expert

Learn more about how crossbow labs can help protect your business. Contact us today.