RBI - PA & PG
RBI SAR Assessment and Reporting based on Guidelines on Regulation of Payment Aggregators and Payment Gateways popularly known as RBI SAR for PA & PG.
CBL is a CERT-In empanelled auditor with 300+ customers in the Fintech industry.
Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries that play an important function in facilitating payments in the online space. In such a technology- and customer-experience-intensive business, entities with inadequate governance practices can become a source of risk, affecting customer confidence and experience.
The Reserve Bank of India (RBI) has tightened its supervision norms over payments companies storing and processing customer data. RBI's Department of Payment and Settlement Systems (DPSS) has issued a circular (Ref: RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020, Annexure 2) requiring Indian PSOs (Payment System Operators) to submit a board-approved System Audit Report (SAR), prepared by CERT-In empanelled auditors, by 31st May of every year.
Indian PSOs operating as a Payment Aggregator (PA) or Payment Gateway (PG) come under the purview of this assessment.
“PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.”
“PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.”
RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020
RBI PA & PG - Assessment Services
IS Audit Report and Cyber Security Audit Report with observations noted, if any, including corrective / preventive action planned with closure date.
Internal audit and reporting is required on a quarterly basis; this can be initiated well in advance of the annual SAR submission.
A due diligence process for incident management is required, with root cause analysis and preventive action undertaken for each incident.
Bespoke Advisory Solutions
Customised solutions based on the size of your organization. Our vast experience in cybersecurity consulting will help achieve your compliance with the RBI issued circulars.
As a CERT-In empanelled auditor, CBL is qualified to assess, consult, and issue RBI SAR reports for eligible entities.
CBL has extensive experience in the fintech space providing consulting, testing, and monitoring services to 300+ organizations in this space.
As an assessor for various compliance programs, CBL has a deep understanding of the process and security controls in PA and PG environments.
We have built a compliance management tool for managing standards as detailed as PCI DSS and ISO 27001. The RBI circulars are also built into this tool, which helps you organise your compliance management and maintenance over the entire compliance year.
RBI PA-PG Turnkey Services
Crossbow Labs can work with organisations from the inception of the processes to the implementation and maintenance of the controls, including periodic internal audits and compliance management services.
Approach - RBI Circulars
The Reserve Bank of India has defined the processes that CERT-In empanelled auditors like Crossbow Labs are required to follow.
RBI AUDITS Maintenance & Monitoring
RBI PA-PG FAQs
As per RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, the cyber security audit needs to be performed by a CERT-In empanelled auditor.
Indian PSOs (Payment System Operators) operating as a Payment Aggregator (PA) or Payment Gateway (PG) come under the purview of this assessment.
An annual audit is to be conducted and the System Audit Report (SAR) submitted to the respective Regional Office of DPSS, RBI, within two months of the close of the financial year.
Yes, the RBI Circular on "System Audit of Payment Systems operated under the PSS Act" (Reference: DPSS.CO.OD.No. 1325/06.11.001/2019-20 dated Jan 10, 2020) also needs to be considered for the assessment.
All domains under an Information Security Management System need to be covered in the cyber security audit by a CERT-In empanelled auditor. The Baseline Technology-related Recommendations in the RBI guidelines are listed below. For more details, please refer to Annexure 2 of RBI Circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020.
- Information Security Governance
- Data Security Standards (PCI DSS, ISO 27001, etc. as applicable)
- Security Incident Reporting
- Merchant Onboarding
- Cyber Security Audit and Reports
- Information Security
- IT Governance
- Enterprise Data Dictionary
- Risk Assessment
- Access to Application
- Competency of Staff
- Vendor Risk Management
- Maturity and Roadmap
- Cryptographic Requirement
- Forensic Readiness
- Data Sovereignty
- Data Security in Outsourcing
- Payment Application Security