• Apply for Authorisation: Non-bank PAs must apply for a Certificate of Authorisation (CoA) via RBI’s Pravaah portal. Entities already in PA-P (Payment Processing) must apply by 31 December 2025 or wind up by 28 February 2026.
• Net Worth Compliance: Maintain at least ₹15 crore at the time of application, rising to ₹25 crore within three years of authorisation.
• Business Objects: The Memorandum of Association (MoA) must specifically permit PA activities.

2. Governance & Fit and Proper Criteria 

• Ensure promoters, directors, and key management satisfy RBI’s fit and proper norms (integrity, financial soundness, reputation). 
• Any takeover, control change, or expansion into another PA category (PA-CB or PA-O) requires RBI intimation or prior approval.

• Conduct robust KYC checks for every merchant, leveraging CKYCR where possible. 
• Perform background checks, business verification, and transaction monitoring aligned with the merchant’s profile. 
• Perform background checks, business verification, and transaction monitoring aligned with the merchant’s profile. 

4. Escrow & Settlement Obligations

• Maintain dedicated escrow accounts for merchant funds with scheduled commercial banks. 
• For cross-border PAs, set up Inward Collection Accounts (InCA) and Outward Collection Accounts (OCA) as applicable. 
• Settlement timelines, permitted debits/credits, and core portion rules must be transparently reflected in PA–merchant agreements. 

5. Technology & Security Standards 

• Adopt a Board-approved Information Security Policy covering governance, cyber resilience, and incident response.
• Comply with baseline controls like PCI-DSS, PCI-SSF, encryption standards. 
• Conduct regular audits and VAPT assessments; submit reports to RBI when required. 
• Report security incidents promptly to RBI.

6. Customer & Merchant Protection 

• Implement a clear dispute resolution mechanism covering refunds, chargebacks, and failed transactions.
• PA–merchant agreements must define roles and responsibilities for refunds, settlements, and reconciliation. 
• Display grievance redressal details and escalation matrices publicly.

7. Reporting & Audit 

• Quarterly Reports: Auditor’s and bank’s certificates on escrow accounts, transaction statistics.
• Annual Reports: Net worth certifications, information security audits, corrective action reports. 
• Event-Based Reporting: Disclosure of board changes, control changes, or major security incidents. 

8. Internal Policies & Training 

• Update merchant contracts and policies (settlement, refunds, data protection).
• Train internal teams for compliance, onboarding, operations on new requirements
• Communicate key changes to merchants to ensure smoother adoption.