A payment gateway is a financial service that reads payment cards (like debit card, credit card, net-banking and payment through your e-wallet, etc.), payment gateways refer to software and servers that transfer transaction info to acquiring banks and responses from issuing banks. Essentially, payment gateways facilitate communication within banks.
A payment gateway performs as an intermediary between the payment receivers and facilitates the transaction via the customer's bank account. Such a facility collects the information from the buyer's bank and supplies this information to the receiving bank.

How to get a Payment Gateway License in India?

Security is an essential component of all payment gateways, as sensitive information such as credit/debit card numbers need to be secured from any fraudulent possibilities. The card associations have formed a set of guidelines and security standards, which must be followed by the payment gateway providers. This set of instructions and security standards is recognized by the name of Payment Card Industry Data Security Standard (PCI-DSS or PCI).

PCI Audit and Final Certification Activity

• PCI DSS Scoping & Gap Assessment
• PCI DSS Formal Risk Assessment
• PCI DSS Policy & Procedure Review, Template sharing
• PCI DSS Final Audit & Certification
• PCI DSS Final Certificate Report Attestation & Issuance (ROC, AOC, COC)
• Application Security Testing/VAPT for 2 applications Web, Android & iOS
• Application Secure Code Review for 2 applications Web, Android & iOS
• ASV Scan for up to 5 IP’s (Pre-certification)
• Internal VA for up to 10 IP’s (Pre-certification)
• External Penetration Test for 5 IP’s(Pre-certification)
• Internal Penetration Test for 10 IP’s (pre-certification)

Infrastructure Setup

• OS Hardening
• DB Hardening
• Patches Update
• DMZ and Internal Zone
• Centralized Antivirus Server
• NTP Server
• FIM Server
• MFA Server
• VPN Setup
• Firewall Rules

Network Architecture Diagram Documentation

• Firewall Configuration Policy
• DMZ & Internal
• Asset Inventory Detail
• Antivirus Policy
• Patch Management Policy
• Change Control Policy
• DB Access Policy
• Physical Security Policy
• Security Logs and Events Policy
• Backup Policy
• Data Retention and Disposal Policy
• Data Control and Access Control Policy
• Password Policy
• PCI DSS Awareness Training Policy

A payment gateway executes a significant role in processing and allows the payment or transactions between customers and merchants.

A payment gateway encodes sensitive details of payment such as credit/debit cards number. A payment gateway technology shall ensure the information is passed securely between customers and merchants. Below are the basic steps on how it works:

• Step1:  A buyer will book an order on the website by submitting the order, checkout from the cart, etc.
• Step2:  Merchant initiates the transfer order information to the payment gateway and chooses their preferred payment method. The transaction is then directed to the issuing bank or the 3D secure page to request transaction authentication.
• Step3:  Once the authentication process is successful, the transaction is then approved or declined (subject to funds available in the customer’s account) by the issuing bank or card (MAESTRO, VISA, MASTER, American Express)
• Step4:  The payment gateway facility sends a message to the merchant accordingly.
• Step5:  Post verification bank settles the money to the merchant.

To obtain the payment wallet license, an entity shall be registered under the Companies Act, 1956 or the Companies Act, 2013

• Proof of position of the business
• Detailed business plan along with review model
• A minimum of two members or directors
• PAN and Current Account of the company
• Testing Report by Software certifying agency  describing System Flow and Code
• Compliance with PCI DSS