RBI Payment Aggregator Audit

Pass the annual PA system audit and file your SAR with RBI.

PA Master Direction

Gap assessment against RBI's PA rules

Annual System Audit

Full PA system and cybersecurity audit

SAR to RBI

System Audit Report filed with RBI

CERT-In Auditors

Empanelled, RBI-recognised auditors

RBI Payment Aggregator Audit compliance and audit

What it is

RBI's Payment Aggregator regime governs entities that collect and route digital payments on behalf of merchants. PAs must hold authorisation, ring-fence funds, meet data-security standards and undergo annual system and cybersecurity audits, producing a System Audit Report (SAR) for RBI.

Who must comply

Authorised online payment aggregators, with the 2025 Master Direction extending toward offline PAs. Pure gateways face baseline security expectations.

How IntelligenceX helps

CERT-In-aligned PA system audit
PCI-DSS readiness, gap and VAPT
SAR in RBI-prescribed format
Escrow and fund-flow controls review, remediation and re-audit
Merchant-onboarding and KYC control review
Card-data storage and tokenisation compliance check
Gap Assessment, ISMS Design, Internal Audit, Stage 1 & 2 Support, Remediation Guidance, Certification Readiness

Frequently Asked Questions

The System Audit Report is the RBI-mandated annual deliverable confirming a PA's systems, security and fund-handling meet RBI's PA Master Direction. It must be produced by a CERT-In empanelled auditor.

RBI requires PCI-DSS / PA-DSS and current encryption and tokenisation standards as part of the data-security baseline, and restricts card-data storage.

Annually. RBI expects authorised payment aggregators to undergo a system and cybersecurity audit each year by a CERT-In empanelled auditor and to submit the resulting System Audit Report. We plan it to align with your authorisation and reporting cycle.

Talk to a security expert today

Whether you need a penetration test, an audit, or 24/7 monitoring, our team is ready across the UK, USA, EU and India.