What extra compliances does a company need to undertake if it wishes to start a payment gateway service in India? Does it make a difference if the company is a foreign funded company itself?
Let us first understand what a payment gateway is. A payment gateway is a merchant service provided by an e-commerce application service provider that authorizes credit card or direct payment processing for e-businesses, online retailers, bricks-and-clicks businesses, or traditional brick-and-mortar stores. In simple words, it is a third party between merchants and customers that safely takes the money from the customer and sends it to the merchant’s bank account. The term ‘merchant’ here refers to an entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
How does a payment gateway service work?
When a customer buys from an e-commerce site and makes payment through credit card, debit card or net banking, the site passes those payment details to the payment gateway company. Depending on the payment method:
- Net banking – the payment gateway firm engages directly with the customer’s bank to collect the money.
- Credit/debit card – the payment gateway company hands the card details over for verification to the banks it works with, which in turn check them with the Visa/MasterCard network. After the verification process, the card-issuing bank charges the customer and pays the payment gateway company.
If a company wishes to start a payment gateway service in India, then registration under Goods & Services Tax is mandatory, since providing a service is the core area of operation of a payment gateway. Thus, the company needs to acquire a Goods & Services Tax Registration Number. The second most important part is compliance with PCI DSS, which is required for any payment gateway. PCI DSS stands for Payment Card Industry Data Security Standard and applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
PCI DSS contains a widely accepted set of rules and regulations intended to optimize the security of credit, debit and cash card transactions and to protect cardholders against fraud. Its aim is to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with the focus on improving payment account security throughout the transaction process.
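The practical consequence of being "in scope" for PCI DSS is that every place where cardholder data is accepted, transmitted or stored becomes something an assessor will examine, so a gateway minimizes what it keeps. The following Python is an added example, not code from the article or from any gateway product: it shows the input validation, PAN masking, log redaction and storage-record construction a gateway component would apply so that the full card number and the CVV never land in logs or in its own database. The card number used is a constructed test value, and the token vault is a placeholder dictionary standing in for a real tokenization service.

```python
"""Added example: keeping a gateway's cardholder-data handling inside
PCI DSS expectations (never store CVV, never log or store the full PAN).
All values below are constructed for illustration."""
import re
import secrets
from dataclasses import dataclass

# Placeholder for a real token vault / tokenization service (assumption).
TOKEN_VAULT: dict = {}

# Matches a bare run of 13-19 digits, the usual PAN length range.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass
class CardInput:
    """Cardholder data as received from the merchant site."""
    pan: str
    expiry: str
    cvv: str


def luhn_valid(pan: str) -> bool:
    """Luhn check: cheap rejection of mistyped or fabricated card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, the most PCI DSS
    permits to be displayed; everything in between is masked."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_log_line(line: str) -> str:
    """Mask any full PAN that slipped into a log message before it is written."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), line)


def build_storage_record(card: CardInput) -> dict:
    """Produce the only record the gateway itself keeps after authorization.

    The CVV is deliberately absent (PCI DSS forbids storing it after
    authorization) and the PAN is replaced by a vault token plus a masked
    form suitable for receipts and support screens.
    """
    if not luhn_valid(card.pan):
        raise ValueError("card number failed Luhn check")
    token = secrets.token_hex(16)
    TOKEN_VAULT[token] = card.pan  # placeholder for the real vault
    return {
        "token": token,
        "masked_pan": mask_pan(card.pan),
        "expiry": card.expiry,
    }


if __name__ == "__main__":
    card = CardInput(pan="4111111111111111", expiry="12/30", cvv="123")
    rec = build_storage_record(card)
    print(rec)
    print(redact_log_line(f"auth attempt pan={card.pan} amount=10.00"))
```

The two checks worth carrying over to a real system are that the storage record has no CVV field at all (rather than an empty one) and that log redaction runs on every message, not only the ones a developer remembered to sanitize.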
Tools for assessing compliance with PCI DSS
- Qualified Assessors – The Council manages programs that facilitate the assessment of compliance with PCI DSS by Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scanning requirements by performing vulnerability scans of the internet-facing environments of merchants and service providers.
- Self-Assessment Questionnaire – A validation tool for eligible organizations that self-assess their PCI DSS compliance and are not required to submit a Report on Compliance (ROC).
While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement program. Each payment card brand has defined its own specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA.
If the company is itself a foreign-funded company, the PCI DSS compliance obligation is the same, because the DSS applies globally to all entities that store, process or transmit cardholder data. PCI DSS and the related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. In fact, the global demand for PCI expertise is growing in the USA, Europe, China, Hong Kong, Japan and elsewhere.