CERT-In Empanelled — Mandatory auditor credential for RBI PA-PG system audits

RBI Payment Aggregator and Payment Gateway (PA-PG) Audit

An annual system audit, including a cybersecurity audit, conducted by CERT-In empanelled auditors and mandated under the RBI 2025 PA Master Direction. Security Brigade delivers regulator-ready PA-PG compliance with technical depth that goes beyond checkbox audits.

PA + PG
Audit Coverage
RBI-Aligned
Methodology
370+
BFSI Engagements
Since 2008
CERT-In Empanelled

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Assess

We map your payment aggregator or gateway operations against every RBI PA Master Direction requirement. This includes merchant onboarding controls, escrow and settlement flows, payment data handling, technology baseline, and cybersecurity posture. You receive a detailed gap assessment with risk ratings.

STEP 02

Remediate

Our team provides practical, implementation-ready remediation guidance for every identified gap. We work directly with your CTO, DevOps, compliance, and product teams to close findings. Lemon tracks every remediation item with owners, deadlines, evidence requirements, and closure status.

STEP 03

Certify

Once all gaps are closed and validated, we deliver the final PA-PG System Audit Report in the format required by RBI. This includes the cybersecurity audit report, control matrix, data-flow annexures, and board-ready summary. The report is ready for regulatory submission.

What Is the RBI PA-PG Audit?

The RBI PA-PG audit is an annual system audit mandated under the RBI 2025 PA Master Direction for all authorized Payment Aggregators in India. It must be conducted by a CERT-In empanelled auditor and covers merchant onboarding, escrow controls, payment data handling, cybersecurity posture, and technology baseline controls.

Who Needs an RBI PA-PG Audit?

Applicability, key requirements, and control areas covered under the PA Master Direction

Authorized Payment Aggregators

Entities holding RBI authorization to facilitate payment transactions between merchants and customers through pooling and settlement.

PA Applicants Seeking RBI Authorization

Organizations applying for a PA license that must demonstrate compliance readiness as part of the authorization process.

Payment Gateway Providers

Technology infrastructure providers supporting payment aggregation flows, including merchant integration, transaction routing, and settlement systems.

Merchant Onboarding and KYC Controls

Review of merchant due diligence, KYC verification, risk categorization, ongoing monitoring, and de-boarding processes.

Escrow and Settlement Flow Controls

Validation of escrow account management, settlement timelines, fund segregation, reconciliation, and compliance with RBI settlement directions.

Payment Data Handling and Localization

Verification that all payment data including customer data, payment credentials, and transaction data is stored exclusively in India per RBI requirements.

Cybersecurity Audit Requirements

Dedicated cybersecurity audit covering vulnerability assessment, penetration testing, security configuration, incident response, and alignment with RBI cyber framework.

Baseline Technology Controls

Access control, encryption, key management, logging, monitoring, change management, backup, disaster recovery, and vendor management controls.

Governance and Board Reporting

Board and IT committee oversight, security audit reporting cadence, incident escalation, and management accountability for compliance posture.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Scoping and Regulatory Mapping

We begin by mapping your PA or PG operations against every requirement in the RBI PA Master Direction. This includes identifying systems in scope such as applications, APIs, infrastructure, databases, cloud environments, third-party integrations, payment flows, and data stores. Scope is documented and agreed before fieldwork begins.

02

Architecture and Data-Flow Review

We document your complete payment data flow from merchant integration through transaction processing, escrow management, settlement, refund, and dispute handling. This includes data localization verification ensuring payment data resides exclusively in India across production, backups, DR, logs, analytics, and third-party processors.
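The data localization check described above can be automated against an asset inventory. The following is an added example, not code from Security Brigade or from the Lemon platform: it assumes a simple inventory (constructed below) listing every store that touches payment data across production, replicas, backups, DR, logs, analytics and third-party processors, and flags any store that is not provably hosted in India. The per-provider region allowlist uses public AWS, Azure and GCP region identifiers; treating it as complete, and the `DataStore` / `Finding` shapes, are assumptions of this example.

```python
"""Data-residency inventory check for the PA-PG data localization control.

Added example, not Security Brigade's or Lemon's code. It assumes an
inventory of every store holding payment data and flags anything that is
not provably in an India region. Region names are the public identifiers
used by AWS, Azure and GCP; treating them as the complete allowlist is an
assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of India-hosted regions per cloud provider.
INDIA_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},
    "azure": {"centralindia", "southindia", "westindia"},
    "gcp": {"asia-south1", "asia-south2"},
}

# Store kinds the data-flow review expects to see covered; a kind that is
# absent from the inventory is itself a finding (the data flow is incomplete).
EXPECTED_KINDS = {"production", "replica", "backup", "dr", "logs", "analytics", "third_party"}


@dataclass
class DataStore:
    name: str
    kind: str                      # one of EXPECTED_KINDS
    provider: str                  # "aws", "azure", "gcp", "onprem" or "vendor"
    region: Optional[str]          # None when residency has never been recorded
    holds_payment_data: bool = True
    attested: bool = False         # on-prem/vendor stores need a written residency attestation


@dataclass
class Finding:
    store: str
    severity: str                  # "high" = data outside India, "medium" = cannot be proven
    reason: str


def check_data_residency(inventory: list[DataStore]) -> list[Finding]:
    """Return findings for stores that violate, or cannot prove, India-only storage."""
    findings: list[Finding] = []
    for s in inventory:
        if not s.holds_payment_data:
            continue
        if s.provider in INDIA_REGIONS:
            # Cloud store: residency is decided by the region tag.
            if s.region is None:
                findings.append(Finding(s.name, "medium", "cloud store has no region recorded"))
            elif s.region not in INDIA_REGIONS[s.provider]:
                findings.append(Finding(s.name, "high", f"hosted in non-India region {s.region}"))
        else:
            # On-prem or vendor-hosted: residency is proven by attestation, not a region tag.
            if not s.attested:
                findings.append(Finding(s.name, "medium", "no data-residency attestation on file"))
            elif s.region is not None and s.region.upper() != "IN":
                findings.append(Finding(s.name, "high", f"attested location {s.region} is outside India"))
    # Coverage check: every expected kind of store must appear in the inventory.
    covered = {s.kind for s in inventory if s.holds_payment_data}
    for missing in sorted(EXPECTED_KINDS - covered):
        findings.append(Finding("<inventory>", "medium", f"no {missing} store listed for payment data"))
    return findings


# Constructed sample inventory for this example; names and regions are made up.
SAMPLE_INVENTORY = [
    DataStore("txn-db-primary", "production", "aws", "ap-south-1"),
    DataStore("txn-db-replica", "replica", "aws", "ap-southeast-1"),   # cross-region read replica
    DataStore("nightly-backups", "backup", "aws", "ap-south-2"),
    DataStore("dr-site", "dr", "azure", "southindia"),
    DataStore("app-logs", "logs", "gcp", None),                         # region never recorded
    DataStore("bi-warehouse", "analytics", "gcp", "asia-south1", holds_payment_data=False),
    DataStore("card-tokenizer-vendor", "third_party", "vendor", "SG", attested=True),
    DataStore("fraud-scoring-vendor", "third_party", "vendor", None),
]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, for the gap-assessment summary."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in check_data_residency(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.store}: {f.reason}")
    print(summarize(check_data_residency(SAMPLE_INVENTORY)))
```

On the constructed inventory the check raises two high findings (a replica and a vendor outside India) and three medium findings (an unrecorded log region, a vendor without attestation, and no analytics store holding payment data in the inventory). The split between "outside India" and "cannot be proven" matters for the audit: the first is a non-compliance, the second is an evidence gap that the auditee can close by recording the region or obtaining the attestation.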

Testing
03

Control Assessment and Evidence Review

We validate each control area against the PA Master Direction requirements: merchant onboarding KYC, escrow controls, settlement flows, card and payment data handling, PCI-DSS/PA-DSS relevance, baseline technology controls, access management, encryption, key management, change management, backup, DR, and vendor controls. Evidence is collected and mapped in Lemon.

04

Cybersecurity Audit and VAPT

The dedicated cybersecurity audit component covers vulnerability assessment, penetration testing of payment applications and APIs, security configuration review, network segmentation validation, incident response readiness, and alignment with the RBI cyber security framework. Testing is executed through our B-52 audit engine for consistent coverage.

Delivery
05

Gap Assessment and Remediation Support

Every non-compliance and control gap is documented with risk rating, evidence expectation, and practical remediation guidance. We work with your CTO, engineering, security, and compliance teams to close gaps. Lemon tracks each item through to closure with validation evidence.

06

Report Delivery and Regulatory Submission

We deliver the final PA-PG System Audit Report including the cybersecurity audit report, control matrix, data-flow annexures, technical findings, and board-ready executive summary. The report is structured for RBI submission and includes the closure validation pack confirming all identified gaps have been addressed.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019

Read more client stories →

The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

[Lemon dashboard mock: project PRJ-2847, coverage validation for acmecorp.com, 94% covered; endpoints 247 / 263, parameters 1,847, auth flows 12 / 12, JS routes 38 / 41; AI flagged 3 undiscovered endpoints (/api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck); review layers L1 complete, L2 in review, L3 pending]

Lemon: Audit Workflow and Evidence Management

Every PA-PG audit control, evidence artifact, remediation ticket, and closure validation is managed through Lemon. Your compliance and engineering teams get a single dashboard showing audit progress, open items, ownership, and deadlines. No spreadsheets, no email threads, no evidence gaps.

B-52: AI-Powered Cybersecurity Testing

The cybersecurity audit component runs through B-52, our AI-powered audit engine. B-52 tests payment applications, APIs, merchant portals, admin interfaces, and infrastructure with 90-95 percent vulnerability coverage. Every finding is verified as exploitable before reporting, eliminating false positives.

ShadowMap: Continuous Attack Surface Monitoring

Post-audit, ShadowMap provides continuous monitoring of your payment infrastructure, exposed services, domains, leaked credentials, dark web exposure, and third-party risks. The audit gives you a point-in-time snapshot. ShadowMap ensures you stay compliant between annual audits.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

Merchant Onboarding and KYC Review
GRC and compliance consulting team valid
Escrow and Settlement Flow Validation
System audit team reviews escrow account
Payment Application and API Security
Application security team performs penet
Network and Infrastructure Assessment
Infrastructure security team conducts vu
Data Localization and Storage Verification
Audit team verifies payment data residen
Cybersecurity Audit and RBI Cyber Framework Alignment
Cybersecurity audit component validates
PCI-DSS Relevance and Card Data Handling
Where PAs handle card data, Security Bri
Board and IT Committee Governance Reporting
Executive summary and board-ready presen

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

Annual PA-PG System Audit Report

The primary regulator-submission document structured per RBI 2025 PA Master Direction format, covering scope, systems reviewed, audit period, methodology, observations, compliance status, and auditor conclusion.

Cybersecurity Audit Report

Dedicated cybersecurity audit report covering VAPT findings, security configuration review, incident response assessment, and alignment with RBI cybersecurity framework requirements.

Control Matrix with Evidence Mapping

Detailed control matrix mapping each RBI PA-PG requirement to evidence collected, compliance status, auditor observations, and management comments.

Data-Flow and Data-Localization Annexure

Complete documentation of payment data flows, storage locations, third-party processing, backup and DR data residency, and India-only storage verification evidence.

Gap Assessment with Risk-Ranked Remediation Tracker

Every identified non-compliance documented with risk rating, evidence expectation, remediation guidance, owner assignment, target closure date, and validation status tracked in Lemon.

VAPT and Application Security Testing Reports

Technical annexures covering vulnerability assessment, penetration testing, API security testing, and application security findings with proof-of-concept evidence and CVSS scores.

Closure Validation Report

Post-remediation validation report confirming all identified gaps have been closed with evidence. This is the clean compliance version ready for RBI submission with no open findings.

Board and IT Committee Summary Deck

Executive presentation summarizing audit findings, compliance posture, risk areas, remediation progress, and recommended governance actions for board and IT committee reporting.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

See the full ShadowMap platform. 30-day POC available: Platform Only, Service Only, or Hybrid.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is the RBI PA-PG audit and who needs it?

The RBI PA-PG audit is an annual system audit mandated under the RBI 2025 PA Master Direction for all authorized Payment Aggregators in India. It must be conducted by a CERT-In empanelled auditor and covers merchant onboarding, escrow controls, payment data handling, cybersecurity posture, and technology baseline. Payment Aggregators holding or applying for RBI authorization and Payment Gateways supporting PA operations need this audit.

Is a CERT-In empanelled auditor mandatory for PA-PG audits?

Yes. The RBI 2025 PA Master Direction specifically requires the annual system audit including cybersecurity audit to be conducted by CERT-In empanelled auditors. Audit reports from non-empanelled auditors will not be accepted by RBI. Security Brigade holds active CERT-In empanelment, making our audit reports eligible for regulatory submission.

How is the PA-PG audit different from the RBI cybersecurity framework audit?

The PA-PG audit is a comprehensive system audit covering the full scope of Payment Aggregator operations including merchant onboarding, escrow management, settlement flows, payment data handling, and governance, in addition to cybersecurity controls. The RBI cybersecurity framework audit focuses specifically on cybersecurity posture and controls. The PA-PG audit includes a cybersecurity audit component but has a significantly broader scope covering operational and regulatory compliance.

How often must the PA-PG audit be conducted?

The RBI PA Master Direction mandates an annual system audit including cybersecurity audit. This means Payment Aggregators must undergo the complete audit every year. Security Brigade recommends aligning the audit cycle with your financial year and board reporting calendar to ensure timely submission and governance oversight.

What happens if a Payment Aggregator fails the PA-PG audit?

Failure to pass the PA-PG audit or non-compliance with the PA Master Direction can result in RBI enforcement actions including monetary penalties, directions to cease onboarding new merchants, restrictions on processing, or revocation of PA authorization. Additionally, acquiring bank partners and payment networks may require compliance evidence, making non-compliance a direct business risk.

Does the PA-PG audit cover data localization requirements?

Yes. Data localization is a critical component of the PA-PG audit. RBI requires all payment data including customer data, payment-sensitive data, payment credentials, and transaction data to be stored exclusively in India. The audit verifies data residency across production systems, database replicas, logs, backups, disaster recovery environments, analytics stores, and third-party processors.

How long does a PA-PG audit take from start to report delivery?

A typical PA-PG audit engagement takes 5 to 6 weeks from scoping through final report delivery. This includes regulatory mapping, architecture review, control assessment, VAPT execution, gap identification, remediation support, and closure validation. Timelines can vary based on the complexity of your payment operations and the number of systems in scope.

Is PCI-DSS compliance required as part of the PA-PG audit?

The PA Master Direction references PCI-DSS and PA-DSS relevance for Payment Aggregators handling card data. If your PA processes, stores, or transmits cardholder data, PCI-DSS compliance becomes relevant within the PA-PG audit scope. Security Brigade assesses PCI-DSS relevance as part of the integrated audit and can provide separate PCI-DSS gap analysis and readiness consulting if required.

Can Security Brigade help with remediation or only the audit?

Security Brigade provides end-to-end support including remediation guidance and closure validation. Unlike audit-only firms that hand you a findings report and walk away, we work directly with your engineering, DevOps, and compliance teams to close identified gaps. Every remediation item is tracked through Lemon with owners, deadlines, evidence requirements, and validation status.

What if we are a Payment Gateway and not a Payment Aggregator?

Payment Gateways that provide technology infrastructure for payment aggregation are also within the scope of the PA Master Direction. While the primary authorization and audit obligations fall on Payment Aggregators, PGs supporting PA operations must demonstrate compliant technology controls, security posture, and data handling practices. Security Brigade audits both PAs and PGs under the same framework.

Ready to Get PA-PG Compliant?

Talk to our compliance team about your annual PA-PG system audit requirements

Typically responds within 1 business day · No commitment required

Request a Scoping Call