For any e-commerce setup (website, app, marketplace seller, subscription SaaS), the payment layer is the most regulated and security-sensitive component. In India, payments usually involve:
Payment Gateway (PG): the technical rails that connect your checkout to payment networks (cards, netbanking, UPI, wallets).
Payment Aggregator (PA): the regulated entity that onboards merchants, manages collections, settlement, risk monitoring, dispute handling, and compliance.
This Knowledge Base article covers:
Payment gateway/aggregator companies operating in India
How they typically operate and what registrations/norms apply (RBI + card security)
How to procure/select a gateway “on what grounds”
How to “claim” payment gateway expenses (commonly GST ITC + audit-ready documentation)
Step-by-step implementation with practical examples and code
Note: This is a technical + compliance guide (not legal advice). Confirm final tax treatment (especially cross-border) with your CA/tax advisor.
Razorpay
PayU
Cashfree
CCAvenue (Infibeam Avenues)
BillDesk (IndiaIdeas)
Paytm Payments Gateway
PayPal (cross-border context)
Stripe India
Pine Labs (Plural)
Instamojo
MobiKwik
Juspay (often used as an orchestration layer with multiple PSP/PA rails)
A market landscape list including many of the above is published by industry research sources.
Some providers publicly display “RBI authorised” status for specific authorisations (example: Cashfree lists RBI authorisation numbers for PA/cross-border).
RBI also publishes its own reference to the PA/PG guidelines and related notifications.
RBI issued Guidelines on Regulation of Payment Aggregators and Payment Gateways (dated March 17, 2020).
Practical takeaway for merchants (you):
Your provider may be a regulated PA (merchant onboarding + settlement) and may also provide the “gateway” tech.
You should verify whether your provider is operating under the RBI framework (directly or via a regulated partner).
UPI is operated by NPCI, which defines roles, responsibilities, and participation requirements for PSPs/TPAPs, including dispute handling and operational standards.
If your e-commerce accepts card payments, PCI DSS is the baseline security standard for environments that store/process/transmit card data.
Important implementation rule:
Use hosted checkout / redirect / tokenization so your servers never touch cardholder data; this typically reduces your PCI scope (e.g., PCI eCommerce guidance discusses outsourced implementations such as SAQ A scenarios).
Payment providers generally operate through:
Indian incorporated entity (Pvt Ltd/LLP) issuing GST invoices
Indian reseller/partner issuing GST invoices (less common for core gateways; more common for tooling bundles)
Cross-border contracting entity for international acceptance/export flows (requires extra tax/compliance attention)
Legal name of billing entity and contract entity match
GSTIN (if India invoicing) is valid and belongs to the entity
RBI authorisation/operating compliance claims are verifiable (where applicable)
Support and escalation contacts are documented
Signed agreement includes: settlement timelines, chargeback/dispute policy, termination, data retention
Typical KYC/KYB requirements include:
Entity documents: COI/LLP deed/shop establishment (as applicable), PAN, GSTIN
Bank account proof (cancelled cheque)
Director/partner KYC
Website/app details and business model description
Refund/return policy and customer support details
RBI PA/PG guidelines place strong emphasis on merchant onboarding, monitoring, and risk controls by PAs.
Settlement T+1/T+2 (varies by mode/provider)
Refund processing workflow (full/partial, to source)
Chargeback/dispute workflow (cards) and UPI dispute process
Webhook support (payment success/failure/refund/chargeback)
Idempotency and duplicate payment handling
Strong reconciliation exports (CSV/API), order-to-payment mapping
UPI intent/collect flows, recurring mandates (if subscription)
Use these grounds for approvals, audits, and rational vendor selection:
Payment mode coverage: UPI, cards, netbanking, wallets, EMI, international (if required)
Reliability: uptime, low payment failures, retry logic support
Faster settlement and clear reconciliation to reduce finance workload
Provider’s adherence to RBI PA/PG framework (as applicable)
PCI DSS-aligned approach via hosted checkout/tokenization (reduced card-data exposure)
Dispute/chargeback process maturity and documented SLAs
Clean APIs, SDKs, plugins (Shopify/WooCommerce/Magento/custom)
Webhook signature verification support
Fraud controls (velocity checks, device fingerprinting, rules)
Transparent fee model (MDR/PG fees + GST)
Refund fees, chargeback fees, international FX markups
Cost of operations: time saved in reconciliation and support tickets
Business model: retail, services, subscriptions, marketplaces
Needed methods: UPI, cards, netbanking, EMI, international
Risk profile: high-risk categories may face onboarding restrictions
Direct PA/PG (single provider)
Orchestration (multiple gateways behind one layer for higher success rate)
Store:
Signed agreement, SLA, pricing annexure
KYC approval confirmation
Settlement terms and dispute policy
Choose one:
Hosted checkout page (recommended for PCI scope reduction)
Drop-in UI + tokenization
Direct API (avoid handling card data yourself)
Webhooks for payment/refund events
Daily reconciliation: provider report vs your orders vs bank settlement
Success, failure, timeout, pending flows
Duplicate clicks (idempotency)
Refund full/partial
Chargeback simulation (where possible)
Webhook signature validation
import crypto from "crypto";
import express from "express";
const app = express();
// IMPORTANT: use raw body for signature verification
app.use(express.raw({ type: "application/json" }));
app.post("/webhook/payment", (req, res) => {
const secret = process.env.WEBHOOK_SECRET;
const signature = req.header("X-Signature"); // header name varies by provider
const payload = req.body; // raw buffer
const expected = crypto
.createHmac("sha256", secret)
.update(payload)
.digest("hex");
if (signature !== expected) {
return res.status(401).send("Invalid signature");
}
// Process event safely (idempotent)
const event = JSON.parse(payload.toString("utf-8"));
// TODO: update order status based on event.type and event.data
return res.status(200).send("OK");
});
app.listen(3000);
Most businesses mean:
Claim GST Input Tax Credit (ITC) on gateway/PA fees (if eligible)
Keep audit-ready evidence for finance/statutory audit
Section 16 of the CGST Act sets the base entitlement and conditions for ITC on supplies used in the course/furtherance of business, subject to conditions.
You are GST registered and the service is used for business
You have a valid tax invoice from the provider/reseller (with correct GSTIN fields)
You can evidence receipt of service (monthly statement, dashboard export)
Reconcile charges monthly and retain proof of payment
What usually carries GST?
Gateway fees / platform fees / subscription fees (provider invoice typically shows GST)
If you’re billed by a foreign entity, tax treatment can differ—handle via CA.
Provider invoices + credit notes (if any)
Settlement reports
Order vs settlement reconciliation
Refund and chargeback logs
Webhook event logs (summarized) for disputed periods
Fix
Enable multi-gateway routing or fallback
Implement retries for “pending” UPI status (with safe idempotency)
Reduce friction: optimize checkout page load and payment method ordering
Fix
Use Idempotency-Key on order/payment creation
Ensure order status transitions are atomic (DB transaction/locking)
Fix
Always implement “status pull” reconciliation job:
If no webhook received in X minutes, query payment status via API
Keep webhook endpoint highly available; retry-safe handlers
Fix
Always reconcile on:
Provider payment ID ↔ your order ID
Fees, taxes, net settlement amount
Account for refunds, chargebacks, and T+ settlement delays
Fix
Maintain a chargeback register with deadlines and evidence links
Automate notifications for response windows
Use hosted checkout/tokenization to minimize PCI scope
Enforce least privilege for dashboard access + MFA
Never log full card numbers, CVV, or sensitive tokens
Validate webhook signatures (HMAC) and reject unsigned requests
Store API keys in a secrets manager; rotate keys periodically
Use TLS everywhere and restrict webhook endpoint by IP allowlist if supported
Start with hosted checkout for fastest, safest deployment
Make all payment operations idempotent
Implement both webhooks + scheduled reconciliation
Maintain a monthly compliance/audit folder
Prefer providers with clear RBI-aligned operating posture and mature dispute handling
Keep PCI scope low by outsourcing card data handling to compliant processors
Payment gateways and aggregators are foundational e-commerce tools in India, combining regulated onboarding, secure transaction processing, and settlement operations. A solid implementation is one that:
selects providers based on coverage, reliability, compliance posture, and reconciliation maturity,
integrates using secure patterns (hosted checkout, webhook verification, idempotency),
and maintains clean documentation for GST ITC and audits under Section 16 principles.
#EcommerceIndia #PaymentGateway #PaymentAggregator #RBICompliance #UPI #NPCI #Cards #NetBanking #Checkout #HostedCheckout #Tokenization #PCIDSS #SAQA #Webhooks #HMAC #Idempotency #Reconciliation #Settlement #Refunds #Chargebacks #Disputes #MerchantOnboarding #KYC #KYB #APIs #FinTech #PaymentSecurity #MFA #LeastPrivilege #SecretsManagement #KeyRotation #FraudPrevention #RiskControls #MultiGateway #PaymentOrchestration #SuccessRate #AccountingIntegration #GST #ITC #Section16 #TaxInvoice #AuditReady #WooCommerce #Shopify #Magento #CrossBorderPayments #ComplianceChecklist
