
How to Create a Payment Gateway in India: Requirements, Steps & Legal Compliance


By Ram Nethaji

Founder

Building a payment gateway in India is one of the most complex fintech challenges, involving RBI regulations, PCI-DSS compliance, banking partnerships, and real-time transaction systems. It goes far beyond just development and requires long-term operational commitment.

India processed over 14 billion UPI transactions in a single month in 2025, showing how deeply digital payments are embedded in everyday commerce. Because of this scale, many businesses are now considering whether to build their own gateway instead of relying on third-party providers.

The decision depends on transaction volume, business model, and the team’s ability to manage compliance and infrastructure. A well-executed gateway can improve margins and control, while a poorly planned one can become costly and difficult to sustain.

This guide explains how payment gateways work, the regulatory landscape in 2026, the build process, costs, and key challenges. 

What Exactly Is a Payment Gateway?

Many people confuse payment gateways, processors, and aggregators, but each serves a different role.

A payment gateway is the layer between a merchant’s checkout and banking systems. It captures payment details, encrypts them, and routes the transaction for approval within seconds.

A payment processor handles the backend communication between the gateway, acquiring bank, and issuing bank to complete the transaction.

A payment aggregator is a licensed entity that collects payments for multiple merchants and settles funds to them. Companies like Razorpay and PayU operate under this model.

In India, building a gateway often means building the full system including checkout, processing, and bank integrations. Businesses serving other merchants also need an RBI Payment Aggregator license.

How a Transaction Actually Works

Before building a gateway, it helps to understand exactly what it does during a live transaction. Here is what happens in the 2 to 3 seconds between a customer clicking “Pay Now” and seeing a confirmation on screen:

Customer submits payment

Card, UPI, or wallet details are entered on the merchant’s checkout page. For card payments this is a card-not-present (CNP) transaction, which is what triggers the 2FA and fraud-screening rules described below.

Encryption and tokenization

Payment data is protected in transit with TLS (PCI-DSS no longer accepts SSL or early TLS versions, so TLS 1.2 or later in practice). For saved cards, the raw card number is exchanged for a token issued by the card network, so the gateway stores and later charges the token rather than the PAN. Encryption in transit and tokenization at rest are separate controls, and a gateway needs both.

Authorization request to the payment processor

Encrypted data is forwarded to the payment processor, which communicates with the acquiring bank (merchant’s bank) and the relevant card network (Visa, MasterCard, RuPay).

Issuing bank approves or declines

The customer’s bank checks available balance, fraud risk signals, and 2FA (OTP in India). An approval or decline code is returned to the processor.

Response returned to merchant

The gateway receives the authorization response and updates the merchant’s checkout page in real time. The merchant’s backend should treat the gateway’s signed server-to-server callback or a status API query, not the browser redirect, as the authoritative result before fulfilling the order.

End-of-day settlement

Approved transactions are batched and submitted to the acquiring bank for settlement. Funds reach the merchant’s account on an agreed schedule, typically T+1 or T+2 for cards. UPI moves money between bank accounts instantly, but a merchant paid through an aggregator still receives its payout on the agreed settlement cycle.

India-specific note: RBI’s card-on-file tokenization guidelines (issued in 2021 and enforced from 1 October 2022) require all entities except card issuers and card networks to purge stored card data. Any gateway keeping card-on-file (CoF) data for recurring or one-click payments must store a network-issued token instead of the PAN. It is a compliance requirement, not a design choice.
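The steps above in code, as an added example written for this article rather than code from any real gateway. It shows the card-data discipline the tokenization rule implies: the gateway keeps only a network-issued token and the last four digits, scrubs anything PAN-shaped before it reaches a log, and charges the token after the OTP step without ever detokenizing itself. The NetworkTokenService is a constructed stand-in for the card network’s tokenization API, the BIN prefixes are a rough routing hint rather than a BIN table, and the card numbers are public test PANs.

```python
"""Card data handling at checkout: what a gateway may keep and what it must not.

Added example for this article, not the code of any real gateway. The
NetworkTokenService is a constructed stand-in for the card network's
card-on-file tokenization API (RuPay/Visa/Mastercard issue the real tokens);
the card numbers used are public test PANs, and the OTP step is simulated.
"""
import re
import secrets
from dataclasses import dataclass, field

# Anything that looks like a 13-19 digit PAN. Used to scrub logs and to audit storage.
PAN_PATTERN = re.compile(r"(?<![\w])\d{13,19}(?![\w])")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped numbers before any network call is made."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the last four digits, the most a checkout log or receipt needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(line: str) -> str:
    """Scrub PAN-shaped digit runs from a log line before it is written anywhere."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), line)


def detect_network(pan: str) -> str:
    """Rough BIN-prefix routing hint (constructed, not a full BIN table)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"60", "65", "81", "82"}:
        return "rupay"
    return "unknown"


class NetworkTokenService:
    """Stand-in for the card network. It alone holds the token -> PAN mapping."""

    def __init__(self) -> None:
        self._mapping: dict[str, tuple[str, str, str]] = {}

    def tokenize(self, pan: str, expiry: str, merchant_id: str) -> str:
        for token, entry in self._mapping.items():  # same card + merchant -> same token
            if entry == (pan, expiry, merchant_id):
                return token
        token = "tok_" + secrets.token_hex(12)
        self._mapping[token] = (pan, expiry, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount_paise: int, afa_passed: bool) -> str:
        """Issuer-side decision, simulated: token must be bound to this merchant and AFA done."""
        entry = self._mapping.get(token)
        if entry is None or entry[2] != merchant_id:
            return "declined:token_not_bound_to_merchant"
        if not afa_passed:
            return "declined:afa_required"
        return "approved:" + secrets.token_hex(3)


@dataclass
class StoredCard:
    token: str
    last4: str
    expiry: str
    network: str


@dataclass
class Gateway:
    network: NetworkTokenService
    vault: dict = field(default_factory=dict)   # merchant_id -> [StoredCard]
    log: list = field(default_factory=list)

    def save_card(self, merchant_id: str, pan: str, expiry: str) -> StoredCard:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        token = self.network.tokenize(pan, expiry, merchant_id)
        card = StoredCard(token, pan[-4:], expiry, detect_network(pan))
        self.vault.setdefault(merchant_id, []).append(card)
        # The PAN lives in this local variable only; the log line is scrubbed before storage.
        self.log.append(redact(f"card {pan} saved for {merchant_id} as {token}"))
        return card

    def charge(self, merchant_id: str, token: str, amount_paise: int, otp_ok: bool) -> str:
        # The gateway never detokenizes: the network/issuer does, after the OTP (AFA) step.
        result = self.network.authorize(token, merchant_id, amount_paise, afa_passed=otp_ok)
        self.log.append(redact(f"auth {token} {amount_paise} -> {result}"))
        return result


def storage_holds_no_pan(gw: Gateway) -> bool:
    """Audit helper: nothing PAN-shaped may appear in the vault or in the logs."""
    blob = repr(gw.vault) + "\n" + "\n".join(gw.log)
    return PAN_PATTERN.search(blob) is None
```

The audit helper is the part worth copying: the most common PCI-DSS finding in gateways is not a missing cipher but a full PAN in an application log, an exception trace, or a support ticket, and a regex sweep over everything that is written at rest is a cheap way to catch it in CI.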


Should You Build Your Own Payment Gateway?

Most businesses do not need to build a payment gateway. Modern third-party solutions offer strong APIs, competitive pricing, and handle compliance, making them the practical choice for most use cases.

When building makes sense

  • High transaction volume where fees of 1.5% to 3% become significant over time
  • Business models like marketplaces or SaaS that require collecting and settling payments
  • Need for custom flows such as split payments, instant settlements, or embedded finance
  • Requirement for full control over payment data and compliance
  • Opportunity to generate revenue by offering gateway services to other businesses

When to think twice

  • RBI licensing takes 6 to 12 months and requires ₹15 crore net worth
  • Development requires deep expertise in payments, security, and compliance
  • Bank partnerships are difficult for new entrants
  • Ongoing operations like fraud monitoring, uptime, and audits add continuous overhead

Processing ₹10 crore a month at 2% means roughly ₹20 lakh in fees every month, about ₹2.4 crore a year, while building a gateway costs ₹1–2 crore upfront plus the ongoing compliance and operations costs described below and the ₹15 crore net worth that must stay locked up. The decision depends on long-term scale and execution capability.

Types of Payment Gateways

Before making architecture decisions, it helps to know which type of gateway you are building. Each type carries different compliance obligations:

Hosted Gateway

Customers are redirected to a third-party hosted payment page. Lower compliance burden for the merchant, but limited control over checkout UX.

Self-Hosted Gateway

Checkout remains on the merchant’s server, but data is sent to a third-party processor for handling. More UX control, higher PCI-DSS scope.

API-Hosted Gateway

Fully custom checkout via APIs. The merchant owns the entire payment flow and all underlying data. Full PCI-DSS Level 1 compliance is required. Most custom-built gateways in India follow this model.

Companies building a proprietary gateway in India are almost always building the API-hosted variant, which means taking on the full scope of PCI-DSS Level 1 compliance and data security obligations.

Regulatory and Legal Requirements in India

Compliance is the foundation of a payment gateway. It affects how the system is built, how it operates, and whether it can legally function.

RBI Licensing

Businesses that collect and settle payments for merchants must obtain a Payment Aggregator (PA) license from RBI.

Key requirements include:

  • Minimum net worth of ₹15 crore, increasing to ₹25 crore within three years
  • Company must be registered under Indian law
  • Promoters must pass RBI’s financial and background checks
  • Mandatory escrow account for handling merchant funds
  • Defined KYC and onboarding process for merchants

Companies that only provide technology without handling funds may qualify as Payment Gateway (PG) providers, which have lighter compliance requirements.

The Full Compliance Landscape

PCI-DSS Level 1

The global standard for card data security; PCI-DSS v4.0 is the version in force. The 6-million-transactions-a-year threshold for Level 1 is the merchant tier. A gateway is a service provider, and the card networks put service providers at Level 1 at far lower volumes (Visa: above 300,000 transactions a year), so in practice an acquiring bank will expect a full Report on Compliance by a Qualified Security Assessor (QSA) and a yearly Attestation of Compliance before it connects a gateway.

KYC & AML

RBI mandates Know Your Customer verification for all merchants and, in certain cases, customers. Anti-Money Laundering frameworks require ongoing transaction monitoring and suspicious activity reporting.

Data Localization (RBI 2018)

All payment system data related to Indian customers must be stored exclusively on servers within India, including full end-to-end transaction data. Processing abroad is allowed, but RBI’s 2019 clarification requires the data to be brought back to India and deleted from foreign systems within 24 hours or one business day of processing, whichever is earlier; only the foreign leg of a cross-border transaction may also be stored abroad. In architecture terms: choose India regions and check that managed services (logging, analytics, backups) do not replicate outside them.

RBI 2FA Mandate

All card-not-present (CNP) transactions on Indian cards require additional factor authentication (AFA), typically an OTP to the customer’s registered mobile number. The exceptions are narrow and RBI-defined: recurring debits on a registered e-mandate below the notified limit (₹15,000 for most categories) skip per-transaction AFA after AFA at registration, and the customer must be notified before each debit. Everything else needs the second factor.

NPCI Regulations

Enabling UPI payments on a gateway requires NPCI approval and compliance with NPCI’s Procedural Guidelines for Third-Party Application Providers (TPAPs) and Payment Service Providers (PSPs). A non-bank gateway does not connect to the UPI switch directly; it integrates through a sponsor PSP bank, so the bank partnership and the NPCI onboarding run together.

DPDP Act 2023

India’s Digital Personal Data Protection Act requires explicit user consent for data collection, purpose limitation, and breach notification obligations. Payment data falls within its scope.

IT Act, 2000

Governs cybersecurity obligations, intermediary liability, and penalties for data breaches. Section 43A makes a body corporate liable to compensate for negligent handling of sensitive personal data, which includes financial information such as card details; the DPDP Act 2023 provides for Section 43A to be omitted once its own provisions are brought into force, so check which regime applies at the time of launch.

Card-on-File Tokenization

Per RBI’s card-on-file tokenization directive, entities other than card issuers and card networks cannot store actual card numbers. Any saved-card functionality must use tokens issued by the card networks (or, since late 2023, by card issuers). The token is stored, never the raw PAN, and a token is bound to one merchant, so it cannot be replayed at another.

Step-by-Step: How to Build a Payment Gateway in India

Building a production-ready payment gateway usually takes 12 to 18 months. The process typically follows these stages:

1. Define Business Model

Decide whether the gateway is for internal use or for other merchants. This determines licensing, scale, and compliance requirements.

2. Apply for RBI License

Register your company and submit the RBI application with business plans, financials, and compliance frameworks. Approval can take 6 to 12 months.

3. Partner with Banks and NPCI

Secure acquiring bank partnerships for settlements and apply for UPI access through NPCI. Banks evaluate risk, volume, and compliance readiness.

4. Build Core Infrastructure

Develop transaction systems, APIs, checkout interface, bank integrations, settlement engine, and fraud detection systems. Ensure high availability and no single point of failure.

5. Implement Security

Include TLS everywhere, tokenization, key management (keys in an HSM or cloud KMS, never in application configuration), strong authentication for merchant and admin access, and fraud detection from the start. Scoping the cardholder data environment early keeps the PCI-DSS audit surface small; retrofitting it after launch is expensive.

6. Achieve PCI-DSS Certification

Complete security audits and compliance checks before going live.

7. Testing

Run sandbox and security testing to validate transactions, refunds, and settlements.

8. Go Live

After final approval, onboard merchants and start with a controlled rollout before scaling.

Technology Stack

There is no single standard stack for payment gateways, but most production systems follow similar patterns:

Layer             What you’re building                          Common choices
Backend           Transaction processing, routing, auth logic   Java (Spring Boot), Node.js, Go
Frontend          Checkout pages, SDKs                          React, Vue, React Native, iOS/Android
Database          Transactions, merchant data                   PostgreSQL, Redis
Messaging         Events, retries, webhooks                     Kafka, AWS SQS
Fraud detection   Risk scoring systems                          Python ML models, third-party APIs
Infrastructure    Compute, storage, networking                  AWS / GCP India regions
Monitoring        Uptime, logs, alerts                          Datadog, ELK, CloudWatch
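The webhooks in the Messaging row are how the merchant learns the result of the “response returned to merchant” step, and they are only trustworthy if signed. The example below is added for this article and is not any provider’s documented scheme (each aggregator publishes its own header names and algorithm). It assumes a per-merchant shared secret, HMAC-SHA256 over "<unix timestamp>.<raw body>", a five-minute replay window, and a unique event id the merchant records; the order amounts and secret are constructed.

```python
"""Signed merchant webhooks: the gateway signs, the merchant verifies before trusting it.

Added example for this article, not any provider's documented scheme. Assumed:
a per-merchant shared secret, HMAC-SHA256 over "<unix timestamp>.<raw body>",
a five-minute replay window, and a unique event id the merchant records.
"""
import hashlib
import hmac
import json

TOLERANCE_S = 300  # reject deliveries older than this even if the signature is valid


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC over the timestamp and the exact bytes sent, so neither can be swapped."""
    return hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()


def gateway_send(secret: bytes, event: dict, now: int) -> tuple:
    """Gateway side: serialize once, sign those bytes, ship bytes and headers together."""
    raw = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    headers = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(secret, now, raw)}
    return headers, raw


class MerchantWebhookReceiver:
    """Merchant side. Verifies over the raw body; parsing before verifying is the classic mistake."""

    def __init__(self, secret: bytes, expected_amounts: dict):
        self.secret = secret
        self.expected_amounts = expected_amounts   # order_id -> amount the merchant asked for
        self.seen_event_ids = set()                # dedupe store; persist it in production
        self.orders = {}                           # order_id -> state

    def handle(self, headers: dict, raw_body: bytes, now: int) -> str:
        ts = headers.get("X-Webhook-Timestamp", "")
        sig = headers.get("X-Webhook-Signature", "")
        if not ts.isdigit() or not sig:
            return "rejected:missing_headers"
        if abs(now - int(ts)) > TOLERANCE_S:
            return "rejected:stale"
        if not hmac.compare_digest(sign(self.secret, int(ts), raw_body), sig):
            return "rejected:bad_signature"        # constant-time compare, no early exit
        event = json.loads(raw_body)                # only now is the payload worth parsing
        if event["id"] in self.seen_event_ids:
            return "duplicate"                      # gateway retries are expected; act once
        self.seen_event_ids.add(event["id"])
        if event["type"] == "payment.captured":
            order_id = event["order_id"]
            # The browser redirect can be forged; the signed event is the source of truth,
            # and even that is checked against what the merchant actually charged.
            if event["amount_paise"] != self.expected_amounts.get(order_id):
                return "rejected:amount_mismatch"
            self.orders[order_id] = "paid"
        return "ok"
```

Two details matter more than the algorithm: verify over the raw request bytes, because re-serializing parsed JSON changes whitespace and key order and the signature will not match; and compare the paid amount against the merchant’s own record of the order, because a valid signature only proves the gateway sent the event, not that the customer paid the right price.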

Important principles

  • Ensure idempotency so duplicate requests do not create duplicate transactions
  • Build failover systems to handle bank or provider downtime
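Both principles in one service, as an added example written for this article and not the code of any real gateway. The idempotency key is scoped to the merchant and bound to a fingerprint of the request body, so a replay returns the original answer and a reuse with a different amount is refused. Failover treats an acquirer timeout as an unknown outcome rather than a failure: the acquirer is asked about the merchant reference before another bank is tried, which is what prevents the double authorization that naive retry produces. FakeAcquirer is a constructed test double; the merchant reference lookup it exposes stands in for the status-inquiry call real acquirer APIs provide.

```python
"""Idempotent payment creation with acquirer failover.

Added example for this article, not code from any real gateway. FakeAcquirer is
a constructed test double for an acquiring bank; its lookup() stands in for the
status-inquiry call that real acquirer APIs expose for a merchant reference.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


class AcquirerTimeout(Exception):
    """The acquirer did not answer in time: the outcome is unknown, not failed."""

class IdempotencyConflict(Exception):
    """An idempotency key was reused with a different request body."""

def fingerprint(body: dict) -> str:
    """Canonical hash of the request so a replay with altered fields is caught."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class FakeAcquirer:
    """Constructed stand-in for an acquiring bank's authorization API."""

    def __init__(self, name: str, times_out: bool = False, records_despite_timeout: bool = False):
        self.name, self.times_out = name, times_out
        self.records_despite_timeout = records_despite_timeout
        self.ledger: dict = {}   # merchant request_ref -> auth reference

    def authorize(self, request_ref: str, body: dict) -> str:
        if self.times_out:
            if self.records_despite_timeout:   # the auth went through, only the reply was lost
                self.ledger[request_ref] = f"{self.name}-{request_ref[:6]}"
            raise AcquirerTimeout(self.name)
        self.ledger[request_ref] = f"{self.name}-{request_ref[:6]}"
        return self.ledger[request_ref]

    def lookup(self, request_ref: str) -> Optional[str]:
        return self.ledger.get(request_ref)

@dataclass
class PaymentService:
    acquirers: list                      # tried in order; anything with authorize()/lookup()
    breaker_threshold: int = 3
    breaker_cooldown_s: float = 30.0
    clock: Callable[[], float] = time.monotonic
    _idem: dict = field(default_factory=dict)        # (merchant, key) -> (fingerprint, response)
    _in_flight: set = field(default_factory=set)
    _failures: dict = field(default_factory=dict)
    _open_until: dict = field(default_factory=dict)  # simple circuit breaker per acquirer

    def create_payment(self, merchant_id: str, idem_key: str, body: dict) -> dict:
        key = (merchant_id, idem_key)
        fp = fingerprint(body)
        if key in self._idem:
            stored_fp, response = self._idem[key]
            if stored_fp != fp:
                raise IdempotencyConflict("idempotency key reused with a different payload")
            return response                          # replay: same answer, no second charge
        if key in self._in_flight:
            return {"status": "processing"}          # concurrent retry while the first attempt runs
        self._in_flight.add(key)
        try:
            # The same merchant reference goes out on every attempt so the acquirer can dedupe too.
            request_ref = hashlib.sha256(f"{merchant_id}:{idem_key}".encode()).hexdigest()[:16]
            response = self._route(request_ref, body)
            if response["status"] != "failed":       # do not pin a transient failure to the key
                self._idem[key] = (fp, response)
            return response
        finally:
            self._in_flight.discard(key)

    def breaker_open(self, name: str) -> bool:
        return self.clock() < self._open_until.get(name, 0.0)

    def _route(self, request_ref: str, body: dict) -> dict:
        now = self.clock()
        for acq in self.acquirers:
            if self.breaker_open(acq.name):
                continue
            try:
                ref = acq.authorize(request_ref, body)
                self._failures[acq.name] = 0
                return {"status": "authorized", "acquirer": acq.name, "auth_ref": ref}
            except AcquirerTimeout:
                # Unknown outcome: ask this acquirer before trying another one,
                # or the customer can end up authorized at two banks.
                ref = acq.lookup(request_ref)
                if ref is not None:
                    return {"status": "authorized", "acquirer": acq.name, "auth_ref": ref}
                self._failures[acq.name] = self._failures.get(acq.name, 0) + 1
                if self._failures[acq.name] >= self.breaker_threshold:
                    self._open_until[acq.name] = now + self.breaker_cooldown_s
        return {"status": "failed", "reason": "no_acquirer_available"}
```

The in-memory dictionaries stand in for what must be a shared store (PostgreSQL or Redis from the table above) with a write that is atomic per key, otherwise two application instances can both miss the in-flight marker; the failed-response rule is deliberate, since caching a transient routing failure under the key would turn one bank outage into a permanently failed order.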

What It Actually Costs

Cost category              INR (₹)          USD ($)
Core development           ₹40L – ₹80L      $48,000 – $96,000
PCI-DSS certification      ₹8L – ₹20L       $9,600 – $24,000
RBI compliance             ₹5L – ₹10L       $6,000 – $12,000
Bank deposits              ₹20L – ₹50L      $24,000 – $60,000
Infrastructure (year 1)    ₹8L – ₹20L       $9,600 – $24,000
Fraud systems              ₹5L – ₹15L       $6,000 – $18,000
Annual maintenance         ₹10L – ₹15L      $12,000 – $18,000

USD values are approximate, at ₹83 per $.

A fully compliant payment gateway typically costs ₹1 crore to ₹2 crore ($120,000 – $240,000) in the first year, excluding the ₹15 crore net worth requirement.

Lower estimates usually indicate incomplete systems without proper compliance.

A practical approach is to build in phases. Start with core features, launch with limited merchants, and expand based on real usage and demand.

Challenges to Plan For

The RBI timeline is longer than most teams expect

Plan for 6 to 12 months from application submission to operational approval. During that period, the technical team can build, test, and prepare for compliance audits, but live transactions cannot be processed. The wait is predictable. What is less predictable is the number of query rounds RBI sends back before approving. Do not understaff compliance preparation in hopes of moving faster.

Banking partnerships take longer than a cold outreach

Acquiring banks want to see transaction volume projections they can believe, a credible fraud and chargeback framework, and promoters with financial services track records. Teams without prior banking relationships should expect longer timelines and should consider working with a fintech consultant or legal advisor who already has those relationships.

Fraud and chargebacks require ongoing operational attention

Once live, fraudulent transactions, friendly fraud, and chargebacks need to be managed continuously. Chargeback rates must stay under 1% to maintain card network relationships. Sustained rates above that threshold can lead acquiring banks to terminate the account. Real-time fraud detection, proper 3DS implementation, and a dedicated disputes team are not optional at any meaningful transaction volume.

Security compliance does not have an end date

PCI-DSS certification is an annual audit, not a one-time milestone. New attack techniques, newly published CVEs in third-party dependencies, key rotation, and internal security hygiene all require ongoing attention. Treat security as a continuous program, not a project with a completion date.

Uptime is a merchant commitment, not just a technical goal

Payment gateways operate around the clock. Research on payment platform outages has shown measurable revenue drops for merchants when gateway availability drops even briefly. SLA commitments to merchants typically require 99.9% or higher uptime, which requires multi-region redundancy, automated failover, and 24/7 on-call engineering coverage.

Where Payment Gateways in India Are Headed

Several regulatory and technology shifts are already in motion. Teams building gateways in 2026 should account for these when making architecture decisions:

UPI Credit Line and BNPL Integration

RBI has enabled credit lines on UPI. Gateways that support credit-on-UPI at checkout will have a measurable advantage in conversion rates for merchants selling higher-value goods.

Digital Rupee (CBDC)

RBI’s e-Rupee pilots are expanding in scope. Gateways will eventually need CBDC integration, particularly for government-facing and enterprise payment flows where programmable money has practical applications.

AI-Driven Fraud and Risk Scoring

Static rule-based fraud detection is being replaced by adaptive ML models. Real-time behavioral analytics, device intelligence, and cross-merchant fraud pattern sharing are increasingly standard in production systems.

Blockchain-Based Settlement

Blockchain settlement rails are being explored for B2B and cross-border payments, reducing settlement time and enabling atomic transaction finality without traditional clearing cycles.

Recurring Payments on UPI

UPI AutoPay adoption is accelerating for subscriptions and EMI payments. Gateways with solid recurring infrastructure will be well-positioned for the growing SaaS and subscription commerce segment.

Cross-Border UPI Expansion

NPCI International is extending UPI access to Singapore, UAE, UK, and other markets. Gateways with international UPI capability will be able to serve the Indian diaspora and growing inbound payment flows from international tourists.


Building a Payment Gateway? Let's Talk.

Zethic works with fintech startups and enterprises on RBI-compliant payment infrastructure, from architecture planning and PA license preparation to API development and PCI-DSS readiness. If a build is on the roadmap, speaking with the team early tends to save time and money in the later stages.

Frequently Asked Questions

Do I need an RBI license to run a payment gateway in India?

Yes. Businesses that aggregate payments on behalf of multiple merchants, collecting customer funds and routing them to merchant accounts, need a Payment Aggregator license from RBI. Businesses providing only the technology infrastructure without touching funds may qualify as a Payment Gateway service provider under a lighter regulatory category. Operating without clarity on which category applies is a compliance risk.

How long does RBI approval take?

Realistically, 6 to 12 months from application submission. RBI commonly sends queries requiring additional documentation or clarification, which extends the timeline. Applications that are complete and well-documented with a credible compliance framework tend to move through faster. There is no guaranteed timeline, so fundraising and product development planning should account for the full range.

How much capital is needed?

For an RBI Payment Aggregator license, the minimum net worth is ₹15 crore at the time of application, scaling to ₹25 crore within three years of authorization. Beyond that, development costs of ₹1 crore to ₹2 crore, banking security deposits of ₹20 to 50 lakh, and compliance costs should be budgeted. Total capital outlay before going live typically falls in the ₹2 to 3 crore range, separate from the net worth requirement.

Can a first-time founder without a banking background get a license?

It is possible, but RBI applies meaningful scrutiny to promoter background, financial history, and the credibility of the business plan. Having at least one founding team member with financial services, banking, or payments experience strengthens the application. Engaging a fintech compliance consultant during the application process is strongly recommended for teams applying for the first time.

What is the difference between integrating a payment gateway and building one?

Integrating means connecting an application to an existing gateway like Razorpay or PayU via their APIs. It typically takes a few days of engineering work. Building means creating the gateway infrastructure itself: the transaction engine, bank connections, security systems, compliance programs, and merchant-facing APIs. The two are completely different in scope, cost, and timeline. Most businesses should integrate. Building makes sense for a narrower set of companies at sufficient scale with the right team in place.

Which payment methods should a gateway support?

At a minimum: UPI, debit and credit cards (Visa, Mastercard, RuPay), net banking, and popular wallets. For a competitive gateway, also consider UPI AutoPay for recurring payments, UPI credit line (RuPay credit on UPI), BNPL integrations, and international card support for cross-border transactions. India is predominantly UPI-first. A gateway without strong UPI support will struggle with merchant adoption regardless of how well everything else is built.
