MERCHANT ON-BOARDING POLICY

Introduction

Our Merchant On-Boarding Process is simple, secure, and robust to ensure thorough assessment, evaluation, and judgment of our prospective partner merchants for availing our services. 

We have an independent Risk Team that finalizes the merchant on-boarding process. This team works independently, making its own assessments and evaluations after receiving the individual sets of data collected from the Merchants through the merchant onboarding form. The team is responsible for assessing each Merchant application and activating the Merchant account, while mitigating any probable bias and discarding any ‘Objectionable Merchants’ that are carrying out (or have in the past carried out) business operations that do not comply with and adhere to the enforced laws of the land, or that conduct businesses with a high degree of risk that could lead to cheating or defrauding people and, in turn, to legal disputes.

Our assessment and evaluation processes have been diligently drafted, based primarily on the guidelines and rules framed by the RBI (vide Notification DPSS.CO.PD.No.1810/02.14.008/2019-20 Dt. 17/03/2020), the advice and counsel of our banking partners and renowned consultants, prevailing industry best practices and our own zeal to provide our Merchants and Customers a safe, trusted, reliable and secure platform for the exchange of payments. These assessments, evaluations and processes are updated from time to time as per the regulatory guidelines formulated and enforced.

Scope

The merchant On-boarding policy’s scope is broadly covered as per the following: 

  • GVPIL shall undertake background and antecedent check of the merchants, to ensure that such merchants do not have any mala fide intention of duping customers, do not sell fake / counterfeit / prohibited products.

  • In case GVPIL is maintaining an account-based relationship with the merchant, the KYC guidelines of RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to Parties.

  • Payment Application Security: Payment applications shall be developed as per PA-DSS guidelines and complied with as required. GVPIL shall review PCI-DSS compliance status as part of merchant On-boarding process.

  • GVPIL shall be responsible to check Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded. GVPIL needs to ensure compliance of the infrastructure of the merchants to security standards like PCI-DSS and PA-DSS, as applicable.

  • Merchant site shall not save customer card and such related data, a security audit of the merchant may be carried out to check compliance, as and when required. GVP Infotech Limited Merchant On-boarding Policy.

  • GVPIL shall ensure that the Merchants thus on-boarded comply with the following regulations and /or industry standards.

  • Provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time.

  • Not storing customer card credentials and such related data and customer card authentication details within the database or the server accessed by the merchant. Merchants are not allowed to store payment data irrespective of their being PCI-DSS compliant or otherwise. They shall, however, be allowed to store limited data for the purpose of transaction tracking; for which, the required limited information may be stored in compliance with the applicable standards.

  • Data Sovereignty: GVPIL shall take preventive measures to ensure that a Merchant does not store data in infrastructure that belongs to jurisdictions which may be physically located outside India. Appropriate controls shall be considered to prevent unauthorised access to the data.

  • GVPIL shall have a proper agreement in place for on-boarding.

  • GVPIL shall ensure that no transaction or account-based relationship is undertaken without following the Customer Due Diligence (CDD) procedure as per RBI’s Master Directions on KYC, as updated from time to time.

  • Agreement with merchants shall have provision for security / privacy of customer data. GVPIL’s agreement with merchants shall include compliance to PA-DSS and incident reporting obligations.

  • GVPIL shall obtain periodic security assessment reports either based on the risk assessment (large or small merchants) and / or at the time of renewal of contracts.

  • GVPIL shall undertake comprehensive security assessment during merchant On-boarding process to ensure that RBI’s minimal baseline security controls are adhered to by the merchants.

  • GVPIL shall also ensure that the Merchant complies with the terms and conditions of the Acquiring Banks it has entered into agreement with, for On-boarding merchants.

Merchant On-boarding

The GVPIL understands that merchant on-boarding is one of the key facets while undertaking business operation, as it covers critical aspects viz. evaluation of merchant’s business, Know Your Customer (KYC) of merchants, risk assessment, etc. to mitigate any potential risk. The GVPIL will leverage upon the Merchant Management System (MMS), which will act as a critical tool to run the merchant acquiring program. The MMS tool will enable the GVPIL to undertake necessary risk assessment and KYC process of merchants (including Ultimate Beneficial Owner).

On-boarding Platforms: 

The GVPIL will on-board the merchants via any of the following ways: 

  • On-boarding through sales or activation teams – Where merchants will be on-boarded through Operations Team.

    Merchant On-boarding will comprise of below steps / stages:


The GVPIL has adequate systems in place for merchant On-boarding that help it to collect and process the necessary details. The GVPIL also has an internal list of certain banned businesses, annexed after this process, to avoid On-boarding merchants that are unacceptable or pertain to high-risk industries. The step-by-step process envisaged for merchant On-boarding in both the processes is encapsulated below:

Merchants will be on-boarded by one of 2 methods:

  1. Merchant to be sourced by the online merchant onboarding or sales team.

  2. Or partners will be on-boarded directly in the Merchant Management System.

    • Partner teams will be provided the online Merchant Management System to onboard merchants on the platform.

    • Onboarding team will scrutinise the documents and information received, and complete applications by doing due diligence based on information captured during onboarding.

    • The earlier process was manual and has now been changed to an online process using the merchant onboarding system.

In both flows, the Merchant or relevant teams will complete the mandatory fields stated below:
 

  • Company Registered Name

  • Doing Business Name

  • Type of Business

  • Website Address

  • Business Address

  • Contact Details (Email Address & Mobile Number)

  • Business PAN and Aadhaar number

  • Signing Authority PAN number

  • Signing Authority Aadhaar number

  • GST number

  • Bank Account Details (For settlement)

  • Bank Name

  • Bank Account Number

  • IFSC Code

  • Branch Name

  • Account Type
     

Note – This constitutes the multiple pages of onboarding process.
 

The Company will obtain the merchant's business registered name and address, business profile, website address, contact details (email & mobile number), PAN and GST details, signing authority PAN and Aadhaar, bank account details (for settlement), etc.
 

Once the above details are obtained, the Company will trigger the relevant APIs to validate, via the respective issuing authorities, the PAN, GST details, Aadhaar and bank account details provided. (The Company has partnered with service providers to instantly verify PAN / GST / Aadhaar (as per relevant guidelines) and bank account via their APIs; Services Consumed: PAN Validation, Aadhaar Validation, GST Validation.) Instant validation at field level – As the merchant enters the relevant details, the validation API is triggered and validates the data point immediately. The benefit here is that the loop of repeating the exercise at the end of completing the form, in case of any errors, is reduced.

  • Correct – We activate the merchant and proceed ahead for the merchant to upload the below docs for backend verification:

    • Cancelled Cheque.

    • Document copies (Refer KYC Documents below).

  • Incorrect – Merchant will be prompted to re-attempt this point again post checking the details at their end.

  • Post activation, Merchant can now download API keys from Merchant dashboard console and initiate integration.

  • Settlement will be on HOLD.

  • Simultaneously, Operations Team will also undertake background / antecedent checks on the merchants. Furthermore, a check of all Directors, Promoters, Shareholders, and top management of the Prospective Merchant is conducted against government sanctioned lists, enforcement lists, credible diverse media, public court records, geography specific research, third party contributors, client requests, etc.

  • On successful verification in backend by the ops team, the team will complete checks in the Merchant Management System on the documents uploaded by the merchant and activate settlements. In case of any discrepancy in the information / details provided by the merchant, it will be flagged to sales SPOCs or merchant SPOCs via email or SMS engine, so that they can confirm and re-check the details and the needful can be done to correct the documents; settlement will be left on HOLD till discrepancies are sorted.

  • Once all the documents are verified the information is passed to the relevant acquiring payment solutions for activation.

  • The relevant acquiring solution will also do their relevant due diligence before activating the payment collection services for merchant onboarded by GVPIL.

  • Merchant will now be fully activated for accepting payment.

  • On completion of this step, merchant will be shown a landing page in his console stating “Thank you for completing the process! We will get back to you on your registered email address on further steps. We thank you for your association.” 

  • Operations Team will assess and complete risk management checks through an internal risk assessment method which helps in categorizing merchants as High, Medium, or Low basis the type of business and background verification results.

  • Further basis the category of the merchants, the Company will decide whether any collaterals or security would be required from such merchant while On-boarding the merchants on the platform.

  • GVPIL will also screen merchants against a database of restricted category of merchants as per card network/ association, which will be maintained and updated from time to time.

On an ongoing basis, the GVPIL will update the risk category of the merchant basis the transaction history and the Chargeback Threshold Ratio (CTR).

Merchant prerequisites & Documents Workflow

There is a maker and a checker/approver involved, wherein all details entered at the time of Onboarding/Sign up by a maker/Merchant are validated by the checker.


Maker/Self Sign up – On-boarding

All documents and prerequisite information are entered along with required validation at the time of Maker On-boarding and merchant self-sign up.
 

Maker/Merchant sign up portal will not be able to submit the application in case of incomplete application. 

Checker/Approver – On-boarding

Checker validates all prerequisite information along with the documents uploaded with validation at the time of On-boarding to either approve/reject the merchant. 

KYC Table

Below is the suggestive list; the detailed list is available in the KYC policy.

KYC Documents

| Particulars | Mandatory / Optional | Descriptions |
|---|---|---|
| Cancelled Cheque | Mandatory | Cancelled cheque of the merchant’s business account under which the settlements are to be made. |
| PAN Card | Mandatory | A copy of PAN card should be signed by authorized signatory and stamped with merchant’s business (company) seal. |
| Government Issued Business Certificate | Mandatory | A copy of Registration Certificate and MOA, AOA should be signed by authorised signatory and stamped with merchant’s business (company) seal. |
| Documents of the signing authority | Mandatory | Copy of Identity Proof and Address Proof to be self-attested & stamped with merchant’s business (company) seal. PAN, Passport, Aadhaar, Voter’s ID card. |
| Business Address Proof | Mandatory | Electricity Bill, Landline Bill, Copy of Rent Agreement |
| Financials | Optional | Financials of last 2 financial years |
| Bank Statement | Optional | Last 3 months bank statement |


Turn Around Time (TAT)

  • Activation – Instant on submission and validation. The Merchant will be activated in test mode and will be able to integrate with our gateway.

  • Settlement – This will be done on verification of KYC docs, TAT for the same will be 4 hours post KYC validation.

  • Upon completion of the On-boarding process the merchant will be provided access to the Merchant Panel which consists of the following features:

    1. Dashboard – Summarised view of Transactions/ Settlements/ Modes of Transactions

    2. Transactions – Details of individual transactions triggered through GVP Simplified Digital Payments Solution

    3. Settlement – Settlement information regarding amount settled to merchant date

    4. Refunds – Information regarding all the refunds for transactions triggered through the GVP Simplified Digital Payments Solutions

    5. Chargeback – Workflow and view of all chargebacks

    6. Web Terminal – Capability to generate payment links to be sent to consumers via SMS or Email

    7. User Management – User Access Management for users of Merchants

    8. Notifications – Notifications for payment statuses 

    Merchant On-boarding Flow (Indicative)



Restricted businesses

Following is a list of categories which are banned for accepting payments online. If any of the merchants is found accepting payments on the following categories, then it would be heavily penalized along with the termination of services.

  • Adult goods and services which includes pornography and other sexually suggestive materials (including literature, imagery, and other media); escort or prostitution services; Website access and/or website memberships of pornography or illegal sites.

  • Alcohol which includes alcohol or alcoholic beverages such as beer, liquor, wine, or champagne.

  • Body parts which include organs or other body.

  • Bulk marketing tools which include email lists, software, or other products enabling unsolicited email messages (spam).

  • Cable descramblers and black boxes which includes devices intended to obtain cable and satellite signals for free.

  • Child pornography which includes pornographic materials involving minors.

  • Copyright unlocking devices which include mod chips or other devices designed to circumvent copyright protection.

  • Copyrighted media which includes unauthorised copies of books, music, movies, and other licensed or protected materials; Copyrighted software which includes unauthorised copies of software, video games and other licensed or protected materials, including OEM or bundled.

  • Counterfeit and unauthorised goods which includes replicas or imitations of designer goods; items without a celebrity endorsement that would normally require such an association; fake autographs, counterfeit stamps, and other potentially unauthorised goods.

  • Drugs and drug paraphernalia which includes illegal drugs and drug accessories, including herbal drugs like salvia and magic mushrooms.

  • Drug test circumvention aids which include drug cleansing shakes, urine test additives, and related items.

  • Endangered species which includes plants, animals, or other organisms (including product derivatives) in danger of extinction.

  • Gambling which includes lottery tickets, sports bets, memberships/ enrolment in online gambling sites, and related content. Skill based games can be allowed on case-to-case basis.

  • Government IDs or documents which includes fake IDs, passports, diplomas, and noble.

  • Hacking and cracking materials which includes manuals, how-to guides, information, or equipment enabling illegal access to software, servers, website, or other protected property.

  • Illegal goods which include materials, products, or information promoting illegal goods or enabling illegal acts.

  • Miracle cures which include unsubstantiated cures, remedies or other items marketed as quick health fixes.

  • Offensive goods which include literature, products or other materials that: defame or slander any person or groups of people based on race, ethnicity, national origin, religion, sex, or other; encourage or incite violent acts; or promote intolerance.

  • Offensive goods, crime which includes crime scene photos or items, such as personal belongings, associated with criminals.

  • Pyrotechnic devices, combustibles, corrosives, and hazardous materials which includes explosives and related goods; toxic, flammable, and radioactive materials and substances.

  • Regulated goods which include air bags; batteries containing mercury; Freon or similar substances/refrigerants; chemical/industrial solvents; government uniforms; car titles; license plates; police badges and law enforcement equipment; lock-picking devices; pesticides; postage meters; recalled items; slot machines; surveillance equipment; goods regulated by government or other agency specifications.

  • Securities which include government bonds or related financial.

  • Tobacco and cigarettes which includes cigarettes, cigars, chewing tobacco, and related.

  • Traffic devices which include radar detectors/jammers, license plate covers, traffic signal changers, and related products.

  • Weapons which include firearms, ammunition, knives, brass knuckles, gun parts, and other.

  • Wholesale currency which includes discounted currencies or currency.

  • Live animals or hides/skins/teeth, nails, and other parts of animals.

  • Multi-level marketing collection.

  • Matrix sites or sites using a matrix scheme.

  • Work-at-home approach and/or work-at-home.

  • Drop-shipped.

  • Any product or service which is not in compliance with all applicable laws and regulations whether federal, state, local or international, including the laws of India.

  • The User providing services that have the potential of casting the payment gateway facilitators in a poor light and/or that may be prone to buy and deny attitude of the cardholders when billed (e.g., adult material/ mature content/escort services/ friend finders) and thus leading to chargeback and fraud losses.

  • Businesses or website that operate within the scope of laws which are not absolutely clear or are ambiguous in nature (e.g., web-based telephony, website supplying medicines or controlled substances, website that promise online matchmaking).

  • Businesses outrightly banned by law (e.g., betting & gambling / publications or content that is likely to be interpreted by the authorities as leading to moral turpitude or decadence or incite caste/communal tensions, lotteries/sweepstakes & games of chance).

  • The User who deals in intangible goods/ services (e.g., software download/ health/ beauty Products), and businesses involved in pyramid marketing schemes or get-rich-quick schemes.

  • Any other product or service, which in the sole opinion of either the Acquiring Bank, is detrimental to the image and interests of either of them / both, as communicated by either of them / both to the User from time to time. This shall be without prejudice to any other terms & conditions mentioned in these Terms of Use.

  • Mailing.

  • Virtual currency, crypto currency, prohibited investments for commercial gain or credits that can be monetized, re-sold, or converted to physical or digital goods or services or otherwise exit the virtual world.

  • Money laundering.

  • Database providers (for tele-callers).

  • Bidding/auction.

  • Activities prohibited by the Telecom Regulatory Authority of India; and

  • Any other activities prohibited by applicable regulatory and statutory authorities.

On-boarding Risk Rules

| Sr. No. | Use Cases | Rules |
|---|---|---|
| 1 | MCC Validation | SET MCC |
| 2 | Risk Classification of Merchants | Low / Medium / High / Critical |


The following are the On-boarding Risk Rules:

MCC Validation workflow

  • Ops team user should have role-based access to view this functionality following are

  • MCC validations are done basis the details provided by the merchant at the time of onboarding

  • Request for MID/TID are raised with the respective partner banks/Aggregators

  • MID/TID received from the partner banks/Aggregator are configured for the merchant at the time of On-boarding

MCC Assignment Process 

Once all the documents are verified, as a part of the onboarding process the team will suggest a suitable MCC pertaining to the Merchant’s Line of Business. This suggested MCC and the other required information are passed to the relevant acquiring payment solutions for activation.

The relevant acquiring solution will also do their relevant due diligence before activating the payment collection services for merchant onboarded by GVPIL. 

As part of their due diligence process, the relevant acquiring solution will either approve the Merchant Category Code (MCC) recommended by GVP or reject it and notify the same to GVP.

In the event of approval, the merchant will be onboarded and activated under the recommended MCC for payment acceptance.

In the event of a rejection, GVP shall recommend an alternative MCC for the same merchant, following which the merchant shall be onboarded under the newly proposed MCC, subject to approval by the acquiring solution.

Risk Classification of Merchants workflow

  • Risk classification of the merchants is done basis the predefined SOP and the banned category list maintained and updated from time to time by the ops team.

  • Merchants are classified as Critical/High/Medium or Low risk merchants at the time of Onboarding.

  • At the time of On-boarding, when a Merchant signs up on GVP for its service, we collect the required KYC documents as per the business sector or business type.

  • After the On-boarding, the back-office ops team verifies the documents and understands the line of business / nature of business; we first categorise the merchant based on their nature of business or line of business.

  • At the second level of verification, we have adopted an AML screening tool for screening of merchants, individuals and businesses.

  • AML screening is a very important and mandatory part for GVP Infotech Limited as a Payment Aggregator.

  • Using AML screening, we investigate national or international databases such as UN / US or UK sanctions lists, Politically Exposed Person (PEP) checks, and AML checks using entity or individual details.

  • Based on the AML screening results, we again categorise the merchants into the Critical/High/Medium or Low Risk category.

  • In the 3rd step, the ops team calculates the overall risk score of merchants based on LOB checks and AML checks and gives them a final risk score, based on which the ops team can handle the different cases.

  • Merchants classified as ‘Critical’ are those identified either under the prohibited or banned categories maintained and periodically updated by the operations team, or assessed as critical-risk pursuant to the enhanced due diligence conducted during the onboarding process or at any time thereafter. Any merchant designated as ‘Critical’ pursuant to such risk assessment shall be ineligible for onboarding onto the platform, and if such classification is made post-onboarding, the merchant shall be subject to immediate off-boarding.

RA Score Calculation Model

Line of Business Checks and website Checks

This is the very first step taken by the ops team. When a merchant on-boards himself on the GVP website, the ops team validates his documents and checks the website for the type of products and services, restricted business, etc., and based on that gives a risk score as per the industry standard. The table given below is followed by the ops team for giving a risk score, and it can be updated as per business requirement.

| Risk Category | Nature of Business | Risk Score Range | Type of Line of Business (LOB) |
|---|---|---|---|
| Low Risk | Retail, Education, Services | 0–1 | Grocery stores, educational services, Healthcare |
| Medium Risk | Hospitality, Food Delivery | 1.1–3 | E-commerce platforms, Travel agencies, Subscription based services |
| High Risk | Gaming | 3.1–4 | Digital marketing, Gaming platforms |
| Critical Risk | Adult Content, Firearms, Cryptocurrency | 4.1–5 | Gambling, Adult content, Cross-border remittance, Crypto exchanges, Firearms |


AML Screening and PEP checks

While scoring based on AML checks, GVP’s Fraud Risk and Compliance Team uses an AML screening tool to perform risk assessment of the merchant by investigating details on international and national databases. Based on the result, we give them a risk score as per the table below; this table can be changed as per the industry standards and business requirement.

| Risk Category | Risk Score Range | Screening Type | Description |
|---|---|---|---|
| Low Risk | 0–1 | AML Screening | No hits on sanction lists, clean adverse media check, and fully verified business operations. |
| Medium Risk | 1.1–3 | Sanction Checks Database | Minor matches or false positives in global/domestic watchlists; limited adverse media mentions. |
| High Risk | 3.1–4 | PEP Checks | Indirect association with politically exposed persons (PEPs) or presence in adverse media requiring verification. |
| Critical Risk | 4.1–5 | AML + Sanction Database + PEP Combined | Direct matches with sanction lists, confirmed association with flagged entities, or critical adverse media coverage. |


Overall Risk Profiling of Merchants

Once AML screening, website checks and document verification are done by the Ops team and Risk team, the Operations team evaluates the merchant’s risk category based on both checks and creates an overall risk profile of the merchant. This risk profile is created using permutation and combination of each possibility.

| LOB Category | AML Screening Risk | PEP Check Risk | Risk Score Range (0–5) | Overall Risk Score (0–5) | Description |
|---|---|---|---|---|---|
| Low Risk | Low Risk (0–1) | Low Risk (0–1) | 0–1 | 1 | Merchant operates in a low-risk LOB and has clean AML and PEP screenings. Minimal monitoring needed. |
| Low Risk | Low Risk (0–1) | Medium Risk (1–3) | 1–3 | 2 | Merchant is low-risk in LOB but has some medium risk in PEP (e.g., association with low-level PEPs). |
| Low Risk | Medium Risk (1–3) | Low Risk (0–1) | 1–3 | 2 | Low-risk LOB with minor issues in AML (false positives or small adverse media hits). |
| Low Risk | Medium Risk (1–3) | Medium Risk (1–3) | 3 | 3.5 | Merchant has medium-risk AML and PEPs; needs enhanced due diligence and monitoring. |
| Medium Risk | Low Risk (0–1) | Low Risk (0–1) | 1–3 | 2 | Merchant operates in a medium-risk LOB with clean AML/PEP results. Moderate monitoring required. |
| Medium Risk | Low Risk (0–1) | Medium Risk (1–3) | 2–4 | 3 | Medium-risk LOB with PEP risks (e.g., indirect connections with PEPs). |
| Medium Risk | Medium Risk (1–3) | Low Risk (0–1) | 2–4 | 3 | Merchant has medium AML risk but low PEP risks; requires enhanced due diligence for potential AML issues. |
| Medium Risk | Medium Risk (1–3) | Medium Risk (1–3) | 3–4 | 3.5 | Merchant has medium-risk AML and PEPs; thorough investigation needed for both AML and PEP associations. |
| High Risk | High Risk (3–4) | Low Risk (0–1) | 3–4 | 3.5 | High-risk LOB with clean AML and PEPs; frequent monitoring of transactions and periodic reviews required. |
| High Risk | High Risk (3–4) | Medium Risk (1–3) | 4 | 4.5 | High-risk LOB with substantial PEP exposure and significant AML issues. Immediate review required. |
| High Risk | High Risk (3–4) | High Risk (3–4) | 5 | 5 | High-risk LOB with critical AML and PEP risks; immediate freeze, reporting, and in-depth investigation. |


Business Specific Documentation Requirement

Complete a Merchant Agreement with each merchant; it must meet Association minimum requirements, which pertain to honouring cards, prohibitions, cardholder account information security, etc.

Legal Department

The Legal Department shall be responsible for the preparation, periodic review and event-triggered review of the Merchant Agreement. Such reviews may be undertaken at regular intervals or upon the occurrence of a material legal, regulatory, or operational event.

The Merchant Agreement shall, where applicable, include provisions dealing with the following - 

  1. amending the merchant agreement

  2. chargeback conditions

  3. fees and charges

  4. freezing funds 

  5. merchant liability

  6. terminating the agreement 

  7. Policy which requires to have a clause that indemnifies GVPIL from Issuer losses related to information security compromises where appropriate and legally permitted.


The Merchant Agreement shall also prohibit Merchants from adding sub-merchants unless approved by Underwriting and Risk Management teams. 

Additional Documents

Banks might seek a few additional documents for certain merchants, e.g. financial statements, which should adhere to the following guidelines:

  a) Financial statements should include 1- or 2-years’ balance sheet, 1- or 2-years’ income statement (Profit and Loss) and any accompanying notes.

  b) For applicants in business less than 2 years, draft financial results or a business plan should be obtained.

  c) Business turnover to be verified through the last 6 months’ bank statements. Only Current Account statements are acceptable and the legal name or DBA (Doing Business as) of the merchant should reflect in the account statement.

Additional Validation Checks by Risk team

Merchants dealing in the Retail & Shopping category need to pass through a few additional checks created by the Risk team (Risk Ops). A few of the validation checks performed by Risk Ops are as below:

  • Business location – Verify if the location belongs to popular fraud merchant zones.

  • Product sold – Determine if the product/service pricing is at par with market pricing or available with some lucrative offers.

  • Delivery timeframe and conditions – To determine the potential risk with respect to delivery method and timing.

  • Privacy Statement – Review privacy policy. It should mention that confidential customer details would not be shared.

Moderate Risk Businesses & Unacceptable LOB

  • Merchants under these categories would be decided on a case-to-case basis depending upon the profile of the customer. In such cases, additional documentation may be required as well as certain business approvals may be required. Negative LOB Update: Work from Home / MLM identified/seems to be duping schemes are not allowed & are considered as negative LOB, other WFH scheme where attractive / forgery / unrealistic monetary offers are not provided.

  • To define in detail with For ex: Crowd Funding /NGO /Online Gaming.

  • Ayurveda Merchants: Specific Guidelines to be followed as per constitution of the merchant.

Roles and Responsibilities

  1. Every employee within the On-boarding team is responsible for ensuring compliance of the clauses of the Merchant Onboarding Policy as per organisation standard policy. Any deviation in judgment is to be approved by key management personnel in writing.

  2. Any exception for merchant validation (non-regulatory) to be approved by Business Head/Head of Department. Any waiver in document requirement for merchant on boarding and validation to be approved by Business Head/ Head of Risk.

  3. All agents within the team will follow a predefined hierarchy based on their approval authority. The risk team’s initial review carries with it the responsibility for approving a prospective merchant and, if necessary, forwarding the application for further approval to the required authority. 6. List of all On-boarding teams / stakeholder: (To be Provided by Business Team).

  4. Exceptional/ Additional Scenarios at Risk Assessment stage: Big Brands entering Indian market/ launching new products detailed RA can be relaxed for certain categories -

    1. If there are less than 5 unique products on the website/APP, on board them only with certain Limits (for example 100 K limits irrespective of their LOB).

    2. Negative Line of Business (LOB) check for Company’s PG and Wallet services.

    3. While on boarding the merchants for offering Wallet and / or PG services, Company’s team will observe the following guidelines:

      1. Unqualified / Negative Businesses – Merchants under these categories cannot be on boarded by the Please do not solicit these accounts as they are outside of policy guidelines both due to regulatory reasons as well as due to business/strategic reasons.

      2. Negative Businesses due to compliance reasons – Merchants under these categories can be on boarded after discussion with the Risk / compliance team.

Merchant Justification Log

MCC Justification Log, capturing key data points such as the merchant’s profile, business verification outcomes, relevant documentation, recommended MCC, and the identity of the reviewing personnel. This log is to be securely maintained and readily available for audit and supervisory examination.

Addendum Process

Purpose of Addendum:

  • To record: Web /App URL Addition, Web/App URL change, Revised Rates/Commercial Change, Product inclusion / deletion.

  • Web / App URL Addition: If the merchant is already live with us on any platform (Web/App) and requires PG services on another Web/App URL with the same legal entity, the merchant needs to create a sub-account and raise the request for addition of the URL to sales.

  • Business team analyses the website and completes the checks on risk assessment and forwards the same to Risk Team for approval from Head of Risk. 

  • Revised Rates/Commercial Change: If merchant wants to change the commercial or add any instruments the same needs to be done post approval of Head of Business with a copy marked / forwarded to the Risk Team.

  • The above Policy is to be reviewed periodically, at least once a year, and updated versions are to be uploaded based on the trends / changes approved by the Board.

Documentation & Tracking

Maintain detailed logs of:

  • Training completion and attendance

  • Confirmations of policy acknowledgments

  • Merchant queries and clarifications

  • Data retention period: minimum 5 years

  • Auto-generate monthly reports for compliance and audit readiness

Non-Compliance Protocol

  • Merchants failing to complete mandatory trainings may:

    1. Receive up to 3 follow-ups

    2. Be temporarily restricted from transactions (if high-risk)

    3. Be reported to Compliance for escalation

  • Repeated non-compliance may lead to offboarding

Merchant Off-Boarding

Conditions for Merchant Off-boarding

Payment Aggregators should consider off-boarding a merchant under the following circumstances: 

  1. Regulatory Non-Compliance:

    1. Failure to adhere to Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating Financing of Terrorism (CFT) guidelines as stipulated by the Reserve Bank of India (RBI).

  2. Fraudulent Activities:

    1. Engagement in deceptive practices, sale of counterfeit or prohibited products, or any activity intended to defraud customers.

  3. Security Breaches:

    1. Non-compliance with Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS), leading to data breaches or unauthorized storage of customer card information.

  4. High Risk Metrics:

    1. Consistently high chargeback ratios, fraud rates, or refund percentages that exceed industry benchmarks, indicating potential risk to the payment ecosystem.

  5. Operational Issues:

    1. Persistent customer complaints, failure to deliver goods/services, or other operational deficiencies that harm customer trust and satisfaction.

  6. Legal or Regulatory Actions:

    1. Involvement in legal proceedings, insolvency, or actions by regulatory bodies that impact the merchant's ability to operate lawfully.

Procedure for Merchant Off-boarding

  1. Initiation of Off-boarding Process

    1. Identify the triggering event (e.g., regulatory breach, fraud detection).

    2. Document all evidence and rationale for initiating the off-boarding process.

  2. Internal Review and Approval

    1. Conduct a thorough internal review involving compliance, legal, and risk management teams.

    2. Obtain necessary approvals from authorized personnel or committees as per the PA's governance structure.

  3. Merchant Notification

    1. Provide formal written notice to the merchant detailing:

      1. Reasons for off-boarding.

      2. Effective date of termination.

      3. Any obligations or actions required from the merchant (e.g., pending settlements, data retrieval).

  4. Settlement of Accounts

    1. Ensure all pending transactions are settled.

    2. Release any held funds after deducting applicable charges or penalties, if any.

  5. Data and Access Management

    1. Revoke the merchant's access to the PA's systems and platforms.

    2. Ensure secure deletion or return of any sensitive data as per data protection policies.

  6. Regulatory Reporting

    1. Report the off-boarding to relevant regulatory authorities, if required, especially in cases involving fraud or significant compliance breaches.

  7. Record Maintenance

    1. Maintain comprehensive records of the offboarding process, including communications, approvals, and actions taken, for audit and compliance purposes. 

Additional Considerations

  1. Contractual Clauses: 

    • Ensure that merchant agreements include clear terms regarding termination conditions, notice periods, and post-termination obligations.

  2. Customer Communication

    • If necessary, inform affected customers about the merchant's offboarding, especially if it impacts pending transactions or services.

  3. Continuous Monitoring:

    • Implement systems to monitor merchant activities continuously, enabling early detection of issues that may warrant offboarding.

Inactive Merchant Management

Process Flow 

Step 1: Identification

  • Frequency: Monthly report generation via backend systems

  • Parameters: Last transaction date, merchant ID, activation status, risk profile

  • Output: List of potentially inactive merchants to be deactivated

Step 2: Internal Review

  • Performed by: GVP Operations/Risk Team

  • Checkpoints:

    • Merchant category (e.g., seasonal, dormant by design)

    • Onboarding channel

    • Recent complaints, disputes, or compliance flags

    • Last transaction date 

Step 3: Merchant Notification

  • Channels: Email, SMS, and/or tele-call

  • Notification Content:

    • Inactivity alert 

    • Request for confirmation on business continuity 

    • Instructions for KYC update or reactivation

  • TAT for Merchant Response: 7 business days from notification 

Step 4: Re-KYC and Verification (if merchant has not transacted for at least 11 (eleven) months)

  • Triggered if: Merchant expresses intent to continue

  • Required Documentation:

    • This will be considered as a new merchant onboarding and complete KYC, compliance, AML etc changes to be done

    • Updated PAN, business proof, address proof, and cancelled cheque

    • Declaration of business continuity or change 

  • Verification Type:

    • Physical verification (for high-risk or flagged merchants)

    • Virtual verification (low/medium-risk merchants)

  • Review TAT: 5 business days from submission

Step 5: Final Decision and Action

  • Merchant reactivated if all checks are cleared

  • Permanent off-boarding if:

    • Merchant fails verification

    • No valid response within 15 days

    • Regulatory requirement or internal risk escalation

  • Approving Authority: Risk/Compliance Head, GVP

5. Deactivation/Off-boarding

  • Merchant status updated in the backend system (Suspended/Off-boarded)

  • Notification sent to merchant regarding the action taken

  • Access to GVP services revoked if off-boarded

Documentation & Record keeping

  • Maintain audit trail of:

    • Inactivity reports

    • Communication logs

    • Submitted documents

    • Approval records 

  • Retention Period: Minimum 5 years (as per regulatory guidelines)

Timeline Summary

| Activity | TAT |
| --- | --- |
| Identification & Report Generation | Weekly |
| Merchant Notification | Within 1 business day of identification |
| Merchant Response | Within 7 business days |
| Re-KYC Completion | Within 5 business days |
| Final Action & System Update | Within 2 business days |

Security Controls for card data storage or access by Merchants

  1. Conduct interviews with key merchant personnel involved in payment processing and systems management to understand card data flow and storage practices. Inquire specifically whether full card numbers, CVV codes, and expiration dates are retained in systems or databases.

  2. Perform scans of the merchant's environment to identify potential storage locations of card data provided the merchant provides their own checkout page. Examine databases, log files, backups and archives for presence of PANs, expiration dates, or CVV codes. Utilise data discovery and classification tools as well as keyword searches. 

  3. Examine a sample of transaction records and receipts to determine if full card PAN or expiration date is present. Verify masking or truncation meets PCI DSS requirements. 

  4. Review configuration standards for all POS devices, payment applications, and servers involved in transaction processing to verify that storage of sensitive authentication data post authorisation is disabled. 

  5. Assess data retention policies and procedures to ensure cardholder data is securely disposed of within prescribed time limits once transaction is authorised.

  6. Confirm proper logging and monitoring capabilities are in place to detect and alert for anomalies indicating potential unauthorised storage or handling of sensitive card data.

  7. Validate that card data security responsibilities, policies and procedures are formally assigned, documented, and acknowledged by management.
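The data discovery scan and the masking check in steps 2 and 3 can be sketched as follows. This is an added example, not part of the policy or of any GVP tooling: the function names and sample log lines are constructed for illustration, and the first-six / last-four display limit is an assumption to be set to the PCI DSS version in scope.

```python
import re

# Full PAN candidates: 13-19 contiguous digits, or 4-4-4-4 / 4-6-5 groups.
PAN_RE = re.compile(
    r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)")
# Masked PAN: optional leading digits, a run of mask characters, trailing digits.
MASKED_RE = re.compile(r"(?<![\d*Xx])(\d*)[*Xx]{4,}(\d*)(?![\d*Xx])")
# Keyword search for a card verification value written next to its label.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?)\b\W{0,3}\d{3,4}\b", re.I)

# Constructed sample lines using public test card numbers, not real data.
SAMPLE_LOG = [
    "2025-01-15 10:22:31 INFO order=1234567890123456 status=paid",
    "2025-01-15 10:22:32 DEBUG card=4111111111111111 exp=12/27 cvv=123",
    "2025-01-15 10:22:33 INFO receipt card=411111******1111 amount=499.00",
    "2025-01-15 10:22:34 INFO receipt card=41111111****1111 amount=120.00",
    "2025-01-15 10:22:35 DEBUG pan=5555 5555 5555 4444 auth=approved",
]


def luhn_ok(digits):
    """Luhn checksum, used to discard order IDs and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(digits, head=6, tail=4):
    """Keep the report safe to store: never copy a full PAN into a finding."""
    return digits[:head] + "*" * (len(digits) - head - tail) + digits[-tail:]


def scan_lines(lines, max_head=6, max_tail=4):
    """Return (line_no, kind, evidence) for each suspected storage violation."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((no, "full_pan", redact(digits)))
        for m in MASKED_RE.finditer(line):
            head, tail = m.group(1), m.group(2)
            too_wide = len(head) > max_head or len(tail) > max_tail
            if 13 <= len(m.group()) <= 19 and too_wide:
                shown = f"{len(head)}+{len(tail)} digits visible"
                findings.append((no, "mask_exceeds_limit", shown))
        if CVV_RE.search(line):
            findings.append((no, "cvv_stored", "value redacted"))
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```

The Luhn filter keeps the 16-digit order ID on the first line out of the report, and findings carry only redacted evidence so the scan output does not itself become a store of card data.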

General issues / Complaints

End User Specific (Through Merchants / Customers):

  • Refund issues

  • Transaction related issues

  • General Queries

Merchants/Customers specific:

  • Chargeback related issues

  • Transaction related queries and issues

  • Refund related explanations/issues

  • Payment options activation/deactivation requests

  • Settlement/Reports related

  • Integration/Tech related issues and queries

  • On-Boarding related issues and queries

Team handling complaints

Our teams undergo regular training to ensure that consumers’ queries and grievances are handled
in an appropriate manner. They are encouraged to work in a manner which helps us in offering a
first-time resolution and in turn build consumer trust and confidence. This reflects in both the
operations as well as the customer communications.

Complaint Registration:

Customers / Merchants can register their grievances through various channels, including:

Email: Customers can send an email to our dedicated customer support email address, provided
on our website.

Phone: Customers can contact our customer support helpline, which is available during business
hours.

Online Form: We offer an online complaint form on our website, where customers can submit
their grievances.

Complaint Acknowledgement:

Once a complaint is received, we will acknowledge the complaint within 48 hours. The
acknowledgement will include a unique complaint reference number, which the customer can use
for future reference.

Investigation and Resolution:

We will initiate a thorough investigation into the customer's grievance. Our dedicated grievance
resolution team will review the complaint and take appropriate actions to resolve the issue. This
may involve contacting relevant parties, such as banks or merchants, to gather additional
information if necessary.

Timely Resolution:

We are committed to resolving customer grievances in a timely manner. We aim to provide a
resolution within Seven [7] business days from the date of complaint registration. However,
complex cases may require more time for investigation, and we will keep the customer informed
about any delays.

Communication and Updates:

Throughout the complaint resolution process, we will maintain regular communication with the
customer. We will provide updates on the progress of the investigation and inform the customer
about any additional information or documents required.

Escalation:

If a customer is not satisfied with the resolution provided, they can escalate their complaint. We
have a designated escalation mechanism where the complaint will be reviewed by a senior
management team member. The escalated complaint will be given priority, and efforts will be
made to address it promptly.

Final Decision:

Once the investigation is complete, we will communicate the final decision to the customer. If the
complaint is found valid, we will provide appropriate remedies or compensation as per our
internal policies. If the complaint is not upheld, we will explain the reasons behind the decision to
the customer.

Feedback and Continuous Improvement:

We value customer feedback and consider it essential for improving our services. After the
complaint is resolved, we may request customers to provide feedback on their experience and
suggestions for improvement. This feedback will be used to enhance our processes and address
any shortcomings identified during the grievance resolution process.

Procedure (Standard Operating Procedure)

Introduction:

This SOP outlines the procedures for handling customer grievances related to our operations in
India. Our goal is to provide timely and effective resolution of customer complaints while
maintaining high standards of professionalism, integrity, and customer service.

Customer Grievance Handling Process:

  1. Receipt of Complaint: Customers can lodge complaints through various channels such as email,
    phone, or our website. The customer service team will acknowledge the complaint and provide
    a reference number for tracking purposes.

  2. Investigation: The customer service team will investigate the complaint to understand the
    issue and gather relevant information. If necessary, the team will seek assistance from other
    departments such as technical support, risk management, or compliance.

  3. Resolution: The customer service team will provide a resolution to the complaint within a
    reasonable time frame. The resolution may involve corrective action such as refund,
    chargeback, or other forms of compensation. The team will communicate the resolution to the
    customer and seek their acceptance.

  4. Escalation: If the customer is not satisfied with the resolution, they can escalate the complaint
    to the next level of management. The escalation process should be clearly communicated to
    the customer, and their complaint should be handled with priority and urgency.

  5. Documentation: All complaints and their resolution should be documented in a complaint
    register for tracking and analysis purposes. The customer service team should periodically
    review the register and identify trends and areas for improvement.

Turn Around Time (TAT)

The Company will also have dedicated resources who will be responsible for ensuring that all
complaints raised by the merchants are addressed and closed as per the stipulated TAT. Typically, the TAT
followed to resolve any queries / complaints will be as follows:

| Types of Queries | TAT |
| --- | --- |
| Basic | Up to 12 working hours |
| Complex | 12 to 18 working hours |
| Tech related | 24 to 48 working hours |


Customer Redressal Mechanisms:

  1. Customer Service: Customers can contact our customer service team through various channels
    such as phone, email, or chat. The team should be well-trained and equipped to handle
    customer queries and complaints in a professional and courteous manner.

  2. Nodal Officer: We have designated a nodal officer for grievance redressal as per the
    regulations. The nodal officer will handle complaints that are not resolved satisfactorily by the
    customer service team. The nodal officer's contact details should be prominently displayed on
    our website and other communication channels.

  3. Ombudsman: Customers can also approach the ombudsman appointed by the regulatory
    authority for redressal of grievances. We will cooperate with the ombudsman in resolving
    complaints and provide all necessary information and assistance.

Escalation Matrix

| Levels | Escalation | TAT |
| --- | --- | --- |
| Level-0 | Support Executive, Email: | 48 business hours |
| Level-1 | Head Operations, Contact Number: | 7 business days |
| Level-2 | Nodal Officer, Contact Number: | 21 business days |
| Level-3 | Business Head, Contact Number: | 30 business days |


Conclusion:

We are committed to providing our customers with a reliable and secure payment aggregator
service. Our customer grievance and redressal procedures are designed to ensure that customers
have a hassle-free experience and their complaints are resolved in a timely and effective manner.
All employees involved in customer service and complaint handling must familiarize themselves
with these procedures and comply with them at all times.

Built for today’s businesses, trusted for tomorrow’s growth.


© 2025 GVP Infotech Limited. All rights reserved.
