Quick Answer: PCI DSS compliance services in India cover gap assessment (₹1,80,000–₹4,00,000), quarterly ASV scanning (₹1,00,000–₹2,00,000/year), SAQ completion support, and QSA audit support for Level 1 RoC. PCI DSS is mandatory in India under RBI Payment Aggregator Guidelines, NPCI requirements for UPI/IMPS participants, and Visa/Mastercard acquirer mandates. eShield IT delivers all services remotely with INR pricing, GST-compliant invoices, and outputs formatted for RBI and acquiring bank submissions.
Quick Answer: PCI DSS compliance services in India include gap assessment (identifying gaps against v4.0 requirements), quarterly ASV scanning (mandatory external vulnerability scans), SAQ completion support, and QSA audit preparation. In India, PCI DSS is mandated by the RBI for payment aggregators, by NPCI for UPI/IMPS network participants, and by Visa and Mastercard for merchants above Level 3. Typical cost: ₹1,80,000–₹4,00,000 for gap assessment; ₹1,00,000–₹2,00,000/year for ASV scanning; ₹12,00,000–₹40,00,000 for full RoC support.
PCI DSS Compliance in India: The Regulatory Landscape 2026
PCI DSS compliance in India is driven by a combination of international card scheme mandates and domestic regulatory requirements that have significantly expanded in the past three years. Understanding both dimensions is essential — organisations that focus only on the PCI SSC standard without addressing India-specific obligations risk both compliance failures and regulatory penalties.
RBI Payment Aggregator Guidelines
The Reserve Bank of India issued the Payment Aggregator and Payment Gateway Guidelines in March 2020, with subsequent updates in 2021 and 2023. For any entity seeking or maintaining an RBI payment aggregator licence, PCI DSS compliance is a mandatory prerequisite. Specifically:
- Payment aggregators must comply with PCI DSS and submit their Attestation of Compliance (AoC) to RBI annually
- New applicants for PA licences must demonstrate PCI DSS compliance (or a concrete timeline to achieve it) as part of the licensing application
- Payment gateways providing services to RBI-licensed PAs must also maintain PCI DSS compliance as a service provider
- RBI can conduct or commission independent security assessments of licensed PAs at any time
NPCI Requirements: UPI, NACH, and IMPS
The National Payments Corporation of India (NPCI) requires all entities participating in its payment systems — including UPI, NACH, IMPS, RuPay, and FASTag — to comply with applicable PCI DSS requirements for any cardholder data they handle. NPCI’s Technical Security Requirements mandate quarterly vulnerability scanning and annual penetration testing for network participants, requirements that map directly to PCI DSS Requirements 11.3 and 11.4.
Visa and Mastercard India Acquirer Mandates
Visa and Mastercard enforce PCI DSS compliance through their acquiring banks in India. Indian acquiring banks (SBI, HDFC, ICICI, Axis, etc.) are required to ensure their merchants comply with PCI DSS at the appropriate level. Acquirer compliance requirements by merchant level:
| Indian Merchant Level | Annual Transactions | PCI DSS Requirement | Submission to Acquirer |
|---|---|---|---|
| Level 1 | >6 million per year | Annual RoC by QSA + quarterly ASV scans | Attestation of Compliance (AoC) + scan reports |
| Level 2 | 1–6 million per year | Annual SAQ + quarterly ASV scans | Completed SAQ + scan reports |
| Level 3 | 20,000–1 million e-comm | Annual SAQ + quarterly ASV scans | Completed SAQ + scan reports |
| Level 4 | <20,000 e-comm or <1M total | Annual SAQ (acquirer may waive ASV) | Completed SAQ |
DPDP Act 2023: Intersection with PCI DSS
The Digital Personal Data Protection Act 2023 creates new obligations for Indian organisations processing personal data — including cardholder data, which constitutes personal data under the Act. PCI DSS compliance substantially satisfies DPDP Act obligations around data security (Section 8), but two areas require additional attention:
- Data Fiduciary obligations: Cardholder data processors must appoint a Data Protection Officer and implement a data breach notification mechanism — functions not explicitly covered by PCI DSS but easily implemented alongside a PCI DSS programme
- Data localisation: Certain categories of sensitive financial data may be subject to localisation requirements under forthcoming DPDP Rules — this affects cloud architecture decisions that also impact PCI DSS scoping
Our India PCI DSS engagements explicitly address DPDP Act alignment as part of the scope, avoiding the cost of two separate compliance programmes.
Our PCI DSS Services for India
PCI DSS Gap Assessment
Remote gap assessment covering all 12 PCI DSS v4.0 requirements. Deliverables accepted by RBI and acquiring banks for regulatory submissions.
From ₹1,80,000 fixed-price
Quarterly ASV Scanning
PCI SSC-compliant quarterly external vulnerability scans. Passing reports formatted for acquirer submission. Unlimited rescans included.
From ₹1,00,000/year
SAQ Completion Support
End-to-end SAQ completion support — SAQ type selection, evidence compilation, control documentation, and acquirer submission.
From ₹75,000 fixed-price
QSA Audit Support (RoC)
ISA-qualified consultants embedded with your team to prepare evidence, coordinate QSA interviews, and resolve findings for Level 1 RoC submissions.
From ₹12,00,000
PCI DSS for Indian Fintech, E-commerce, and Banking
Fintech Companies (Payment Aggregators, BNPL, Wallets)
Indian fintech companies processing card payments — including payment aggregators, BNPL providers, digital wallets, and payment gateways — face the most complex PCI DSS requirements. Full cardholder data environments, multi-tenant cloud infrastructure, and rapid product iteration create significant compliance challenges. Our fintech PCI DSS engagements include cloud architecture review (AWS, GCP, Azure scope reduction), API security assessment, and tokenisation advisory to minimise CDE scope before the formal gap assessment begins.
E-commerce Merchants (SAQ A-EP and C)
Indian e-commerce merchants using payment gateways like Razorpay, PayU, CCAvenue, or Stripe typically fall under SAQ A-EP (if using redirect/iframe payment pages) or SAQ C (if using a payment application with internet connectivity). Our e-commerce PCI DSS service includes payment page security review, CSP and script inventory assessment (covering new Requirement 6.4.3), quarterly ASV scans, and SAQ completion — the full compliance package for a fixed annual fee.
Banks and NBFCs
Indian banks, cooperative banks, and NBFCs with card-issuing or card-processing operations require Level 1 PCI DSS compliance — a full Report on Compliance by a Qualified Security Assessor (QSA). Our banking PCI DSS engagements typically begin with a two-phase approach: a gap assessment and remediation programme (6–12 months), followed by QSA coordination for the formal RoC. We work with all major Indian QSA firms and can recommend the right QSA partner based on your bank’s size and profile.
Why Indian Companies Choose eShield IT for PCI DSS
- RBI and NPCI compliance context: We understand Indian regulatory requirements and produce deliverables formatted for RBI, acquirer, and NPCI submissions — not generic reports that require translation into Indian compliance language
- Remote delivery: All PCI DSS gap assessments, SAQ support, and ASV scanning are delivered fully remotely. No travel costs, no delays waiting for on-site slots
- INR pricing: All services are priced and invoiced in INR with GST-compliant invoices. No currency conversion risk or international wire complexity
- v4.0 expertise: We have assessed organisations against PCI DSS v4.0 since its publication. The 64 newly mandatory requirements are our standard checklist, not an afterthought
- DPDP Act alignment: Our India engagements explicitly address DPDP Act obligations alongside PCI DSS — one engagement covers both frameworks
- Certified practitioners: All assessors hold ISA (Internal Security Assessor) or equivalent credentials; our lead holds OSCP, CEH, CISSP, and ISO 27001 Lead Auditor
Start Your PCI DSS Compliance Programme in India
Tell us your merchant level, regulatory deadline (RBI, acquirer, or card scheme), and number of CDE systems. We will send an INR-priced proposal within one business day.