Introduction
This document is intended as a Policy Document to be followed at Phi Commerce for the following:
- Merchant identification and onboarding policy
This policy documents will be updated whenever there is a change in process initiated by Phi Commerce or based on notifications from the RBI.
Definitions:
- Merchants: Any Business which employs Phi Commerce service is referred to as “Merchant”.
- Processing Services: Services offered by the PayPhi Platform.
Merchant identification and onboarding policies
References
The policies framed here are based on Reserve Bank of India’s circular for guidelines on Regulation of Payment Aggregators and Payment Gateways. The guidelines are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007.
Customer/Merchant Identification Policy
Each prospect merchant engaged by Phi Commerce can be divided into 3 categories. These are as:
- Low risk merchant
- Medium risk merchant
- High risk merchant.
Phi Commerce shall normally engage with Merchants that fall under the Low risk and Medium risk category. Approvals by Chief Risk Officer will be required to engage and onboard a merchant from the high-risk category merchants.
The RBI guidelines on Regulation of Payment Aggregators and Payment Gateways and Master Direction – Know your Customer is referred for the definitions of above categories.
Merchant On-boarding Policy / Customer Acceptance Policy
- Phi Commerce will on-board merchants that are low risk and medium risk categories. Merchants outside these two categories will need approval for on-boarding from Chief Risk Officer. The RBI guidelines on Regulation of Payment Aggregators and Payment Gateways and Master Direction – Know your Customer is referred for document details. Merchant risk categorization is done based on Matrix defined in the Operations process.
- Phi Commerce will strive to offer its processing services to Merchants only after performing required KYC check and Due Diligence checks. The RBI guidelines on Regulation of Payment Aggregators and Payment Gateways and Master Direction – Know your Customer is referred for the verification processes. Any deviation will need to be authorized by Chief Risk Officer from Phi Commerce.
- Phi Commerce will not deny its processing services to Valid Merchants who are socially disadvantaged.
- Phi Commerce will collect documents for the purpose of KYC, from the Merchant which has to be on-boarded on the Phi Commerce Platform. The documents that are collected are for enabling Phi Commerce to undertake background and antecedent checks of the Merchants to ensure on a best effort basis that such merchants do not have any mala fide intentions of duping customers, selling fake / counterfeit prohibited products. The documents to be collected will be communicated to the Merchant and will depend on the constitution of the Merchant and can be broadly classified as:
- Mandatory Documents
- Optional Documents – These will be obtained post getting Merchant Consent. If the Merchant is submitting these documents, then it is a deemed consent.
- Besides other formalities like Purchase Order, Agreements etc., A Merchant can use PhiCommerce Services only after successfully completing the KYC process performed by Phi Commerce OR unless the Chief Risk Officer has approved.
- Phi Commerce will adhere to the RBI policy of list of banned businesses that fall under the banned list which is as follows, and not offer them its services.
- Adult goods and services which includes pornography and other sexually suggestive materials (including literature, imagery and other media); escort or prostitution services. Apparatus such as personal massagers/vibrators and sex toys and enhancements.
- Online sale of alcohol through website, which includes Alcohol or alcoholic beverages such as beer, liquor, wine, or champagne.
- Body parts, which includes organs or other body parts – live, cultured/preserved or from cadaver.
- Bulk marketing tools which include email lists, software, or other products enabling unsolicited email messages (spam).
- Cable TV descramblers and black boxes which includes devices intended to obtain cable and satellite signals for free.
- Child pornography in any form.
- Copyright unlocking devices which include Mod chips or other devices designed to circumvent copyright protection.
- Copyrighted media, which includes unauthorized copies of books, music, movies, and other licensed or protected materials.
- Copyrighted software which includes unauthorized copies of software, video games and other licensed or protected materials, including OEM or bundled software.
- Counterfeit and unauthorized goods which includes replicas or imitations of designer goods; items without a celebrity endorsement that would normally require such an association; fake autographs, counterfeit stamps, and other potentially unauthorized goods.
- Drugs and drug paraphernalia which includes illegal drugs and drug accessories, including herbal drugs including but not limited to salvia and magic mushrooms.
- Drug test circumvention aids which include drug cleansing shakes, urine test additives, and related items
- Endangered species, which includes plants, animals, or other organisms (including product derivatives) in danger of extinction.
- Gaming/gambling which includes lottery tickets, sports bets, memberships/ enrollment in online gambling sites, and related content.
- Government IDs or documents which includes fake IDs, passports, diplomas, and noble titles.
- Hacking and cracking materials which includes manuals, how-to guides, information, or equipment enabling illegal access to software, servers, websites, or other protected property.
- Illegal goods which include materials, products, or information promoting illegal goods or enabling illegal acts.
- Miracle cures which include unsubstantiated cures, remedies or other items marketed as quick health fixes.
- Offensive goods which include literature, products, or other materials that: a) Defame or slander any person or groups of people based on race, ethnicity, national origin, religion, sex, or other factors b) Encourage or incite violent acts c) Promote intolerance or hatred.
- Offensive goods, crime which includes crime scene photos or items, such as personal belongings, associated with criminals.
- Prescription drugs or herbal drugs or any kind of online pharmacies which includes drugs or other products requiring a prescription by a recognized and licensed medical practitioner in India or anywhere else.
- Pyrotechnic devices and hazardous materials which includes fireworks and related goods; toxic, flammable, and radioactive materials and substances.
- Regulated goods which includes air bags; batteries containing mercury; Freon or similar substances/refrigerants; chemical/industrial solvents; government uniforms; car titles; license plates; police badges and law enforcement equipment; lock-picking devices; pesticides; postage meters; recalled items; slot machines; surveillance equipment; goods regulated by government or other agency specifications.
- Online sale of tobacco and cigarettes through website which includes cigarettes, cigars, chewing tobacco, and related products.
- Traffic devices, which includes radar detectors/ jammers, license plate covers, traffic signal changers, and related products.
- Weapons, which includes firearms, ammunition, knives, brass knuckles, gun parts, and other armaments.
- Wholesale currency, which includes discounted currencies or crypto currencies, exchanges.
- Live animals or hides/skins/teeth, nails, and other parts etc of animals.
- Multi-Level Marketing schemes or Pyramid / Matrix sites or websites using a matrix scheme approach.
- Any intangible goods or services or aggregation/consolidation business.
- Work-at-home information
- Drop-shipped merchandise.
- Web-based telephony/ SMS/Text/Facsimile services or Calling Cards. Bandwidth or Data transfer/ allied services. Voice process /knowledge process services.
- Any product or service, which is not in compliance with all Applicable Laws and regulations of India.
Merchant On-boarding process
Merchants are on-boarded as per the following process:
Activity | Team |
Merchant sign-up/contract phase | |
1. Phi Commerce will solicit the Merchant and agree on the Scope of Service amongst other Terms like pricing and submit the same as part of a proposal. 2. On agreement by Merchant, Sales team share the contract along with Merchant Security Checklist. Sales team collect relevant documents (Sale and KYC Documents) in physical copies / scanned copies from the Merchant. These copies can either collected in Person or couriered to the Phi Commerce Head Office. Scanned copies of the KYC documents should be mailed to the designated email address onboarding@phicommerce.com 3. Physical copies of the forms and agreement needs to be couriered to the following address: Mr. Anil Sharma Phi Commerce Private Limited, Second Floor, Building Number 4, Commerzone, Samrat Ashok Path, Off Airport Road, Yerwada, Pune – 411 006 Maharashtra, India. 4. Merchant signs contract and provide compliance on Merchant security checklist. | Sales Team |
KYC and Risk Check | |
1. Risk team perform KYC checks. All mandatory documents applicable to type of the Merchant have to be provided by the Merchant. 2. In case of non-compliance on any items on Merchant security checklist or KYC failure Merchant is rejected | Risk Team |
Integration and Testing Phase | |
1. On successful KYC Integration Team is assigned to the Merchant. 2. The Project Manager sends the integration API Kit along with the Test MID to the Merchant and schedules an integration testing session after mutual discussion with the Merchant’s IT team. | Implementation Team |
Go-Live Phase | |
1. Once the testing is completed successfully, the Merchant is issued a Production MID and Login Credentials to the Merchant Dashboard are provided. This is subject to the following: a) Receipt of physical forms and agreement at Phi Commerce b) Successful completion of testing c) Successful updation of the T&C on the Merchant’s website | Implementation Team |
2. The Merchant is moved into Production and monitored for initial days | Transaction Monitoring Team |
3. Support helpdesk, support numbers, escalation matrix and chargeback process documents are published to the Merchant for day-to-day queries. | Support Team |
4. For all transactions processed, settlement is done into the Merchant’s nominated account and a settlement report is emailed. | Operations Team |
Note:
- KYC documents update and Security checklist compliance will be done on annual basis.
Merchant documentation
Following is a list of documents (mandatory and optional), which needs to be collected from the Merchant to establish Merchant Identity and KYC Checks.
Type of Merchant | List of documents to be collected |
Private Limited / Public Limited Company | General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. 2. Optional Documents: a. Purchase Order (Original, Date, Authorized signatory sign). KYC Documents: 1. Mandatory: a. Memorandum and Articles of Association b. Incorporation Certificate c. Company PAN / GST registration number d. A resolution from the Board of Directors and power of attorney granted to its managers, officers, or employees to transact on its behalf. Board Resolution to be signed by 2 Directors or the Company Secretary e. List of directors to be identified (For Pvt. Ltd. Only) f. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card) |
Government Entity (Including Company/Corporation/Department) | General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account 2. Optional Documents: a. Purchase Order (Original, Date, Authorized signatory sign). KYC Documents: 1. Mandatory Documents: a. Memorandum and Articles of Association b. Incorporation Certificate c. Company PAN / GST registration number d. A resolution from the Board of Directors and power of attorney granted to its managers, officers, or employees to transact on its behalf. Board Resolution to be signed by 2 Directors or the Company Secretary f. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card) |
Partnership | General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. 2. Optional Documents: a. Purchase Order (Original, Date, Authorized signatory sign). KYC Documents: 3. Mandatory: a. Registration Certificate b. Partnership Deed c. Company PAN / GST registration number d. Declaration of authorized signatory (On company letterhead signed by all partners) e. ID and Address Proof of all Partners (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card) |
Trust | General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. 2. Optional Documents: a. Purchase Order (Original, Date, Authorized signatory sign). KYC Documents: 3. Mandatory: a. Registration certificate b. Trust deed c. Permanent Account Number of the Trust d. Declaration of authorized signatory (On trust letterhead signed by all members) e. ID and Address Proof of all Partners/Trustees and Beneficial Owners (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card) |
Sole Proprietor | General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. 2. Optional Documents: a. Purchase Order (Original, Date, Authorized signatory sign). KYC Documents: 3. Mandatory: a. Proprietor PAN b. Proprietor Aadhaar c. GST registration number d. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card) |
Merchant covenants
The Merchant needs to do the following:
- Undertake as part of the contract that merchant does not have any mala fide intention of duping the customer and does not sell Fake / Counterfeit / Prohibited products.
- The Merchant’s website / app shall clearly indicate the terms and conditions of the service.
- The Merchant’s website / app needs to clearly indicate timelines for processing refunds and returns.
- Undertake that the Merchant will not store any customer payment related data like Card#, Internet Banking Username etc. on their website / app.
- The Merchant shall protect customer’s personal data and report any incident of data breach / fraud committed.
- The Merchant will submit prescribed document and basis the documents submitted; the following checks will be usually carried out:
- Verification of documents against MCA (Ministry of Corporate Affairs) Website
- PAN verification
A Merchant can be declined when any one of the following becomes true:
- Incomplete documents
- Website is not up and running or is a beta site.
- Digital certificates are invalid on the website.
- Physical verification fails.
- Documents submitted are not in order and correct documents are not received even on request.
- Indicated ticket size of transactions is abnormally high.
- Transaction size does not match with the pricing of goods/services mentioned on the website.
- International card acceptance.
- Goods / Services sold are from the restricted list as per Government of India.
- Merchant falls in the restricted MCC list
An approval needs to be taken from Chief Risk Officer for approving the merchant in case any of the above is true.
Merchant Security Checklist
The Merchant Security Checklist is used to ensure that the merchant is adhering to the following guidelines while using the PhiCommerce application.
SL | Area | Details | Compliant (Yes/No) |
1 | Secure Communication | ||
Https protocol to be followed with Phi Commerce Systems. | |||
SSL certificate is properly setup with full CA Chains with recommended TLS version. e.g. 1.2 and above will keep upgraded as per payments schemes | |||
Subscribed to web security newsletter and follow industry standards | |||
2 | Data Security | ||
Customer personal information is stored securely. | |||
PCI certified (applicable if planning to capture card details) | |||
If yes, to be submitted to Phi Commerce every year. | |||
Quarterly vulnerability assessment | |||
4 | Access control | Admin/Support access to systems hosting the merchant application allowed only from defined networks. | |
In case web console access is available, password policies are in place and enforce timely change of passwords. | |||
Implementation of 2FA (Two-Factor authentication) as an extra layer of security for web console access. | |||
5 | Infrastructure & Systems Security | systems are up-to date with latest security patches and reviewed quarterly | |
Vulnerability analysis is quarterly done and actions are taken in timely manner by self or third party if managed by third party vendor. | |||
Antivirus installed and in active scan in all systems that access the data center servers, merchant application/web servers. | |||
Data backup policies are in place in line with business needs. |
Copyright Information
Copyright 2016. Phi Commerce Private Limited (“PhiCommerce”). All rights reserved.
No part of this document may be reproduced, stored in retrieval form, adopted or transmitted in any form or by any means, electronic, mechanical, photographic, graphic, optic or otherwise, translated in any language or computer language, without prior written permission from PhiCommerce.
Disclaimer
This document has been prepared in accordance with the accepted techniques for definition of solution specifications at PhiCommerce. The information represented herein, has been gathered after studying market trends and inputs supplied by expert consultants. The representations and related information contained in the document reflect PhiCommerce’ best understanding of the business. However, PhiCommerce makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this document and the accompanying software package. Further, PhiCommerce reserves the right to alter, modify or otherwise change in any manner the content hereof, without the obligation to notify any person of such revision or changes.
Trademarks
PhiCommerce has made every effort to supply trademark information about company names, products, and services described in this document. All product and company names mentioned in this document may be trademarks or registered trademarks of their respective holders.
Contact
Phi Commerce Private Limited
Second Floor, Building No. 4, Commerzone, Samrat Ashok Path,
Off airport road, Yerwada
Pune 411 006
Maharashtra – India.
Publication Improvements Phi Commerce invites constructive comments on the contents of this document. Please send your comments to anil.sharma@phicommerce.com.