Merchant Onboarding Policy
Introduction:
Phi Commerce has framed the Merchant Onboarding policy based on Reserve Bank of India’s (RBI) Master Direction – Know Your Customer (KYC) (DBR.AML.BC. No.81/14.01.001/2015-16) dated February 25, 2016 covering Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) and obligations under PMLA, 2002.
This policy aims to prevent the misuse of Phi Commerce’s platform intentionally or unintentionally, for money laundering or terrorist funding activities. KYC procedures will enable Phi Commerce to know and understand its Merchants comprehensively, facilitating prudent risk management.
The Merchant Onboarding policy comprises four key elements:
- Customer Acceptance
- Customer Identification Procedures (CIP)
- Risk Management
- Transaction Monitoring
Customer Acceptance:
- Phi Commerce will ensure that no merchant is onboarded under a benami, fictitious or anonymous name.
- No merchant shall be onboarded where Phi Commerce is unable to apply Customer Due Diligence (CDD) measures.
- No merchant shall be allowed to transact using Phi Commerce aggregator services without completing the prescribed due diligence procedures, which include collection and verification of Know Your Customer (KYC) details.
- Phi Commerce will use the Merchant Identification (MID) as the Unique Customer Identification Code.
- Phi Commerce will not enter into any business relationship with merchants appearing on the sanctions lists circulated by the RBI and other relevant authorities.
Customer Identification:
- Phi Commerce will obtain the mandatory KYC documentation while onboarding the merchant and during periodic updates (see Annexure I).
- Phi Commerce will screen merchants against sanctions lists to ensure that merchant identities do not match individuals or entities on those lists.
- Identification documents such as PAN, GST registration and Aadhaar shall be verified against the verification facility of the issuing authority.
- The merchant's website will be reviewed to confirm that it displays all required policies.
- If a bank refers a merchant holding an active account at that same bank, Phi Commerce will follow clause 4.2 of RBI circular RBI/2020-21/117 dated 31st March 2021 for settlement.
Risk Management:
- Phi Commerce will categorize merchants as low, medium or high risk based on a risk assessment of the merchant.
- Risk categorization shall be based on submission of all required documents by the merchant, verification of those documents, the merchant's constitution, location of business, nature of business activity, chargeback risk, and other relevant parameters.
- The risk categorization will be kept confidential and not disclosed to the merchant.
- Phi Commerce will take all reasonable steps, as specified in sub-rule (3) of Rule 9 of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, to verify the identity of the beneficial owner(s).
- Listed entities are exempt from beneficial owner identification, as they are subject to regulatory oversight and transparency requirements that reduce the risk of money laundering or terrorist financing.
- For trust, nominee or fiduciary accounts, Phi Commerce will determine whether the customer is acting on behalf of another person.
- Phi Commerce may conduct Contact Point Verification to confirm merchant authenticity.
- Merchants are responsible for maintaining a secure website environment and will submit regular Security Checklist reports to confirm adherence (see Annexure II).
- Phi Commerce will not sign up businesses that fall under the banned lines of business (see Annexure III).
Transaction Monitoring:
- Phi Commerce will undertake ongoing due diligence of merchants to ensure that their transactions are consistent with the merchant's business and risk profile.
- Transactions that exceed the thresholds prescribed for specific categories of merchants shall be monitored.
- High-risk merchants undergo intensive monitoring. Merchant risk categorization is reviewed twice a year.
Periodic Updation of KYC:
Phi Commerce shall adopt a risk-based approach for periodic updation of KYC ensuring that merchant data held with them is kept up to date.
The frequency of updation of KYC shall be based on the risk category of the merchant as follows:
| Risk Category | Update Frequency |
|---|---|
| High | 2 years |
| Medium | 8 years |
| Low | 10 years |
Merchants who fail to update KYC within the prescribed timeline will be subject to restriction of services.
Record Retention:
- KYC and transaction records shall be retained for at least 10 years, or such longer period as the regulator specifies from time to time, from the date of cessation of transactions between the merchant and Phi Commerce.
- Records of all suspicious transactions must be preserved. The information to be preserved includes:
  - Nature of the transaction
  - Amount of the transaction and currency
  - Date of the transaction
  - Parties to the transaction
- Records of the identity and address of the parties involved, and records of the transactions themselves, shall be maintained in hard or soft copy.
Reporting Requirements to Financial Intelligence Unit-India:
- Phi Commerce reports all identified suspicious transactions on the FIU-IND portal. The Principal Officer is responsible for ensuring compliance, monitoring transactions, and sharing and reporting information as required under applicable law and regulations.
- The frequency of reporting to FIU-IND will be aligned with regulatory expectations.
Policy Review and Update:
- This policy will be reviewed annually, or if there are any changes or updates to the RBI guidelines, to ensure its continued relevance and effectiveness.
- The review process will be initiated by the Compliance Officer and approved by the Board.
Annexure I:
Merchant documentation
Following is a list of documents (mandatory and optional), which are to be collected from the Merchant to establish Merchant Identity.
Type of Merchant: Private Limited / Public Limited Company
General Documents:
1. Mandatory Documents:
   a. Merchant Contract (signed and stamped).
   b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account.
2. Optional Documents:
   a. Purchase Order (original, dated, signed by the authorized signatory).
KYC Documents:
1. Mandatory:
   a. Memorandum and Articles of Association
   b. Incorporation Certificate
   c. Company PAN / GST registration number
   d. A resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf. The Board Resolution is to be signed by 2 Directors or the Company Secretary.
   e. List of directors and Beneficial Owners to be identified (for Pvt. Ltd. only)
   f. Authorized signatory ID and Address Proof (self-attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)

Type of Merchant: Government Entity (including Company / Corporation / Department)
General Documents:
1. Mandatory Documents:
   a. Merchant Contract (signed and stamped).
   b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account.
2. Optional Documents:
   a. Purchase Order (original, dated, signed by the authorized signatory).
KYC Documents:
1. Mandatory Documents:
   a. Memorandum and Articles of Association
   b. Incorporation Certificate
   c. Company PAN / GST registration number
   d. A resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf. The Board Resolution is to be signed by 2 Directors or the Company Secretary.
   e. Authorized signatory ID and Address Proof (self-attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)

Type of Merchant: Partnership
General Documents:
1. Mandatory Documents:
   a. Merchant Contract (signed and stamped).
   b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account.
2. Optional Documents:
   a. Purchase Order (original, dated, signed by the authorized signatory).
KYC Documents:
1. Mandatory:
   a. Registration Certificate
   b. Partnership Deed
   c. Company PAN / GST registration number
   d. Declaration of authorized signatory (on company letterhead, signed by all partners)
   e. ID and Address Proof of all Partners (self-attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)

Type of Merchant: Trust / Association
General Documents:
1. Mandatory Documents:
   a. Merchant Contract (signed and stamped).
   b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account.
2. Optional Documents:
   a. Purchase Order (original, dated, signed by the authorized signatory).
KYC Documents:
1. Mandatory:
   a. Registration Certificate
   b. Trust Deed
   c. Permanent Account Number of the Trust
   d. Declaration of authorized signatory (on trust letterhead, signed by all members)
   e. ID and Address Proof of all Partners/Trustees and Beneficial Owners (self-attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)

Type of Merchant: Sole Proprietor
General Documents:
1. Mandatory Documents:
   a. Merchant Contract (signed and stamped).
   b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account.
2. Optional Documents:
   a. Purchase Order (original, dated, signed by the authorized signatory).
KYC Documents:
1. Mandatory:
   a. Proprietor PAN
   b. Proprietor Aadhaar and Udyam Aadhaar
   c. GST registration number
   d. Authorized signatory ID and Address Proof (self-attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)
Annexure II:
MERCHANT SECURITY CHECKLIST
The merchant security checklist is requested from merchants to ensure they adhere to best practices for protecting cardholder data and maintaining compliance with security standards.
| Sr. No. | Compliance Area | Yes/No/NA | Remarks |
|---|---|---|---|
| | Before Installing a System | | |
| 1. | Do you change the vendor/OEM default settings before installing the system that integrates with the Phi Commerce Payment Gateway? | | |
| 2. | Do you remove or disable unnecessary default accounts before installation? | | |
| | System Security | | |
| 3. | Do you install vendor/OEM-provided security patches to protect the system components integrated with the Phi Commerce Payment Gateway from known vulnerabilities? | | |
| 4. | Do you install critical security patches within one month of their release? | | |
| | User Access Management | | |
| 5. | Is each user assigned a unique ID before they can access system components or cardholder data in your system? | | |
| 6. | Do you immediately deactivate or remove access for any terminated user? | | |
| 7. | Besides a unique ID, is one or more of the following methods used to authenticate users: password or passphrase; token device or smart card; biometric data? | | |
| | Password Management | | |
| 8. | Are user passwords configured to meet the following criteria: minimum length of seven characters; contains both numbers and letters; or, alternatively, equivalent complexity and strength? | | |
| | Account Management | | |
| 9. | Are group, shared or generic accounts prohibited as follows: generic user IDs and accounts are disabled or removed; shared user IDs for system administration and other critical functions do not exist; shared and generic user IDs are not used to administer any system components? | | |
| | Media Security | | |
| 10. | Do you securely store and protect all media (physical and digital) from unauthorised access? | | |
| 11. | Do you classify media according to the sensitivity of the data and enforce strict controls over its distribution? | | |
| 12. | Do you obtain management approval before distributing media, and send media using secure, trackable methods? | | |
| 13. | Do you destroy media securely when it is no longer needed? | | |
| | Service Provider Management | | |
| 14. | Do you maintain a list of service providers and the services you obtain from them? | | |
| 15. | Do you have a defined process for engaging service providers, including due diligence and agreements? | | |
| 16. | Do you store card data? Do you hold PCI DSS certification? | | |
| | Access Control | | |
| 17. | Is access control, both logical and physical, managed for systems and applications that store card data? How is it managed? | | |
| | Incident Response | | |
| 18. | Is there an incident response plan in place to be executed in the event of a system breach? | | |
| | Application Security | | |
| 19. | Do all your applications run over HTTPS? | | |
| 20. | Is the TLS (SSL) certificate properly installed with the full CA chain, and is a recommended TLS version (1.2 or above) enforced? | | |
| 21. | Are quarterly vulnerability assessments conducted? | | |
| 22. | Have the encryption keys been rotated within the past year? | | |
| | Endpoint Security | | |
| 23. | Are all servers, endpoints and applications protected by anti-malware solutions? | | |
| 24. | Is there a defined data backup and restoration policy, and are regular backups and restoration tests conducted? | | |
| 25. | Is data encrypted at rest and in transit? Specify the encryption used. | | |
| | Personnel Verification | | |
| 26. | Are background verification checks performed for all personnel with access to the application and data? | | |
| | Security Reviews | | |
| 27. | Is any third-party security review conducted? | | |
| 28. | Are you certified against ISO 27001 or SOC 2? | | |
| | Change Management | | |
| 29. | Are all changes to the application or IT environment reviewed and approved by the security team as part of the change management process? | | |
Glossary
- Vendor-Supplied Defaults: These are the default settings or configurations provided by the vendor (Supplier / OEM) when a system or software is first installed. Changing these defaults is crucial for security.
- Default Accounts: Pre-configured user accounts that come with a system or software. These should be removed or disabled to prevent unauthorized access.
- Security Patches: Updates provided by software vendors to fix known vulnerabilities or security issues in their products. Installing these patches helps protect the system from attacks.
- Critical Security Patches: Important updates that address severe security vulnerabilities. These should be installed promptly to ensure the system remains secure.
- Unique ID: A distinct identifier assigned to each user to ensure that access to system components or data can be tracked and managed individually.
- Authentication: The process of verifying the identity of a user. This can involve something the user knows (password), something they have (token or smart card), or something they are (biometric data).
- Biometric: A method of authentication that uses unique physical characteristics of a person, such as fingerprints or facial recognition.
- Group, Shared, or Generic Accounts: Accounts that are used by multiple users. These are discouraged because they make it difficult to track individual user actions.
- Media: Any physical or electronic storage device that holds data, such as computers, USB drives, paper documents, etc.
- PCI DSS: Payment Card Industry Data Security Standard. A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
- HTTPS Protocol: Hypertext Transfer Protocol Secure. A secure version of HTTP, used to encrypt data transmitted between a user’s browser and a website.
- SSL Certificate: Secure Sockets Layer certificate. The common name for the X.509 server certificate that authenticates the identity of a website and enables encryption of traffic to it. The name persists although the SSL protocol itself is deprecated; in practice the certificate is used with TLS.
- TLS: Transport Layer Security. The protocol that provides confidentiality and integrity for communications between applications and their users on the internet. TLS 1.2 and above are recommended; TLS 1.0 and 1.1 are deprecated and should be disabled.
- Vulnerability Assessment: A process of identifying, quantifying, and prioritizing vulnerabilities in a system. Conducting these assessments regularly helps in maintaining security.
- 2FA (Two-Factor Authentication): An additional layer of security that requires not only a password and username but also something that only the user has on them, such as a token or a mobile device.
- Anti-Malware Security Solutions: Software designed to detect, prevent, and remove malicious software (malware) from computers and networks.
- Data Backup and Restoration Policy: Guidelines and procedures for regularly backing up data and restoring it in case of data loss or corruption.
- Encryption: The process of converting data into a code to prevent unauthorized access. Data at rest (stored data) and data in transit (data being transmitted) should be encrypted.
- Logical and Physical Access Control: Measures to control who can access systems and data (logical) and who can physically access hardware and storage devices (physical).
- Background Verification Check: A process of verifying the background of personnel to ensure they are trustworthy and do not pose a security risk.
- Third-Party Security Review: An independent assessment conducted by an external organization to evaluate the security measures in place.
- ISO27001: An international standard for managing information security. Certification indicates that an organization follows best practices for information security management.
- SOC-2: Service Organization Control 2. A certification that indicates an organization has controls in place to protect customer data, particularly in the areas of security, availability, processing integrity, confidentiality, and privacy.
- Change Management Process: A structured approach to managing changes to systems and applications, ensuring that all changes are reviewed and approved to maintain security and stability.
Annexure III:
Phi Commerce will not sign up Businesses that fall under the banned list which is as follows:
- Adult goods and services, which include pornography and other sexually suggestive materials (including literature, imagery and other media); escort or prostitution services; and apparatus such as personal massagers/vibrators, sex toys and enhancements.
- Online sale of alcohol through a website, which includes alcohol or alcoholic beverages such as beer, liquor, wine or champagne.
- Body parts, which includes organs or other body parts – live, cultured/preserved or from cadaver.
- Bulk marketing tools which include email lists, software, or other products enabling unsolicited email messages (spam)
- Cable TV descramblers and black boxes which includes devices intended to obtain cable and satellite signals for free
- Child pornography in any form.
- Copyright unlocking devices which include Mod chips or other devices designed to circumvent copyright protection
- Copyright media, which includes unauthorized copies of books, music, movies, and other licensed or protected materials
- Copyrighted software which includes unauthorized copies of software, video games and other licensed or protected materials, including OEM or bundled software
- Counterfeit and unauthorized goods which include replicas or imitations of designer goods; items without celebrity endorsement that would normally require such an association; fake autographs, counterfeit stamps, and other potentially unauthorized goods
- Drugs and drug paraphernalia, which includes illegal drugs and drug accessories, including herbal drugs such as salvia and magic mushrooms
- Drug test circumvention aids which include drug cleansing shakes, urine test additives, and related items
- Endangered species, which include plants, animals or other organisms (including product derivatives) which are in danger of extinction.
- Gaming/gambling which includes lottery tickets, sports bets, memberships/ enrollment in online gambling sites, and related content.
- Government IDs or documents which include fake IDs, passports, diplomas, and noble titles
- Hacking and cracking materials which include manuals, how-to guides, information, or equipment enabling illegal access to software, servers, websites, or other protected property
- Illegal goods which include materials, products, or information promoting illegal goods or enabling illegal acts
- Miracle cures which include unsubstantiated cures, remedies or other items marketed as quick health fixes
- Offensive goods which include literature, products or other materials that: a) Defame or slander any person or groups of people based on race, ethnicity, national origin, religion, sex, or other factors b) Encourage or incite violent acts c) Promote intolerance or hatred.
- Offensive goods, crime which includes crime scene photos or items, such as personal belongings, associated with criminals
- Prescription drugs or herbal drugs or any kind of online pharmacies which includes drugs or other products requiring a prescription by a recognized and licensed medical practitioner in India or anywhere else.
- Pyrotechnic devices and hazardous materials which include fireworks and related goods; toxic, flammable, and radioactive materials and substances
- Regulated goods which include air bags; batteries containing mercury; Freon or similar substances/refrigerants; chemical/industrial solvents; government uniforms; car titles; license plates; police badges and law enforcement equipment; lock-picking devices; pesticides; postage meters; slot machines; surveillance equipment; goods regulated by government or other agency specifications
- Online sale of tobacco and cigarettes through a website, which includes cigarettes, cigars, chewing tobacco and related products
- Traffic devices, which include radar detectors/ jammers, license plate covers, traffic signal changers, and related products
- Weapons or firearms, ammunition, knives, brass knuckles, gun parts, and other armaments
- Wholesale currency, which includes discounted currencies, cryptocurrencies and currency exchanges
- Live animals or hides/skins/teeth, nails and other parts etc. of animals.
- Multi-Level Marketing schemes or Pyramid / Matrix sites or websites using a matrix scheme approach
- Any intangible goods or services or aggregation/consolidation business.
- Work-at-home information
- Drop-shipped merchandise
- Web-based telephony / SMS / text / facsimile services or calling cards; bandwidth or data transfer and allied services; voice process / knowledge process services.
- Any product or service, which is not in compliance with all Applicable Laws and regulations of India.