We build Next.js, Shopify, Laravel, Flutter, in Noida, India. Free 1-page audit, no obligation.
Get a free quote- The DPDP Act in 2026: A Practical Compliance Guide for Indian Websites and SaaSJuly 5, 2026
- From Excel to a CRM in 2026: When to Switch, and How to Move Without the ChaosJune 30, 2026
- What a Modern Sales CRM Should Do in 2026 (Inside BuildByRavi CRM)June 26, 2026
- Deploying a Web App to Production in 2026: Docker, CI/CD, and Zero-Downtime (Without the Overkill)June 24, 2026
- The two things you are actually choosing
- Gateway or aggregator: the distinction that trips people up
- UPI: the rail that changed everything
- Cards, netbanking, and wallets: the rest of the menu
- What it actually costs
- Recurring payments and autopay, the part everyone gets wrong
- Collecting from customers abroad
- The zero-MDR question everyone asks
- How we wire this up for clients
- A realistic checklist to go live
- Common questions about accepting payments in India
- Honest summary
How to Actually Accept Payments in India in 2026: UPI, Cards, Autopay, and What Each One Really Costs
Sooner or later, every business that sells anything online has to answer a boring but expensive question: how do we actually take the money? In India, that question has a stranger answer than almost anywhere else. We have a national instant-payment rail that is free to accept, a regulator that rewrote the rulebook for payment companies in 2025, recurring payments that do not work the way a founder coming from Stripe expects, and card rules that forbid you from storing a card number at all. Get the setup right and payments fade into the background. Get it wrong and you leak money on fees, fail half your subscription renewals, or sit on a compliance problem you did not know you had.
This is the practical version, written for founders who want to understand what they are paying for and for developers who have to wire it up. We will cover the options and what each one really costs, the difference between a payment gateway and an aggregator, how UPI and cards and autopay actually behave, how to collect from customers abroad, and a checklist to go live. One honest caveat first: payment rules in India change often, and this is practical guidance, not legal or financial advice. Where a number is likely to move, we say so. Most of this comes from wiring payments into client products in production rather than from reading circulars, though we have read our share of those too.
The two things you are actually choosing
It helps to separate two decisions that usually get muddled together. The first is who holds and settles your money, which is your payment aggregator, the company whose account collects from your customer and then pays out to your bank. The second is which payment methods you accept: UPI, credit and debit cards, netbanking, wallets, and so on. You pick one aggregator and, through it, switch on the methods you want. Almost every business gets both by signing up with a single provider like Razorpay, Cashfree, or PayU, so in practice the real decision is which aggregator, and the methods are just toggles you turn on.
Gateway or aggregator: the distinction that trips people up
People use 'payment gateway' as a catch-all, but the RBI draws a sharp line between two things. A payment gateway is pure technology: it routes and processes a transaction without ever touching the funds. A payment aggregator actually collects your customers' money into its own account and then settles it to you, which means it handles the float. Because it holds money, an aggregator has to be authorised by the RBI. A pure gateway does not.
As of 2026 the governing rulebook is the RBI (Regulation of Payment Aggregators) Directions, 2025, notified on 15 September 2025, which replaced the older 2020 guidelines and folded online, offline, and cross-border aggregators into one framework. The part that matters to you as a merchant is simple: an authorised aggregator must keep your collected funds in a segregated escrow account at a scheduled commercial bank, and can use that account only for settling payments. That escrow rule is the safeguard that stops a payment company from quietly spending your float. The good news is you do not need your own aggregator licence. That path involves a net worth of ₹15 crore rising to ₹25 crore and a serious compliance burden. You just need to pick an aggregator that already holds one.
UPI: the rail that changed everything
If you sell to Indian consumers, UPI is not optional. It is how most people pay, and for merchants the headline is remarkable: accepting a UPI payment is free. There is no merchant discount rate on UPI person-to-merchant payments, which we get into properly below.
Mechanically, you collect over UPI in a few ways, and your aggregator handles most of the plumbing. There is the QR code, static or dynamic, that a customer scans. There is the intent flow, where tapping a button on your checkout opens the customer's UPI app with the amount already filled in. And there are UPI deep links for sharing a payable link over WhatsApp or SMS. One change worth knowing if you build your own checkout: the older payer-facing 'collect' request, where the merchant pushes a request that pops up in the customer's app, is being phased out for most cases from early 2026 in favour of the intent and QR flows, which are faster and harder to abuse.
On limits: the standard UPI cap is ₹1 lakh per transaction for most payments. Certain verified merchant categories can go higher. Payments to hospitals and educational institutions were raised to ₹5 lakh back in December 2023, and from September 2025 the NPCI allowed verified merchants in a set of specific categories, such as capital markets, insurance, and travel, to accept up to ₹5 lakh per transaction as well. The exact per-category caps vary, and your bank or aggregator may set a lower internal limit, so if you sell high-value items, confirm the current limit for your own category rather than assuming ₹5 lakh.
Cards, netbanking, and wallets: the rest of the menu
UPI covers most consumer payments, but you will still want cards for higher-value purchases, corporate buyers, and anyone paying from abroad. Credit and debit cards, netbanking, and wallets all come as toggles on your aggregator. The one rule every developer needs to internalise here is about storing card details: you cannot. Since the RBI's card-on-file tokenisation mandate took effect on 1 October 2022, neither merchants nor aggregators may store a raw card number, CVV, or expiry date. What you store instead is a token, a meaningless stand-in that is unique to that card, that customer, and your business, generated with the cardholder's consent. In practice your aggregator does the tokenisation and you just keep the token. If you were ever tempted to save a card number in your own database to make repeat checkout smoother, do not. It is both against the rules and a security liability you never want to carry.
What it actually costs
Here is the part founders actually care about. The costs split cleanly by method:
- UPI and RuPay debit cards: zero. By law there is no merchant discount rate on these, so accepting them costs you nothing in transaction fees. This is the single biggest reason payments are cheaper to accept in India than almost anywhere.
- Credit cards: around 2%. Credit card MDR is not capped by the RBI and typically lands near 2% for domestic cards, negotiable once your volume is large.
- Debit cards other than RuPay: capped and small. The RBI caps debit card MDR at roughly 0.4% to 0.9% depending on merchant size, with a per-transaction rupee ceiling.
- Standard aggregator pricing: about 2% plus GST. Most aggregators quote a flat rate near 2% per successful transaction on domestic cards, netbanking, and wallets, with no setup fee and no annual maintenance on the standard plan. Add 18% GST on the fee itself, so an advertised 2% is closer to 2.36% all-in.
- International cards: up to 3%. Collecting from foreign cards costs more, commonly up to 3% plus GST.
Two things soften the fee. First, the 18% GST on your payment charges is generally claimable as input tax credit if your own sales are taxable, so for a GST-registered business the real cost is the fee, not the fee plus the tax. Second, because UPI is free and dominant, your blended cost of acceptance in India is usually far lower than a card-heavy business in the US or Europe would pay. On settlement, the money does not land instantly. The standard cycle is T+1, one banking day after the transaction, with cards often T+2, and most aggregators offer instant or same-day settlement for an extra fee. Under the 2025 Directions the aggregator holds your funds in escrow and settles on that cycle. If you invoice with GST, make sure your GST e-invoicing is wired to the actual settled amounts, not to the gross.
Recurring payments and autopay, the part everyone gets wrong
This is where founders coming from Stripe get surprised. In the US you save a card and quietly charge it every month. In India you cannot simply do that. Recurring payments run through the RBI's e-mandate framework, most commonly as UPI Autopay for consumers, and the rules are strict on purpose.
Setting up a mandate always requires the customer to authenticate once, with a UPI PIN or an OTP, the additional factor of authentication. After that, recurring debits run automatically, but only up to ₹15,000 per transaction without the customer re-authenticating each time. Above ₹15,000 the customer has to approve each debit. There is a higher no-authentication ceiling of ₹1 lakh for three specific categories: insurance premiums, mutual fund subscriptions, and credit card bill payments. On top of that, the bank must send the customer a pre-debit notification at least 24 hours before each charge, and the customer can cancel any single debit or the whole mandate. As of 2026 these rules sit inside the RBI's consolidated e-mandate framework, which pulled the older card, wallet, and UPI mandate circulars into one place, but the core numbers, ₹15,000, ₹1 lakh for the three categories, and the 24-hour notice, have been stable since 2023.
The practical upshot for a SaaS or subscription business: your billing has to be built around mandates and their limits, not around silently charging a card. You register a mandate, you handle the asynchronous confirmation and each debit through webhooks, and you reconcile carefully, which is exactly the kind of idempotent, callback-driven flow we wrote about in detail for Razorpay webhooks. If you are running a multi-tenant product, this billing logic usually lives in the same layer as the rest of your per-tenant billing.
Collecting from customers abroad
If you sell to customers outside India, whether that is a SaaS with global users or an exporter shipping goods, cross-border collection is its own regulated lane. It runs through the RBI's Payment Aggregator - Cross Border, or PA-CB, framework, first set out in a 2023 circular and now part of the 2025 Directions. Foreign currency lands in a dedicated export collection account and is converted and settled to you in rupees, with a per-transaction cap of ₹25 lakh.
The piece exporters miss is the paperwork that proves the money came in. For that you rely on a FIRC, or its digital form the FIRA, the foreign inward remittance certificate your bank issues, and the eBRC from the DGFT portal, which together prove that an export was realised. You need that proof for GST refunds on zero-rated exports and for any foreign-trade incentives. On providers, Razorpay, Cashfree, and PayU support international collection. PayPal shut its domestic India business back in 2021 and now works cross-border only, so it is an option for receiving from abroad but not for taking rupee payments at home. Stripe is worth flagging: it has been invite-only for new Indian businesses since around 2024, so do not assume you can just sign up. Verify its current status before you plan around it.
The zero-MDR question everyone asks
Founders often ask how UPI can possibly be free, and whether it will stay that way. The free part is law. Since 1 January 2020, merchant charges on UPI person-to-merchant payments and on RuPay debit cards have been prohibited, under provisions inserted into the Income-tax Act and the Payment and Settlement Systems Act. To offset the cost to banks, the government runs an incentive scheme for low-value UPI at small merchants.
Whether it stays free is a live debate. Through 2025 and into 2026, the payments industry pushed to bring back a small merchant fee on UPI for large merchants, arguing that free acceptance is not financially sustainable for the banks and networks that run the rail. The Finance Ministry publicly rejected reports of an imminent charge, and a parliamentary committee later suggested the government at least study a tiered model that would exempt small merchants and charge larger ones. As of mid-2026, nothing binding has changed: UPI remains free to accept. But this is the single most likely thing in this article to move, so if a lot of your margin depends on UPI staying free, keep an eye on it.
One genuine exception already exists. A RuPay credit card paid through UPI is a credit product, not a bank transfer, so it is not covered by the zero-MDR rule. Those transactions are free only up to ₹2,000, and above that they carry a merchant fee. It is a small slice of volume today, but worth knowing that your UPI acceptance is not uniformly free once credit-on-UPI is in the mix.
How we wire this up for clients
When we build payments into a product, the shape is almost always the same. We pick an aggregator based on the client's mix of UPI, cards, and international, integrate its APIs and SDKs, and put the real engineering effort into the parts that go wrong quietly. That means handling webhooks idempotently so a retried callback never double-credits an order, reconciling settled amounts against orders every day, and never storing a card number because the aggregator's token is all we keep. For subscriptions we build around e-mandates and their limits rather than fighting them. GST invoices are generated on the settled amount, and for exporters we make sure FIRC and eBRC are captured. Most of this lives on a Node.js backend where the webhook handling and reconciliation can be tested properly. None of it is exotic, but the difference between a payments integration that just works and one that quietly leaks money is entirely in these unglamorous details.
A realistic checklist to go live
If you are starting from zero, this is the order that works:
- Sign up with one aggregator and finish KYC. Pick Razorpay, Cashfree, or PayU based on your fees and the features you need. KYC and activation take a few days, so start early.
- Switch on UPI and cards first. UPI is free and covers most consumers, cards cover the rest. Add netbanking and wallets if your audience actually uses them.
- Build webhook handling and reconciliation. Treat every payment callback as something that might arrive twice or out of order, and reconcile settled money against your orders daily. This is the part that protects your revenue.
- Let the aggregator handle tokenisation. Never store raw card data. Keep only the token it gives you back.
- Wire GST invoicing to settled amounts. Invoice on what actually settled, not the gross, and claim input tax credit on your payment fees.
- If you bill recurring, set up e-mandates. Design around the ₹15,000 and ₹1 lakh limits and the 24-hour pre-debit notice, and process each debit through webhooks.
- If you sell abroad, add a cross-border provider. Use a PA-CB-enabled aggregator and capture FIRC and eBRC as your export proof.
- Test everything in sandbox first. Run success, failure, and retry cases before you take a single rupee live.
Common questions about accepting payments in India
Do I need my own payment aggregator licence to accept payments?
No. The RBI licence is for the company that holds and settles funds, which is your aggregator, not you. For virtually every business you sign up with an authorised aggregator like Razorpay, Cashfree, or PayU and use their licence and escrow setup. You would only need your own authorisation if you were building a platform that collects and settles money on behalf of other merchants, and that comes with a net worth requirement of ₹15 crore rising to ₹25 crore plus heavy compliance.
How much does it cost to accept online payments in India?
It depends on the method. UPI and RuPay debit cards are free by law. Credit cards run around 2%, and standard aggregator pricing is about 2% plus 18% GST on domestic transactions, with no setup or annual fee on most standard plans. International cards cost up to 3%. Because UPI is both free and the most-used method, most Indian businesses pay a much lower blended rate than a card-heavy business elsewhere would.
Can I charge a customer's card automatically every month like a US SaaS?
Not directly. India routes recurring payments through the RBI e-mandate framework, usually UPI Autopay. The customer authenticates once to set up the mandate, after which debits run automatically only up to ₹15,000 per transaction, or ₹1 lakh for insurance, mutual funds, and credit card bills, and the bank must notify them 24 hours before each charge. You build your billing around mandates, not around silently charging a saved card.
Is it true I cannot store customer card numbers?
Yes. Since October 2022 the RBI's tokenisation mandate forbids merchants and aggregators from storing raw card numbers, CVV, or expiry dates. Your aggregator replaces the card with a token that is useless to anyone else, and that token is all you keep. This is a good thing: it removes the single most dangerous piece of data from your servers.
How do I collect payments from customers outside India?
Through a cross-border aggregator under the RBI's PA-CB framework. Foreign currency settles to you in rupees, capped at ₹25 lakh per transaction, and you capture a FIRC or FIRA from your bank plus an eBRC from the DGFT portal as proof of the export, which you need for GST refunds and trade incentives. Razorpay, Cashfree, and PayU support this. PayPal works cross-border only, and Stripe has been invite-only for new Indian merchants, so check availability before planning around either.
Will UPI stay free for merchants?
As of mid-2026, yes, it is still free, and there is no notification changing that. But the industry has been pushing to reintroduce a small merchant fee on UPI for large merchants, and a parliamentary committee has suggested studying a tiered model. Nothing binding has happened yet, but this is the most likely rule in this space to change, so watch it if your margins lean heavily on free UPI.
Honest summary
Accepting payments in India comes down to a few clear ideas. You sign up with one authorised aggregator and switch on the methods you want, and you do not need your own licence. UPI is free and covers most consumers, cards cost around 2% and cannot be stored in raw form, and standard aggregator pricing is roughly 2% plus GST with settlement on a T+1 cycle. Recurring payments run through e-mandates with real limits and a 24-hour notice, so subscription billing has to be designed around them rather than bolted on. Selling abroad means a cross-border provider and some export paperwork. And the whole thing rewards boring engineering: idempotent webhooks, daily reconciliation, tokenised cards, and GST invoices on settled amounts. Get those right and payments become the part of your product you never have to think about again.
Setting up payments for a new product, or untangling a setup that is leaking money on fees or failing renewals? Message us on WhatsApp with what you are selling and who you are selling to, and we will tell you honestly which aggregator and which methods make sense, and what it will actually cost you.
We build payment flows into web and SaaS products the right way: the correct aggregator for your mix of UPI, cards, and international, webhooks handled idempotently so nothing double-charges, clean daily reconciliation, tokenised cards, e-mandates for subscriptions, and GST-ready invoicing on settled amounts. If you want payments that just work and do not quietly leak money, let us wire it up.
Talk to us about paymentsFounder of buildbyRaviRai, a freelance web development agency based in Noida, India. 5+ years shipping Next.js, WordPress, Shopify, and Laravel projects for clients in India, USA, Canada, and the UK.
Working with us in your city
Keep Reading
Google Ads vs Facebook Ads in India 2026: Which One Actually Makes Sense (and What It Really Costs)
Most wasted ad spend comes from using Google to do Facebook's job, or the other way around. Google captures demand that already exists; Meta creates demand among people who were not looking. This is the honest guide for Indian businesses: when each platform fits, real INR budgets and CPCs in 2026, the mistakes that quietly burn money, the setup that actually works, and whether you should run ads or SEO first.
GST E-Invoicing in India 2026: How IRN, the IRP API, and QR Codes Actually Work (A Developer's Guide)
E-invoicing is not 'generate a nicer PDF'. It is reporting each B2B invoice to a government portal (the IRP), getting back a signed IRN and QR code, and doing it inside the time limit. This is the developer-honest guide to how the IRP API works: the turnover threshold, the auth and encryption handshake, the invoice JSON schema, how the IRN is generated, the signed QR code, the 24-hour cancellation rule, and the mistakes that quietly break integrations.
Passkeys in 2026: How Passwordless Login Actually Works (and Why You Should Add It)
Passwords get reused, phished, and forgotten, and in India there is an extra tax: SMS OTP that costs money and fails on weak signal. Passkeys fix all of it. They are the passwordless standard built on WebAuthn, supported by every major browser and OS, and phishing-proof by design. This is the developer-honest guide to how passkeys actually work, what changes on your server, the gotchas, and when to add them.
REST API Design Best Practices 2026: How to Build APIs That Last
An API is a promise. Once a mobile app, a frontend, or a partner depends on yours, changing it is painful and breaking it is worse. The good news is that good API design is mostly a set of well-worn conventions, not genius. This is the practical guide to designing REST APIs in 2026: resource naming, using HTTP properly, versioning, auth, pagination, errors, idempotency, and the mistakes that haunt teams later.
Razorpay Webhooks Done Right (2026): Signature Verification, Idempotency, and Reconciliation
Most payment bugs are not in the checkout. They are in what happens after: a webhook verified on the wrong body, a retry that double-fulfills an order, or a payment that succeeds while the customer closes the tab and your database never hears about it. This is the developer-honest guide to handling Razorpay webhooks reliably, the source-of-truth mindset, signature verification on the raw body, idempotency, and reconciliation, so money never goes missing.