index Page

Introduction

This document outlines the Policy Document to be followed at QAX Tech (Qpay) for the following:

Merchant Identification and Onboarding Policy

This policy document will be updated whenever there is a change in the process initiated by Qpay or based on notifications from the Reserve Bank of India (RBI).

Definitions:

Merchants: Any business that employs Qpay’s services is referred to as a “Merchant.”
Processing Services: Services offered by the Qpay Platform.

Merchant Identification and Onboarding Policies

References

The policies framed here are based on the Reserve Bank of India’s circular for guidelines on the Regulation of Payment Aggregators and Payment Gateways. The guidelines are issued under Section 18, read with Section 10(2) of the Payment and Settlement Systems Act, 2007.

Customer/Merchant Identification Policy

Each prospective merchant engaged by Qpay can be divided into three categories:

Low-Risk Merchant
Medium-Risk Merchant
High-Risk Merchant

Qpay shall primarily engage with Merchants that fall under the Low-risk and Medium-risk categories. Approvals by the Chief Risk Officer will be required to engage and onboard a merchant from the high-risk category.

The RBI guidelines on the Regulation of Payment Aggregators and Payment Gateways and Master Direction – Know Your Customer are referred to for the definitions of the above categories.

Merchant Onboarding Policy / Customer Acceptance Policy

Qpay will onboard merchants that are in the low-risk and medium-risk categories. Merchants outside these two categories will need approval for onboarding from the Chief Risk Officer.
The RBI guidelines on the Regulation of Payment Aggregators and Payment Gateways and Master Direction – Know Your Customer are referred to for document details. Merchant risk categorization is done based on a matrix defined in the Operations process.
Qpay will strive to offer its processing services to Merchants only after performing the required KYC and Due Diligence checks. Any deviation will need to be authorized by the Chief Risk Officer from Qpay.
Qpay will not deny its processing services to valid Merchants who are socially disadvantaged.
Qpay will collect documents for the purpose of KYC from the Merchant that has to be onboarded on the Qpay Platform. The documents are collected to enable Qpay to undertake background and antecedent checks of the Merchants to ensure, on a best-effort basis, that such merchants do not have any malafide intentions of duping customers, selling fake/counterfeit prohibited products. The documents to be collected will be communicated to the Merchant and will depend on the constitution of the Merchant and can be broadly classified as:
Mandatory Documents
Optional Documents:These will be obtained after getting Merchant consent. If the Merchant submits these documents, then it is a deemed consent.
Besides other formalities like Purchase Orders, Agreements, etc., a Merchant can use Qpay Services only after successfully completing the KYC process performed by Qpay, unless the Chief Risk Officer has approved.
Adult goods and services, including pornography and other sexually suggestive materials (including literature, imagery, and other media); escort or prostitution services. Apparatus such as personal massagers/vibrators and sex toys and enhancements.
Online sale of alcohol through websites, which includes alcohol or alcoholic beverages such as beer, liquor, wine, or champagne.
Body parts, which includes organs or other body parts – live, cultured/preserved, or from cadaver.
Bulk marketing tools, which include email lists, software, or other products enabling unsolicited email messages (spam).
Cable TV descramblers and black boxes, which include devices intended to obtain cable and satellite signals for free.
Child pornography in any form.
Copyright unlocking devices, which include mod chips or other devices designed to circumvent copyright protection.
Copyrighted media, which includes unauthorized copies of books, music, movies, and other licensed or protected materials.
Copyrighted software, which includes unauthorized copies of software, video games, and other licensed or protected materials, including OEM or bundled software.
Counterfeit and unauthorized goods, which includes replicas or imitations of designer goods; items without a celebrity endorsement that would normally require such an association; fake autographs, counterfeit stamps, and other potentially unauthorized goods.
Drugs and drug paraphernalia, which includes illegal drugs and drug accessories, including herbal drugs like salvia and magic mushrooms.
Child pornography in any form.
Drug test circumvention aids, which include drug cleansing shakes, urine test additives, and related items.
Endangered species, which includes plants, animals, or other organisms (including product derivatives) in danger of extinction.
Gaming/gambling, which includes lottery tickets, sports bets, memberships/enrollment in online gambling sites, and related content.
Government IDs or documents, which includes fake IDs, passports, diplomas, and noble titles.
Hacking and cracking materials, which includes manuals, how-to guides, information, or equipment enabling illegal access to software, servers, websites, or other protected property.
Illegal goods, which includes materials, products, or information promoting illegal goods or enabling illegal acts.
Offensive goods, which include literature, products, or other materials that: a) Defame or slander any person or group based on race, ethnicity, national origin, religion, sex, or other factors. b) Encourage or incite violent acts. c) Promote intolerance or hatred.
Offensive goods, crime which includes crime scene photos or items, such as personal belongings, associated with criminals.
Prescription drugs or herbal drugs or any kind of online pharmacies, which includes drugs or other products requiring a prescription by a recognized and licensed medical practitioner in India or anywhere else.
Pyrotechnic devices and hazardous materials, which includes fireworks and related goods; toxic, flammable, and radioactive materials and substances.
Regulated goods, which includes air bags; batteries containing mercury; Freon or similar substances/refrigerants; chemical/industrial solvents; government uniforms; car titles; license plates; police badges and law enforcement equipment; lock-picking devices; pesticides; postage meters; recalled items; slot machines; surveillance equipment; goods regulated by government or other agency specifications.
Online sale of tobacco and cigarettes through websites, which includes cigarettes, cigars, chewing tobacco, and related products.
Traffic devices, which includes radar detectors/jammers, license plate covers, traffic signal changers, and related products.
Weapons, which includes firearms, ammunition, knives, brass knuckles, gun parts, and other armaments.
Wholesale currency, which includes discounted currencies or cryptocurrencies, exchanges.
Live animals or hides/skins/teeth, nails, and other parts, etc., of animals.
Multi-Level Marketing schemes or Pyramid/Matrix sites or websites using a matrix scheme approach.
Any intangible goods or services or aggregation/consolidation business.
Work-at-home information.
Drop-shipped merchandise.
Web-based telephony/SMS/Text/Facsimile services or Calling Cards. Bandwidth or Data transfer/allied services. Voice process/knowledge process services.
Any product or service, which is not in compliance with all Applicable Laws and regulations of India.

Merchant Onboarding Process

Merchants are onboarded as per the following process:

Activity	Team
Merchant Categories	1. Qpay will solicit the Merchant and agree on the Scope of Service among other Terms like pricing and submit the same as part of a proposal. 2. On agreement by Merchant, the Sales team shares the contract along with the Merchant Security Checklist. The sales team collects relevant documents (Sale and KYC Documents) in physical copies/scanned copies from the Merchant. These copies can either be collected in person or couriered to the Qpay Head Office. Scanned copies of the KYC documents should be mailed to the designated email address onboarding@queepay.com. 3. Physical copies of the forms and agreement need to be couriered to the following address:Mr. Ram,Qpay (QAX Tech Private Limited),H- 28, Ponvizha Nagar, Tirunelveli-6270 4. The merchant signs the contract and provides compliance on the Merchant security checklist.
KYC and Risk Check	1. The Risk team performs KYC checks. All mandatory documents applicable to the type of the Merchant have to be provided by the Merchant. 2. In case of non-compliance on any items on the Merchant security checklist or KYC failure, the Merchant is rejected.
Integration and Testing Phase	1. On successful KYC, the Integration Team is assigned to the Merchant. 2. The Project Manager sends the integration API Kit along with the Test MID to the Merchant and schedules an integration testing session after mutual discussion with the Merchant’s IT team.
Go-Live Phase	1. Once the testing is completed successfully, the Merchant is issued a Production MID and Login Credentials to the Merchant Dashboard are provided. This is subject to the following: a) Receipt of physical forms and agreement at Qpay. b) Successful completion of testing. c) Successful upd

ation of the T&C on the Merchant’s website. | Implementation Team |

| | 2. The Merchant is moved into Production and monitored for initial days. | Transaction Monitoring Team |

| | 3. Support helpdesk, support numbers, escalation matrix, and chargeback process documents are published to the Merchant for day-to-day queries. | Support Team |

| | 4. For all transactions processed, settlement is done into the Merchant’s nominated account and a settlement report is emailed. | Operations Team |

Note:

KYC documents update and Security checklist compliance will be done on an annual basis.

Merchant Documentation

The following is a list of documents (mandatory and optional), which need to be collected from the Merchant to establish Merchant Identity and KYC Checks.

Type of Merchant	List of Documents to be Collected
Private Limited / Public Limited Company	General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. KYC Documents: 1. Mandatory Documents: a. Memorandum and Articles of Association b. Incorporation Certificate c. Company PAN / GST registration number d. A resolution from the Board of Directors and power of attorney granted to its managers, officers, or employees to transact on its behalf. Board Resolution to be signed by 2 Directors or the Company Secretary. e. List of directors to be identified (For Pvt. Ltd. Only) f. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)
Government Entity (Including Company/Corporation/Department)	General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. KYC Documents: 1. Mandatory Documents: a. Memorandum and Articles of Association b. Incorporation Certificate c. Company PAN / GST registration number d. A resolution from the Board of Directors and power of attorney granted to its managers, officers, or employees to transact on its behalf. Board Resolution to be signed by 2 Directors or the Company Secretary. e. List of directors to be identified (For Pvt. Ltd. Only) f. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)
Partnership	General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. KYC Documents: 1. Mandatory Documents: a. Memorandum and Articles of Association b. Incorporation Certificate c. Company PAN / GST registration number d. Declaration of authorized signatory (On company letterhead signed by all partners) e. ID and Address Proof of all Partners (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)
Trust	General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. KYC Documents: 1. Mandatory Documents: a. Registration certificate b. Trust deed c. Permanent Account Number of the Trust d. Declaration of authorized signatory (On trust letterhead signed by all members) e. ID and Address Proof of all Partners/Trustees and Beneficial Owners (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)
Sole Proprietor	General Documents: 1. Mandatory Documents: a. Merchant Contract (Signed and stamped). b. Cancelled Cheque / Bank account details and IFSC code issued against the Bank Account. KYC Documents: 1. Mandatory Documents: a. Proprietor PAN b. Proprietor Aadhaar c. GST registration number d. Authorized signatory ID and Address Proof (Self Attested copy of PAN Card and Passport / Driving License / XML of Aadhaar Card)

Merchant Covenants

The Merchant needs to do the following:

Undertake as part of the contract that the merchant does not have any malafide intention of duping the customer and does not sell Fake/Counterfeit/Prohibited products.
The Merchant’s website/app shall clearly indicate the terms and conditions of the service.
The Merchant’s website/app needs to clearly indicate timelines for processing refunds and returns.
Undertake that the Merchant will not store any customer payment-related data like Card#, Internet Banking Username, etc., on their website/app.
The Merchant shall protect the customer’s personal data and report any incident of data breach/fraud committed.

The Merchant will submit prescribed documents, and based on the documents submitted, the following checks will usually be carried out:

Verification of documents against MCA (Ministry of Corporate Affairs) Website
PAN verification

A Merchant can be declined when any one of the following becomes true:

Incomplete documents
Website is not up and running or is a beta site.
Digital certificates are invalid on the website.
Physical verification fails.
Documents submitted are not in order, and correct documents are not received even on request.
Transaction size does not match with the pricing of goods/services mentioned on the website.
International card acceptance.
Goods/Services sold are from the restricted list as per the Government of India.
Merchant falls in the restricted MCC list.

Merchant Security Checklist

The Merchant Security Checklist is used to ensure that the merchant adheres to the following guidelines while using the Qpay application.

Sl	Area	Details
1	Secure Communication	Https protocol to be followed with Qpay Systems. SSL certificate is properly set up with full CA Chains with the recommended TLS version. e.g. 1.2 and above will keep upgraded as per payments schemes. Subscribed to web security newsletter and follow industry standards.
2	Data Security	Customer personal information is stored securely. PCI certified (applicable if planning to capture card details). If yes, to be submitted to Qpay every year. Quarterly vulnerability assessment.
3	Access Control	Admin/Support access to systems hosting the merchant application allowed only from defined networks. In case web console access is available, password policies are in place and enforce timely change of passwords. Implementation of 2FA (Two-Factor authentication) as an extra layer of security for web console access.
4	Infrastructure & Systems Security	Systems are up-to-date with the latest security patches and reviewed quarterly. Vulnerability analysis is done quarterly and actions are taken in a timely manner by self or third party if managed by third-party vendor. Antivirus installed and in active scan in all systems that access the data center servers, merchant application/web servers. Data backup policies are in place in line with business needs.

Copyright Information

No part of this document may be reproduced, stored in retrieval form, adopted, or transmitted in any form or by any means, electronic, mechanical, photographic, graphic, optic, or otherwise, translated into any language or computer language, without prior written permission from Qpay.

Disclaimer

This document has been prepared in accordance with the accepted techniques for the definition of solution specifications at Qpay. The information represented herein has been gathered after studying market trends and inputs

supplied by expert consultants. The representations and related information contained in the document reflect Qpay’s best understanding of the business. However, Qpay makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this document and the accompanying software package. Further, Qpay reserves the right to alter, modify, or otherwise change in any manner the content hereof, without the obligation to notify any person of such revision or changes.

Trademarks

Qpay has made every effort to supply trademark information about company names, products, and services described in this document. All product and company names mentioned in this document may be trademarks or registered trademarks of their respective holders.

Contact

Qpay (QAX Tech Private Limited)

H- 28, Ponvizha Nagar, Tirunelveli-627007

India.

Publication Improvements

Qpay invites constructive comments on the contents of this document. Please send your comments to ram@queepay.com.

Please review and make any necessary adjustments to fit the specific practices and needs of Qpay.