Skip to content
Ubikon Technologies
Back to Blog
๐Ÿ’ฐ
Fintech
7 min read
March 27, 2026

Building Secure Payment Gateways in India: Developer Guide 2026

How to build and integrate secure payment gateways in India. UPI, Razorpay, PhonePe, PCI DSS compliance, and payment security best practices.

UT

Ubikon Team

Fintech Development Experts

Building secure payment gateways in India involves integrating payment processing capabilities โ€” UPI, cards, net banking, wallets, and EMI โ€” into applications while maintaining PCI DSS compliance, RBI data localization requirements, and robust fraud prevention mechanisms. At Ubikon, we have built payment integrations for fintech startups, e-commerce platforms, and SaaS products processing crores in monthly transactions across India.

Key Takeaways

  • UPI processes 14 billion+ transactions monthly in India โ€” it is the non-negotiable payment method for any Indian application
  • PCI DSS compliance is mandatory for storing card data; using tokenized payment gateways (Razorpay, Stripe) eliminates most compliance burden
  • RBI mandates data localization โ€” payment data must be stored on servers within India
  • Payment integration costs INR 1โ€“5 lakh depending on the number of payment methods and complexity of reconciliation
  • Fraud prevention must be built from day one โ€” 3D Secure, velocity checks, and device fingerprinting are essential

India Payment Landscape 2026

Payment Method Market Share

<table> <thead> <tr> <th>Method</th> <th>Market Share</th> <th>Avg. Transaction</th> <th>Settlement Time</th> </tr> </thead> <tbody> <tr> <td>UPI</td> <td>65%</td> <td>INR 1,500</td> <td>Instant</td> </tr> <tr> <td>Cards (Debit/Credit)</td> <td>15%</td> <td>INR 5,000</td> <td>T+1 to T+3</td> </tr> <tr> <td>Net Banking</td> <td>8%</td> <td>INR 10,000</td> <td>T+1 to T+3</td> </tr> <tr> <td>Wallets</td> <td>5%</td> <td>INR 800</td> <td>T+1</td> </tr> <tr> <td>EMI / BNPL</td> <td>4%</td> <td>INR 15,000</td> <td>T+3 to T+7</td> </tr> <tr> <td>Cash on Delivery</td> <td>3%</td> <td>INR 2,000</td> <td>On delivery</td> </tr> </tbody> </table>

Payment Gateway Providers Comparison

<table> <thead> <tr> <th>Provider</th> <th>UPI Fee</th> <th>Card Fee</th> <th>Settlement</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>Razorpay</td> <td>0% (under INR 2K)</td> <td>2%</td> <td>T+2</td> <td>Startups, SaaS, e-commerce</td> </tr> <tr> <td>PhonePe (PG)</td> <td>0%</td> <td>1.95%</td> <td>T+1</td> <td>UPI-heavy businesses</td> </tr> <tr> <td>Cashfree</td> <td>0%</td> <td>1.95%</td> <td>T+1</td> <td>Marketplaces, payouts</td> </tr> <tr> <td>PayU</td> <td>0%</td> <td>2%</td> <td>T+2</td> <td>Enterprise, large merchants</td> </tr> <tr> <td>Stripe (India)</td> <td>2%</td> <td>2%</td> <td>T+2</td> <td>Global SaaS, subscriptions</td> </tr> </tbody> </table>

Implementation Architecture

Basic Payment Flow

  1. Customer selects items and proceeds to checkout
  2. Your server creates a payment order via gateway API
  3. Customer is redirected to payment page (or sees inline widget)
  4. Customer completes payment (UPI, card, etc.)
  5. Gateway sends webhook to your server confirming payment
  6. Your server verifies the webhook signature and updates order status
  7. Customer sees confirmation page

Secure Architecture Pattern

Customer Browser
    โ†“ (HTTPS)
Your Frontend (Next.js)
    โ†“ (API call)
Your Backend (Express/Node.js)
    โ†“ (Server-to-server API)
Payment Gateway (Razorpay/PhonePe)
    โ†“ (Webhook callback)
Your Backend โ†’ Update DB โ†’ Notify Customer

Critical rule: Never pass payment amounts from the frontend. Always calculate totals on the server and send them to the payment gateway from the backend. The frontend should only send cart item IDs.

Security Best Practices

PCI DSS Compliance

If you use a hosted payment page (Razorpay Checkout, Stripe Elements), you fall under PCI DSS SAQ-A โ€” the lightest compliance level. Never build your own card form unless you are prepared for full PCI DSS Level 1 compliance.

Webhook Signature Verification

Always verify that webhooks come from your payment gateway. Every major gateway signs webhooks with HMAC-SHA256.

// Razorpay webhook verification pattern
const expectedSignature = crypto
  .createHmac('sha256', webhookSecret)
  .update(requestBody)
  .digest('hex');

if (expectedSignature !== receivedSignature) {
  throw new Error('Invalid webhook signature');
}

Idempotency

Payment operations must be idempotent. If a webhook is delivered twice (which happens), processing it twice must not charge the customer twice or create duplicate orders.

  • Use the payment gateway's unique payment ID as your idempotency key
  • Check if the payment has already been processed before updating your database
  • Use database transactions to ensure atomicity

Data Localization (RBI Mandate)

  • Store all payment data on servers within India
  • Use Indian cloud regions (AWS Mumbai, Azure Pune, GCP Mumbai)
  • Do not replicate payment data to overseas regions
  • Maintain audit logs of data access

Fraud Prevention

  • 3D Secure (3DS) โ€” mandatory for card payments in India, adds OTP verification
  • Velocity checks โ€” limit transactions per IP, per device, per card in a time window
  • Device fingerprinting โ€” identify suspicious devices across sessions
  • Amount anomaly detection โ€” flag transactions significantly above customer's average
  • BIN-based risk scoring โ€” identify high-risk card issuers

Subscription Billing Implementation

For SaaS products, subscription billing requires additional complexity:

  1. Plan management โ€” create and manage pricing plans
  2. Trial handling โ€” free trials with automatic conversion
  3. Proration โ€” calculate charges when upgrading/downgrading mid-cycle
  4. Dunning โ€” retry failed payments with increasing intervals
  5. Invoice generation โ€” GST-compliant invoices for each billing cycle

Razorpay Subscriptions and Stripe Billing handle most of this automatically. For custom billing logic, Ubikon builds tailored subscription engines.

Testing Payment Integrations

  • Use sandbox/test mode for all development โ€” every gateway provides test credentials
  • Test every payment method โ€” UPI, card (success, failure, pending), net banking
  • Test webhook delivery โ€” use tools like ngrok for local development
  • Test failure scenarios โ€” insufficient funds, expired cards, timeout, duplicate payments
  • Test refund flows โ€” partial refund, full refund, refund to different method
  • Load test payment endpoints โ€” ensure your server handles payment spikes (sale events, Diwali)

Common Payment Integration Mistakes

  1. Trusting frontend amounts โ€” always calculate totals on the server
  2. Not verifying webhooks โ€” leaving your system open to spoofed payment confirmations
  3. Missing idempotency โ€” duplicate charges from retry webhooks
  4. No reconciliation โ€” not matching gateway settlements with your records daily
  5. Hardcoding gateway credentials โ€” use environment variables, never commit secrets

How Ubikon Builds Payment Systems

Ubikon has built payment integrations processing INR 50Cr+ monthly. We handle Razorpay, PhonePe, Cashfree, and Stripe integrations with proper webhook handling, reconciliation pipelines, and GST-compliant invoicing.

Book a free consultation to discuss your payment integration needs.

Frequently Asked Questions

How much does payment gateway integration cost in India?

Basic UPI + card integration with Razorpay costs INR 1โ€“2 lakh for development. Adding subscription billing, split payments (for marketplaces), and automated reconciliation brings the cost to INR 3โ€“5 lakh. There are no setup fees from most gateways โ€” they charge per-transaction fees only.

Which payment gateway is best for startups in India?

Razorpay is the most popular choice for Indian startups due to its developer-friendly API, comprehensive documentation, quick onboarding, and support for all payment methods. PhonePe PG is a strong alternative for UPI-heavy businesses with lower settlement times.

Is PCI DSS compliance mandatory for my website?

If you accept card payments, yes. However, using a hosted payment page (Razorpay Checkout, Stripe Elements) means card data never touches your server, and you only need SAQ-A compliance โ€” the simplest level. This is what 95% of businesses should do. Building your own card form requires SAQ-D compliance, which is expensive and complex.

How do I handle payment failures and retries?

Implement a webhook-based architecture: (1) create a payment order, (2) redirect customer to payment page, (3) wait for webhook confirmation, (4) if webhook shows failure, allow customer to retry with a new payment attempt against the same order. Never auto-retry card payments without customer consent โ€” this violates RBI guidelines.

Can I accept international payments in India?

Yes. Razorpay and Stripe support international cards and PayPal. You need to enable international payments in your gateway dashboard and comply with FEMA regulations for receiving foreign currency. Export of services invoicing must include proper FIRC documentation. Stripe is generally the best choice for SaaS products with both Indian and international customers.

payment gatewayUPIRazorpayPCI DSSfintech Indiapayment security

Ready to start building?

Get a free proposal for your project in 24 hours.

Get Free ProposalEstimate Cost

Related Articles

๐Ÿ”—

Complete Guide to API Integration for Business in 2026

7 min read
๐Ÿ’ณ

How to Build a FinTech App in 2026: Architecture, Compliance, and Cost

7 min read
๐Ÿข

Real Estate App Development Guide: Features, Cost & Tech Stack

3 min read