FAQ

Introduction

What is LotusPay?

LotusPay is the recurring payments solution for businesses and organisations in India. We enable our merchant clients to quickly and easily collect recurring payments online from their customers. We do this via NACH Debit physical mandates and eMandates (eNACH).

How do I learn more about the product?

Visit our Support section to learn more. It has comprehensive information for you and your customer.

Can I test it out before going live?

If you're qualified for the Pro plan, you can request a sandbox test account. Please contact us for more details.

What is NACH Debit?

NACH Debit enables businesses to collect recurring payments directly from their customers' bank accounts. This is done by asking customers to authorise mandates for direct debit. NACH Debit has replaced ECS Debit. NACH Debit is a payment system of the National Payments Corporation of India (NPCI) and is regulated by the Reserve Bank of India under the Payment and Settlement Systems Act 2007.

What is 'eNACH'?

eNACH refers to NACH Debit eMandates - paperless mandates. There are two types of eMandate:
API eMandate - authorised via net-banking or debit card.
eSign eMandate - authorised via Aadhaar eSign.

How can I use LotusPay?

We have two plans:
- Standard: A straight-forward payment gateway solution for getting started instantly with API eMandate.
- Pro: For advanced requirements such as working with physical mandate, eSign eMandate, your own sponsor bank and your own utility code.
If you're not sure about how NACH Debit works, it's safe to go with Standard: We take care of everything and you just need a bank account to be paid out to.

Who can use LotusPay?

Anyone that wants to take recurring payments directly from their customers' bank accounts in India can use LotusPay.

Is there setup, maintenance or monthly fee?

In the Standard plan there is no monthly fee. We charge a fixed fee per mandate and a fixed fee per transaction.

In the Pro plan there is a no monthly fee. We charge a fixed fee per mandate and a fixed fee per transaction. There is a minimum billing commitment or setup fee.

There are no maintenance fees.

What is LotusPay not suitable for?

LotusPay cannot be used for taking instant payments such as credit cards, debit cards, digital wallets and UPI.

In NACH Debit, API eMandates are activated instantly and eSign eMandates and physical mandates take a few days to set up. Transaction processing happens via batch clearing during working days, hence NACH Debit is not suitable for anything that requires instant or urgent confirmation of payment. You can use LotusPay alongside other payment methods.

Isn't NACH Debit for big companies like mutual funds?

It was - until we came along. We have made NACH Debit simple, fast, accessible and affordable. It's more reliable and far cheaper than other recurring payment methods.

Why is NACH Debit better for recurring payments than cards/wallets?

'Push' payment methods such as credit cards, debit cards, digital wallets and UPI generally require the customer to authorise each and every payment, so customers often delay, forget or fail to pay, or they just cancel. RBI has recently relaxed the requirement for second factor authentication on card-not-present transactions, which allows recurring payments on cards - but customers must have a card, be comfortable with using it, and must have authorised the instruction via the card network's security system.

NACH Debit is a 'pull' payment method: it requires the customer to only authorise an initial mandate for you to pull money from their account, following which they don't need to worry about authorising future transactions and you don't need to worry about chasing up customers for your payments.

Cards can expire or get cancelled, so your payment will fail. NACH Debit mandates expire when you want them to, and they can't be lost or stolen so they are much more reliable for recurring payments.

Payment gateways charge you uncapped percentage fees of up to 3% for card, wallet and UPI payments. NACH Debit with LotusPay is much cheaper for you.

Most Indians do not have credit cards. NACH Debit requires the customer to have a bank account, which nearly everyone has.

Digital wallet payments require the customer to load the wallet first, which requires the customer's authorisation each time - again, more friction for paying you.

What is the legal basis for payments under NACH Debit?

NACH Debit mandates are like cheques: They are irrevocable. So, although customers can cancel NACH Debit mandates, they should not do so without the creditor's consent, nor should they fail to honour the payments drawn on the mandates.

Section 138 of the Negotiable Instruments Act 1881 accords certain rights and remedies to the payee of a cheque if the payer dishonours the cheque for insuffiency of funds (i.e. if the cheque bounces). Section 25 of the Payment and Settlement Systems Act 2007 accords similar rights and remedies to the payee against dishonour of electronic funds transfer for insufficiency of funds in the payer's account. NACH Debit is an authorised payment system under this Act and is covered by Section 25.

How do I get paid with LotusPay?

Your funds are paid into your bank account.

When do I get paid?

Your funds will reach you on the same day that we collect the amount from your customer.

What is the smallest amount that I can collect?

The smallest amount for a single transaction is Rs 100.

What is the largest amount that I can collect?

The maximum amount for any one transaction with eMandates is Rs 1,00,000 (1 lakh or one hundred thousand). NPCI will likely increase this limit in 2019.

The maximum amount for any one transaction with physical mandates is Rs 1,00,00,000 (1 crore or 10 million).

There is no limit on the number of transactions.

Can I collect fixed amounts and variable amounts?

Yes. You can use our simple dashboard or API to create mandates/subscriptions/plans with fixed amounts or maximum amounts. Maximum amount in independent mandates or in mandates with ad hoc frequency allow you to charge customers variable amounts.

How often can I collect?

You can set frequency as intra-day, daily, weekly, monthly, bi-monthly, quarterly, half yearly, yearly - or build subscriptions with custom frequencies. You can even select ad-hoc frequency, meaning that you can collect payments as and when you want.

How it works

How does it work?

Signing up takes just 10 minutes. We will review and activate your account within two business days.
Standard Plan is simple to use, and includes API eMandates:

  • In our web dashboard, you create a plan or pre-fill a mandate and invite your customer to authorise their subscription.
  • Your customer receives an email from your company's name, containing a link to your branded authorisation page on our server. Your customer visits the link and completes the simple and quick mandate authorisation process.
  • We quickly process the NACH Debit mandate through secure banking channels. Once the mandate is active, we collect payments and pay them out to you.
  • Your customer is kept informed of every debit from their bank account by an email from your company name, and we keep you informed of every subscription, payment and pay out.
Can customers sign up on my website?

You can create payment plan links and post this on your website. On clicking this link the customer will be sent to your branded page on our server where they can authorise the mandate.

How does the customer authorise payments to me?

Your customers authorise payments to you via NACH Debit mandates. Most customers can create eMandates, and everyone can create physical mandates.

Can I make the mandate for my customer?

You can enter the customer's details, or assist the customer to do so, but the customer needs to personally authorise the mandate.

How do I take payments?

Once the customer has authorised the mandate, you can then initiate payments on the mandate. The payment will only be submitted once the mandate is active. Payments do not require customer authorisation. Payments must fall within the mandate parameters, such as amount, frequency, start date and end date.

You can create payments on an ad hoc basis, or you can use LotusPay plans and subscriptions to automate the creation of payments according to pre-determined schedules.

How do I know if I've been paid?

In our online dashboard you can see up-to-date information on your customers and payments. We will also notify you by email.

How do I get help?

Standard Plan includes email support with a turn-around time of one working day.
Pro Plan includes email and phone support with faster turn-around time, depending on the the service level agreement.

For support, please email support at lotuspay dot com.

Getting started

Do I need to sign an agreement?

Standard Plan merchants can sign up online, and using our service means that you accept our merchant agreement, which you can find linked at the bottom of this page. There is nothing else to sign.

Pro Plan merchants can opt for an offline agreement.

What details do you need from me?

After signing up, we will ask you for your organisation's details, your bank account details and your personal details. We will also need some documents to verify both you and your organisation.

You must have a bank account in India to receive the settlement payouts. It is not possible to be paid out to a foreign account.

You do not need to be NACH-enabled. You would be benefitting from LotusPay's deep NACH integration with our banking partners, hence you simply need a bank account to be paid out to - we take care of everything else.

If you want to be on our Pro plan to benefit from lower unit fees and only your name appearing on your customer's bank statement, you would need a NACH utility code. There's no need for you to discuss NACH setup with your sponsor bank, but you can opt for using your own sponsor bank if you wish.

How do I test the product?

You can easily sign up and create a mandate for yourself. If you are a Pro Plan merchant, please contact us and we will schedule a time to give you a live demonstration. You may be qualified for a sandbox account for testing.

Can I sign up if I am not a company?

Yes. LotusPay is available to companies, partnerships, trusts, societies, proprietorships and government organisations. Individuals cannot currently be LotusPay clients.

Can I sign up if I am a charity or religious organisation?

Yes. Charities and religious organisations are perfectly welcome. You must be a registered trust, society or non-profit (Section 25) company. Due to RBI FEMA regulations, non-profit organisations can not collect funds from a customer's NRE account.

How do I sign up as a developer?

Developers should sign up as normal and then request an API key from the dashboard. API access is limited to Pro Plan.

Can I check the product for free?

You can sign up without any commitment and see how the product works. There is no lock-in or payment due and you can stop using the product at any time. In the Standard Plan, we only charge fees for successfully processing mandates and transactions for you.

I'm already using NACH Debit. Can I switch to LotusPay?

Yes. It's easy to migrate your existing NACH Debit mandates to LotusPay. Please contact us to get started.

API eMandates

What is an eMandate?

eMandates (electronic mandates) are system-generated XML files that contain similar information to physical mandates, but they also contain the customer's digital authorisation. eMandates are designed to be read by software.

How does the customer authorise the API eMandate?

The customer is redirected to their bank's website, where they must log into netbanking or enter debit card and PIN in order to authorise the eMandate. The netbanking login or debit card details are not used to make NACH payments, rather they are used to verify that the signer of the mandate is the owner of the bank account.

See our Support article Authorising an eMandate for screen shots and details.

What are the prerequisites for my customer to authorise an API eMandate?

Your customer must be banking with a live destination bank for eMandates, and they must have a netbanking login or debit card and PIN for that bank account.

Which banks are enabled for API eMandates?

Each destination bank (the customer's bank) has to independently develop connectivity to NPCI to allow customers to authorise eMandates via (a) net-banking login, or (b) debit card and PIN, or both options.

The following banks are live:

  1. Axis Bank (net-banking)
  2. Andhra Bank (net-banking and debit card)
  3. AU Small Finance Bank (debit card)
  4. Bank of Baroda (net-banking)
  5. Bank of Maharashtra (net-banking and debit card)
  6. Canara Bank (net-banking)
  7. Central Bank of India (net-banking)
  8. Cosmos Cooperative Bank (net-banking)
  9. Citibank (debit card)
  10. City Union Bank (net-banking)
  11. DBS Bank (net-banking, debit card)
  12. DCB Bank (net-banking)
  13. Deutsche Bank (net-banking and debit card)
  14. Dhanalaxmi Bank (net-banking and debit card)
  15. Equitas Small Finance Bank (debit card)
  16. Federal Bank (net-banking and debit card)
  17. HDFC Bank (net-banking and debit card)
  18. HSBC (net-banking)
  19. ICICI Bank (net-banking and debit card)
  20. IDBI Bank (net-banking)
  21. IDFC Bank (net-banking and debit card)
  22. Indian Overseas Bank (net-banking)
  23. IndusInd Bank (net-banking and debit card)
  24. Karnataka Bank (net-banking and debit card)
  25. Kotak Mahindra Bank (net-banking and debit card)
  26. Oriental Bank of Commerce (net-banking)
  27. Paytm Payments Bank (net-banking)
  28. Punjab National Bank (net-banking and debit card)
  29. RBL Bank (net-banking and debit card)
  30. South Indian Bank (debit card)
  31. Standard Chartered Bank (net-banking)
  32. State Bank of India (net-banking and debit card)
  33. Tamilnad Mercantile Bank (net-banking)
  34. Ujjivan Small Finance Bank (net-banking and debit card)
  35. Union Bank of India (net-banking)
  36. Yes Bank (net-banking and debit card)

The following banks are under certification and are expected to go live in the next three months:

  1. Allahabad Bank (net-banking)
  2. Bank of India (net-banking)
  3. Bandhan Bank (debit card)
  4. Indian Bank (net-banking and debit card)
  5. Jio Payments Bank (net-banking)
  6. Karur Vysya Bank (net-banking)
  7. Punjab & Sind Bank (net-banking)
  8. Syndicate Bank (net-banking)
  9. Vijaya Bank (net-banking)
  10. Uco Bank (net-banking)
  11. United Bank of India (net-banking and debit card) (temporarily suspended)

Various other co-operative banks and small finance banks are also going live soon.

Collectively, the above banks represent the majority of consumer bank accounts in India.

Many other banks are expected to go live in 2020.

Newly enabled banks will be automatically added to LotusPay. If your customer's bank account is with a bank that is not enabled for eMandates, the alternative is physical mandates.

What if my customer's bank account is a joint account?

If your customer's bank account is a joint bank account, they can authorise the eMandate only if the mode of operation is 'Either or survivor' or 'Anyone or survivor'. If the mode of operation is 'Jointly' then they cannot use eMandates as their bank will decline to create the mandate.

What if my customer is a business?

Destination banks have their own policies on this. For net-banking based authorisation, the customer should have access to the retail net-banking login of the destination bank (generally, eMandate authorisation cannot be done with corporate net-banking logins).

Also, the operating mandate or authorisation matrix of the business bank account should allow for operating the account 'severally' i.e. by one authorised signatory. Some treat small and medium sized businesses as retail customers and allow eMandate authorisation as normal. Others treat all businesses as corporations and will not allow eMandate authorisation. See our Support knowledge base for more information.

What if my customer doesn't know their netbanking login or debit card PIN?

eMandates require this. Banks offer customers a variety of ways to get these details. If these details are not accessible, the alternative is to authorise a physical mandate.

How does the customer's bank verify the API eMandate?

The customer's bank verifies that the customer who logged into netbanking or entered their debit card and PIN details is the same customer who owns the bank account number contained in the eMandate request.

Is there another way of doing eMandates?

Yes: eSign eMandate.

What if I need evidence of the eMandate?

We can provide a digitally signed confirmation letter of the details in the eMandate on demand.

eSign eMandates

What is an eSign eMandate?

eSign eMandates (electronic mandates) are system-generated XML files that contain similar information to physical mandates, but they also contain the customer's digital authorisation from Aadhaar eSign. eMandates are designed to be read by software.

How does the customer authorise an eSign eMandate?

In OTP-based authorisation, the customer is redirected to the eSign gateway. There they must enter their Aadhaar number and an OTP (received to the mobile number linked to their Aadhaar).

In biometric-based authorisation, the customer must scan their fingerprint in a registered device.

See our Support article Authorising an eMandate for screen shots and details.

What are the prerequisites for my customer to authorise an eSign eMandate?

Your customer must have an Aadhaar card and the Aadhaar card must be linked to their bank account. For OTP verification, the customer must have the mobile number linked to the Aadhaar. For biometric verification, the customer must be able to scan their fingerprint in the biometric device and the fingerprint must match the Aadhaar database.

Which banks are enabled for eSign eMandates?

Each destination bank (the customer's bank) has to independently develop validation mechanisms for Aadhaar eSign.

The following major banks are live:

  1. Bank of Maharashtra
  2. HSBC
  3. Karnataka Bank
  4. Punjab National Bank
  5. Standard Chartered Bank
  6. UCO Bank
  7. Yes Bank

Additionally, there are a dozen small cooperative banks live.

The following major banks are under certification and are expected to go live in the next one month:

  1. Corporation Bank
  2. Dena Bank
  3. HDFC Bank
  4. IDBI Bank
  5. IDFC FIRST Bank
  6. IndusInd Bank
  7. Oriental Bank of Commerce
  8. RBL Bank

Various other major banks, co-operative banks and small finance banks are also going live in the coming three months.

Collectively, the above banks represent the majority of consumer bank accounts in India.

Many other banks are expected to go live in 2020.

Newly enabled banks will be automatically added to LotusPay. If your customer's bank account is with a bank that is not enabled for eSign eMandates, the alternatives are API eMandate and physical mandate.

What if my customer's bank account is a joint account?

If your customer's bank account is a joint bank account, they can authorise the eSign eMandate only if the mode of operation is 'Either or survivor' or 'Anyone or survivor'. If the mode of operation is 'Jointly' then they cannot use eSign eMandates as their bank will decline to create the mandate.

What if my customer is a business?

Proprietorships can generally authorise eSign eMandates. Other entities such as public limited, private limited and partnership cannot authorise eSign eMandates.

What if my customer doesn't has Aadhaar?

eSign eMandates require this. The government offers every Indian resident a variety of ways to get Aadhaar. If the customer does not have Aadhaar, the alternatives are API eMandate and physical mandate.

How does the customer's bank verify the eMandate?

The customer's bank verifies that the customer who owns the Aadhaar used for the Aadhaar eSign is the same customer who owns the bank account number contained in the eMandate request. The bank does this by checking that the bank account owner has the same Aadhaar.

Is there another way of doing eMandates?

Yes: API eMandate.

What if I need evidence of the eMandate?

We can provide a digitally signed confirmation letter of the details in the eSign eMandate on demand.

Earlier suspension of eSign eMandates

NPCI suspended eSign eMandate processing in November 2018 pending clarifications required from CCA on the legal validity of eSign. See Circular 035 on the NPCI NACH Circulars website. This is because eSign uses Aadhaar eKYC and in September 2018 the Supreme Court struck out Section 57 of the Aadhaar Act (the section that permitted private sector usage of Aadhaar).

NPCI reintroduced eSign eMandate on 1st June 2020 with permission from RBI, UIDAI and CCA.

Physical mandates

Do you process physical mandates?

Yes. You can use our dashboard, bulk file, forms and API to generate physical mandates. We generate pre-filled PDF files that you can use if required. You'll need to get the customer's wet signature on the physical paper mandate. You can upload the photo/scan image of the signed mandate in our dashboard and submit it for processing - everything else happens automatically through our banking integrations.

Please click here for more information.

What are the advantages and disadvantages of physical mandates?

Advantages:
- Ubiquitous: There are many hundreds of destination banks live for the physical variant of NACH Debit.
- Mature: This method has been live for many years so it is considered robust.
- Accessible: Any customer can authorise a physical mandate by signing it. There is no need for netbanking, debit card, smart phone, OTP etc.

Disadvantages:
- Time: Depending on the destination bank's efficiency, physical mandates typically take 5-10 days to activate.
- Logistics: The customer must put a wet signature on a physical paper document. This involves you meeting the customer or arranging for transportation of the document.
- Failure rate: 10%-20% of physical mandates are rejected due to signature mismatch. One should ensure that the signature on the mandate is matching the signature in the bank account.

Should I use physical mandates or eMandates?

eMandates are better, easier, faster, cheaper and more secure than physical mandates. eMandates are authorised via netbanking login or debit card and PIN, or Aadhaar eSign, which means they are ideal for taking recurring payments from individuals or proprietorships. For jointly held accounts, corporate accounts and accounts held with banks that are not live for eMandates, the best option is physical mandate.

Can I use both physical mandates and eMandates?

Yes.

We created mandates elsewhere. Can we take payments on those mandates via LotusPay?

Yes. LotusPay allows you to create ACH Debit transactions on any mandate created with any sponsor bank. Furthermore, NPCI's corporate portability guidelines allow you to migrate your mandates to any sponsor bank. Get in touch and we'll help you get started.

Customer experience

What does my customer see on the eMandate payment page?

Customers always see an explanation that you want to charge them according to the mandate or subscription.

The rest of the process that your customer sees depends on what options you have selected for them.

A) Merchant-filled form: If you have pre-filled the customer's details using our dashboard or API, your customer directly sees the check details page. Then the customer checks their details and goes through the authorisation process.

B) Customer-filled form: You can create plans (templates for subscriptions/mandates) and share the plan links with your customers. The customer sees that you want them to set up a subscription/mandate of a certain amount and frequency, and they see a simple form for entering their own details. Then the customer checks their details and goes through the authorisation process.

In API eMandate, the customer is redirected to NPCI and then to their bank, where they can log into netbanking or enter their debit card and PIN. Then the customer can review the eMandate and authorise it via OTP SMS. The customer is then redirected back to LotusPay and back to your website (if any).

In eSign eMandate, the customer is redirected to the eSign gateway, where they can enter their Aadhaar number and OTP. Then the customer can review the eMandate and authorise it via OTP SMS. The customer is then redirected back to LotusPay and back to your website (if any).

What name appears on my customer's bank statement?

In our Standard Plan, both our name and your name will appear on your customer's bank statement. You can customise how your name will appear in the sign up form.

In our Pro Plan, only your name appears on your customer's bank statement. This is done by using your NACH utility code.

Can I host the payments page on my site/app?

Yes, on the Pro Plan. You can benefit from a white-labelled solution.

On the Standard Plan, the customer authorises the eMandate on your branded page on the secure LotusPay website. The payment process is complex but we make it very simple.

For both plans, we we store the customer's details in a secure server which is independently audited for data security up to CERT-IN standards.

If you integrate LotusPay into your mobile app, you can show the mandate authorisation flow within your app via web-view. We provide an SDK for this purpose.

What communications do you send to my customer?

We send email notifications to your customer when you invite them to subscribe to your plans, when payments are collected, and when there are changes to their mandates. The email address is ours but the display name is yours. We can Bcc all customer emails to you too. Pro Plan merchants can opt in to our SMS eMandate invitation notifications for their customers.

Can my customer use your dashboard?

No. The LotusPay dashboard is only for you - our merchant client.

Do you provide customer support to my customers?

No. Our payments solution is for you - our merchant client. You will need to continue supporting your customers. If they have questions about their payments, your LotusPay dashboard gives you all the information you need to answer their questions. If you need help, you can easily ask us.

NACH Debit

Which banks offer NACH Debit?

More than 900 banks in India offer NACH Debit, and they represent nearly all banking customers in India.

How long does it take to set up a mandate?

API eMandate is authorised and activated instantly.
eSign eMandate takes two to five working days to process.
Physical mandate takes two to 10 working days to process.

Can mandate registration fail?

API eMandate: If the customer successfully authorises the eMandate via redirect flow, the mandate will be activated instantly. The eMandate redirect flow may return an error for various reasons e.g. wrong account number, bank account not in good standing, wrong login details etc. API eMandates are never rejected for signature mismatch because they are pre-authorised by the customer directly in their bank.

eSign eMandate: If the customer successfully authorises the eSign eMandate via redirect flow, the mandate may still fail. This can happen if the bank account details are incorrect, or if the Aadhaar eSign identity is not matching the identity of the bank account holder.

Physical mandates require a physical 'wet' signature and therefore can be rejected due to signature mismatch (compared to the signature stored in the bank account).

If an mandate creation fails, we will inform you immediately along with the reason. You can easily invite your customer to try again.

How do I know that my customer will pay?

NACH Debit, like a cheque, is a negotiable financial instrument - it cannot be revoked (although it can be cancelled). The signer must honour payments agreed in the eMandate. If the customer revokes the eMandate or fails to honour the payments, you have legal recourse under Section 25 of the Payment and Settlement Systems Act 2007.

Can the payment fail?

If your customer does not have cleared funds in their account, the debit transaction will fail (just as a cheque bounces). You and your customer will both be informed by email, and you will also see it online. You can request us to re-attempt the failed transaction. Be aware that the customer's bank will charge a penalty of Rs 100 to Rs 400 if a transaction fails due to insufficient balance.

There can be other reasons why payments fail, such as bank account closed or mandate cancelled. We will always inform you of the reason why a payment has failed.

How does the money reach me?

If the mandate is linked to a subscription, you do not need to take any further action - LotusPay will automatically collect the fixed regular amount on the scheduled charge date.

If the mandate is not linked to a subscription, then you need to request the payment no later than 9am on the desired charge date. You can do this our dashboard, via bulk file import, or via our API.

On the due date of the transaction, we request the customer's bank to send funds as per the agreed eMandate. The customer's bank sends the funds to our bank's nodal (intermediary) account. You receive bulk settlement payouts for all the funds payable to you on that day from all your customers. As soon as we receive the funds, we instruct our bank to pay out the funds to you. Small settlements of up to Rs 2 lakhs reach you on the same day because we pay out by IMPS transactions. For larger settlements, we pay out via RTGS on the next working day. We do not earn any interest on your funds.

How do I reconcile my settlement?

In our simple online dashboard, you can easily view the customer debits and your settlement credits. You can export data to CSV with a single click and manipulate it in a spreadsheet or import it into your own application, CRM or accounting software. You can also use our API to do this.

Can I close my LotusPay account and keep my mandates?

Yes. If you want to stop using LotusPay, you can easily migrate your mandates out of your LotusPay account at any time, free of cost. We will help you do it. You can port your NACH Debit process to any sponsor bank or provider.

Invoices and GST

How do you collect your fees?

We deduct our fees after collecting funds from your customers and before paying out the funds to you.

Do you charge Goods & Services Tax (GST) on your fees?

Yes, we are registered for GST therefore we charge you GST on our fees.

Is your system GST-compliant?

Yes. We report GST collections. If you report your GST paid to us, you will get input tax credit.

Do I get an invoice?

Yes, you can easily view your monthly tax invoices in our dashboard.

What if I am not registered for GST?

If you are not registered for GST, GST compliance does not affect you but since we are GST-registered you still have to pay us GST on our fees. We pay this GST to the government but you would not get the benefit of input tax credit (meaning you cannot claim offset for your paid GST against your received GST).

Security

Is NACH Debit safe?

NACH Debit is a payment system created and managed by the National Payments Corporate of India, and regulated by the Reserve Bank of India. It is a tried and tested payment method used by hundreds of institutions to collect recurring payments. It is an extremely robust payment system - for example, it is used by all mutual funds for collecting payments for systematic investment plans.

Is my data and my customer's data safe?

Our website uses SSL (Secure Socket Layer) for transmission of all data between users and us. Our system is hosted on secure servers in India and has stringent data security policies in place. Our system has been independently certified to ISO 27001 information security standards and in accordance with the Information Technology Act 2000 and applicable rules and regulations.

Who is checking that you are secure?

LotusPay has been audited and certified by an independent expert agency for our information and cyber security practices. The agency is empanelled by CERT-IN, the government's department for cyber security in the Ministry of Electronics and Information Technology.

Is my money safe?

NACH Debit is a highly regulated and robust payment system. LotusPay receives client funds into a nodal account: a non-interest paying account for client funds, legally controlled by our bank. Therefore client funds are entirely segregated from our own funds and we would not benefit from delaying disbursement to you. We generally disburse funds to you on the same day we receive them. RBI regulations state that client funds cannot be kept in a nodal account for longer than three days.

How do you deal with vulnerabilities?

We work hard to maintain a safe and robust platform. If you believe you have discovered a vulnerability, we ask that you disclose it to us in a responsible manner. Sharing vulnerabilities publicly puts our entire user base at risk, so we urge you to keep issues private until we have had a chance to fix the issue.

What if I see a problem?

Please report it immediately to us by emailing security@lotuspay.com and we will take swift action. If you disclose the vulnerability in a responsible manner, we will pay you a reasonable cash reward in recognition of your efforts in security research. We will not pay rewards for denial of service attacks or other deliberate disruption of our service.

Developer API

How does the LotusPay API work?

Our powerful REST APIs enable you to seamlessly integrate our product with your web or mobile application. We provide you with an API key which is used for authenticated communications between our system and your system. Your developers can easily create powerful integrations with LotusPay and use our webhooks to pull any information into your application, and push instructions to us to create, modify and cancel objects such as customers, bank accounts, mandates, subscriptions and payments.

How can I get started with the API?

Visit our API reference at http://docs.lotuspay.com to get started.

Can I have a developer sandbox for testing purposes?

Pro plan customers can contact us to get a sandbox account.

Can I host the payment pages on my site?

Yes, but only with LotusPay Pro. With Pro, you’re able to design your own payment pages and you can host them directly on your website.

On the standard LotusPay product, we host the payment pages securely on our website in order to comply with the security rules of the banking and signing systems.

You can redirect the customer to our payment page and we will redirect them back to your site. Alternatively, you can allow customers to access the payment pages via a pop-up from your website.

Do you offer iFrames?

No. The mandate authorisation process may not function reliably and securely within an iFrame.

Can payments be made directly via the API?

Only once authorisation (the NACH Debit mandate) is in place. Customers must be sent to secure payment pages to give initial authorisation of the NACH Debit.

To make this as easy as possible for your clients, you can pass their personal information to us via the API to prepopulate the form.

Once authorisation is in place, payment can be requested via the API.

What information do you make available via the API?

LotusPay provides webhooks to notify Merchants of any changes in the status of its resources. One extremely useful example is determining when a bill has been paid.

You can find out more about available webhooks and how to use them in our developer documentation.

Do you have mobile SDKs for Android and iOS?

Yes! Our mobile SDKs are provided to you as a single-line integration.

Do you have a plugin for WordPress/Joomla/Drupal etc.?

No, but our APIs are very simple for you to integrate.

Where can I get technical support?

You can email us at support@lotuspay.com. Our developers are on hand 10am-6pm, Mon-Fri to help with your technical queries.

A number of detailed product guides are also available in our Support Centre.