Payment Gateway Agreement (UAE)

A Payment Gateway Agreement in the UAE is the foundational contract between a Central Bank-licensed Payment Service Provider (PSP) operating a payment gateway and a merchant who wishes to accept electronic payments through that gateway. The Central Bank of the UAE is the primary regulatory authority for payment services, exercising its powers under Federal Law No. 14 of 2018 Regarding the Central Bank and Monetary Policy and the implementing Cabinet Resolution No. 65 of 2020 on the Regulation of Financial Activities. The Central Bank's Retail Payment Services and Card Schemes Regulation sets the specific licensing and conduct requirements for payment gateway operators in the UAE, requiring them to maintain adequate capital, comply with technical standards, and adhere to consumer protection rules.

The agreement defines the commercial and technical relationship between the gateway and the merchant. On the commercial side, it sets out the transaction fee rate, the settlement currency and period, the chargeback reserve arrangement, the monthly transaction volume limit, and the fee invoicing terms. On the technical side, it addresses the payment methods supported — which in 2026 increasingly include Visa, Mastercard, UAE NAPS (the national card scheme operated by the Central Bank), digital wallets such as Apple Pay and Google Pay, and stablecoins — the integration method, and the security standards applicable to the merchant's systems. PCI-DSS compliance is a mandatory element for all card-accepting merchants, and the agreement records the merchant's compliance level.

VAT obligations under Federal Decree-Law No. 8 of 2017, administered by the Federal Tax Authority (FTA), are a critical component of the UAE payment gateway relationship. The gateway's service fees are generally subject to VAT at 5%, and the agreement must correctly allocate VAT between the parties. The merchant's Tax Registration Number (TRN) must be recorded to enable proper tax invoicing. For merchants whose customers pay VAT-inclusive prices, the gateway's fee deducted from settlement must be accounted for correctly in the merchant's VAT returns.

AML/CFT compliance under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Cabinet Decision No. 10 of 2019 applies to all licensed PSPs in the UAE. The gateway must screen transactions against sanctions lists maintained by the Executive Office for Anti-Money Laundering and Counter Terrorism Financing (EOCN), monitor merchant transaction patterns for suspicious activity, and report to the Financial Intelligence Unit (FIU) via the goAML platform. The gateway must also conduct KYC on each merchant during onboarding, verifying the trade licence, beneficial ownership, and the nature of the merchant's business. The Payment Gateway Agreement records these compliance obligations and creates the contractual basis for the gateway to suspend or terminate the merchant's access if AML/CFT concerns arise.

Data protection under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies to the personal data of cardholders processed through the gateway. The agreement must address the data processing roles of the gateway and the merchant, the security standards for cardholder data storage and transmission, and the procedures for responding to data breaches. The forms-legal.com Payment Gateway Agreement template for the UAE provides a structured wizard that guides the merchant through all these elements, generating a complete and compliant agreement that can be reviewed by both parties' legal advisers.

A Payment Gateway Agreement is needed in the UAE whenever a merchant integrates a third-party payment processing service to accept card or digital payments from customers, whether in an e-commerce context, through a point-of-sale terminal, or via a mobile payment application. The agreement is a regulatory requirement for Central Bank-licensed PSPs, who must have documented merchant agreements as a condition of their licence under Cabinet Resolution No. 65 of 2020, and it is a commercial necessity for merchants who need to understand their obligations, fee exposure, and rights in relation to chargebacks and settlement.

E-commerce businesses launching in the UAE market need a Payment Gateway Agreement from day one of accepting online payments. The UAE's e-commerce sector is one of the fastest-growing in the region, supported by a tech-savvy population, high smartphone penetration, and a strong preference for cashless payments. The gateway agreement determines the economics of every sale the merchant makes — the fee deducted per transaction directly affects the merchant's margin — and the chargeback provisions determine what happens when customers dispute transactions. A merchant who begins accepting payments without understanding the chargeback reserve arrangements may be surprised to find that a significant portion of early settlement is withheld.

Brick-and-mortar retailers integrating payment terminals and point-of-sale systems need a gateway agreement that addresses the specific transaction types common in physical retail — contactless, chip and PIN, and mobile payment — and sets out the liability position for card-present versus card-not-present fraud. UAE retailers participating in 'Buy Now Pay Later' (BNPL) schemes offered by licensed UAE fintech providers need a gateway agreement that addresses the split economics and consumer credit obligations.

Startups and SMEs applying for a UAE trade licence in retail or e-commerce categories will find that their bank, the Dubai Economy and Tourism department, and potential investors all expect them to have formal gateway agreements in place. Financial institutions reviewing a UAE business's creditworthiness or investment potential examine the quality of its payment infrastructure, and a signed Payment Gateway Agreement with a reputable Central Bank-licensed PSP is a component of that review. Cross-border merchants accepting payments in multiple currencies need a gateway agreement that addresses currency conversion rates, cross-border transaction fees, and the Central Bank's rules on foreign currency transactions.

A UAE Payment Gateway Agreement must contain specific elements to satisfy the Central Bank's Retail Payment Services and Card Schemes Regulation, the card schemes' operating rules, and the contractual requirements of the UAE Civil Code (Federal Law No. 5 of 1985). Complete party identification opens the document: the gateway provider's full legal name, Central Bank PSP licence number, and registered address; and the merchant's full legal name, trade licence number, and registered address. The licence number confirms the gateway's regulatory standing and can be cross-referenced with the Central Bank's public register of licensed PSPs.

The services clause must identify all supported payment methods with precision. In the UAE in 2026, a complete gateway agreement covers domestic card schemes (UAE NAPS), international card schemes (Visa, Mastercard, and where applicable American Express), digital wallets (Apple Pay, Google Pay, Samsung Pay), bank transfers (UAE NAPS Direct Debit), and increasingly stablecoins and other virtual asset payment methods where the gateway holds the appropriate VARA licence or ADGM FSRA authorisation. The monthly transaction volume limit must be stated, because exceeding it without prior approval can trigger gateway suspension under the Central Bank's risk management rules.

The fees and settlement clause must set out every component of the fee structure: the per-transaction rate, the monthly minimum fee, any setup or integration fee, currency conversion charges, and refund processing fees. The settlement currency, settlement bank account details, and settlement period — T+1, T+2, or weekly — must be clearly stated. The chargeback reserve arrangement must describe the percentage withheld, the duration of the reserve period, and the process for release. The forms-legal.com Payment Gateway Agreement template ensures these commercial terms are captured accurately through its wizard interface.

Merchant obligations cover PCI-DSS compliance confirmation, VAT registration (Tax Registration Number), prohibited business categories, refund policy disclosure requirements, and the obligation to notify the gateway of any security incident or suspicious transaction pattern. The agreement must also address the merchant's obligation to maintain its trade licence and notify the gateway of any change in business activity or ownership, because these events may trigger KYC re-verification under VARA's or the Central Bank's AML/CFT requirements.

AML/CFT, data protection, liability, and governing law complete the key elements. The AML section must address transaction screening, suspicious activity reporting to the FIU via goAML, and the gateway's right to suspend the merchant account if AML concerns arise. The data protection section must describe the roles of the gateway and the merchant under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the applicable PCI-DSS standard for cardholder data. The liability clause should allocate fraud liability between gateway-initiated and merchant-initiated risks. A governing law clause selecting UAE law and a specific dispute forum — Dubai Courts, DIFC Courts, Abu Dhabi Courts, or ADGM Courts — completes the document.

Completing a UAE Payment Gateway Agreement requires the merchant to have its trade licence and VAT Tax Registration Number (TRN) readily available, and the gateway provider to have its Central Bank PSP licence number confirmed. Before accepting any payment, the merchant must have completed the gateway's KYC onboarding process, which includes providing certified copies of the trade licence, Emirates ID for directors, and, for higher-risk merchant categories, proof of business activity such as a website URL or product catalogue.

In the parties section, enter the gateway provider's name exactly as it appears on its Central Bank licence and the merchant's name exactly as it appears on its trade licence. Accuracy here is important because the agreement forms part of the gateway's regulatory file and may be reviewed by the Central Bank during licence supervision. Enter the Central Bank PSP licence number in full, as this allows the merchant to verify the gateway's licence status independently.

In the service terms section, list all payment methods that will be enabled from the start of the agreement. Do not include methods that the gateway has not yet confirmed it can support — payment method scope should reflect the technical implementation plan. Enter the transaction fee rate in the exact format used in the gateway's commercial offer letter, including both the percentage and any per-transaction AED fixed fee. Select the settlement currency and period, and enter the chargeback reserve percentage and duration accurately. Enter the monthly volume limit, noting that exceeding this limit requires prior written approval from the gateway and may trigger a review by the Central Bank's payment systems oversight team.

In the compliance section, answer the PCI-DSS confirmation field based on the merchant's actual compliance status, not the desired status. Enter the merchant's 15-digit TRN issued by the Federal Tax Authority (FTA) if the merchant is registered for VAT. Select the governing forum that matches the merchant's registered jurisdiction. Review the preview document carefully to confirm that all fee calculations, settlement terms, and regulatory references are accurate. Execute the agreement, obtain signed originals, and retain alongside the gateway's onboarding documentation, KYC file, and integration technical specifications as a complete record of the merchant's payment processing arrangement.

Legal requirements for a UAE Payment Gateway Agreement flow from the Central Bank's regulatory framework, the card schemes' operating rules, and the general contract law applicable in the UAE. Cabinet Resolution No. 65 of 2020 on the Regulation of Financial Activities, together with the Central Bank's Retail Payment Services and Card Schemes Regulation, require all payment gateway operators to hold a PSP licence and to have documented merchant agreements that satisfy the Central Bank's minimum terms requirements. The Central Bank conducts regular inspections of licensed PSPs' merchant agreements and has issued standard terms requirements that gateways must incorporate.

Card scheme rules — Visa Core Rules, Mastercard Rules, and the UAE NAPS scheme rulebook — impose additional mandatory terms that all merchant agreements must contain, including the chargeback process, dispute resolution timelines, PCI-DSS compliance requirements, and prohibited merchant categories. A Payment Gateway Agreement that does not comply with card scheme rules exposes the gateway to fines and programme termination by the card scheme.

VAT obligations under Federal Decree-Law No. 8 of 2017 and the Federal Tax Authority's (FTA) VAT implementing regulations require payment gateway service fees to be properly documented on tax invoices. The agreement must identify the VAT-inclusive or VAT-exclusive pricing basis and record the merchant's TRN for tax invoice purposes. AML/CFT obligations under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019 require the gateway to conduct ongoing monitoring of merchant transaction patterns and to report suspicious activity to the FIU. The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) requires the agreement to address the data processing relationship between the gateway and the merchant in relation to cardholder data processed through the gateway. The UAE Civil Code (Federal Law No. 5 of 1985) provides the underlying contractual validity and remedies framework for the agreement.

Mistakes in UAE Payment Gateway Agreements frequently arise from merchants not understanding the fee structure or the chargeback reserve, and from gateways using template agreements that do not reflect UAE-specific requirements. The most common merchant error is misunderstanding the chargeback reserve: merchants who do not notice that a percentage of their settlement is held in reserve for 90 days are caught off-guard by cash flow shortfalls, particularly in the early months of trading when chargeback rates may be elevated. The agreement should state the reserve rate, the reserve period, and the release trigger with absolute clarity.

Using a foreign payment gateway agreement template without adapting it to the UAE is a serious mistake. Agreements that reference EU GDPR, UK FCA regulations, or US state money transmission laws rather than UAE law — Federal Decree-Law No. 45 of 2021 (PDPL), Cabinet Resolution No. 65 of 2020, and Federal Decree-Law No. 8 of 2017 (VAT) — do not satisfy Central Bank supervision requirements and may not be enforceable before the Dubai Courts or the Abu Dhabi Judicial Department. The UAE requires Arabic court proceedings for onshore disputes, and foreign-law agreements require translation by a Ministry of Justice licensed translator.

Merchants who fail to maintain PCI-DSS compliance throughout the agreement term face escalating card scheme fines and, in the event of a cardholder data breach, potential liability for all fraudulent transactions resulting from the breach. The agreement must specify the merchant's obligation to maintain PCI-DSS compliance continuously, not just at onboarding. Finally, merchants who neglect to update their KYC records with the gateway when their beneficial ownership changes, their business activity changes, or their VAT status changes violate the AML/CFT requirements of Federal Decree-Law No. 20 of 2018 and expose the gateway to regulatory sanction from the Central Bank, which can result in suspension of the merchant's gateway access until remediated.