The Reserve Bank of India issued a directive on 'Storage of Payment System Data' on 6 April 2018. The directive instructed all system providers to ensure, within a period of six months, that all data relating to payment systems is stored in a system only in India.
Payment System Operators (PSOs) remain unclear about parts of the aforementioned directive.
The following information has been provided to clear the haze:
1. The direction's applicability
The directions are applicable to the following:
- All Payment System providers who are authorised and approved by the Reserve Bank of India to operate and manage a payment system under the Payment and Settlement Systems Act, 2007.
- All banks operating in India.
- System participants, service providers, intermediaries, payment gateways, third party vendors and other entities (by whatever name referred to) in the payments ecosystem, who are retained or engaged by the authorised / approved entities for providing payment services.
*The responsibility for compliance with the provisions of these directions rests with the authorised / approved PSOs, who must ensure that such data is stored only in India as required under the above directions.*
2. Storage of payment data
All the payment data needs to be stored in systems which are located in India.
3. Data that needs to be stored in India
The data to be stored in systems in India, along with other payment-system-related data, should include:
- End-to-end transaction details
- Information pertaining to payment
- Settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction.
- Customer data (name, mobile number, email, Aadhaar number, PAN number, etc., as applicable)
- Payment sensitive data (customer and beneficiary account details); payment credentials (OTP, PIN, passwords, etc.)
- Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).
4. Storage of data with regard to cross-border transactions
For cross-border transactions where the data consists of a foreign component and a domestic component, a copy of the domestic component can, if necessary, also be stored in the concerned foreign nation.
5. Processing of payment transactions
- The PSOs have the freedom to process payment transactions outside India as well. After processing, the data should be stored only in India, with complete end-to-end transaction details forming part of the stored data.
- If the processing is carried out in a country outside India, the data should be deleted from the concerned systems abroad and brought back to India. This should be done within one business day or 24 hours from payment processing, whichever is earlier.
- Any subsequent activity after payment processing, such as settlement processing, that is carried out outside India should be performed on a near real time basis, with the storage being in India only.
- If another related processing activity (such as chargeback) has to be undertaken, the data can be accessed at any time from where it is stored in the country.
6. Data processed abroad cannot be retained abroad for as long as the window for customer dispute resolution / chargeback is available; it should be deleted within the mentioned time limit. The data stored can be accessed at any given time for handling customer disputes.
7. The payment system data can, if required, be shared with the overseas regulator. Such sharing would depend on the nature and origin of the transaction and would be done with the due approval of the RBI.
8. The System Audit Report (SAR) should be from an auditor empanelled by the Indian Computer Emergency Response Team. The report, along with other payment-transaction-related data, should include:
- Data Storage
- Maintenance of Database
- Data Backup Restoration
- Data Security, etc.
9. Entities which were permitted to store banking data abroad earlier
Banks, especially foreign banks, which were earlier specifically permitted to store banking data abroad can continue to do so.
In the case of domestic payment transactions, however, the data can be stored only in India, except in the case of cross border payment transactions, where the data may also be stored abroad as indicated earlier.