SCC Times

Storage of Payment System Data | Clarification issued by RBI to ensure expeditious compliance by Payment System Operators

The Reserve Bank of India, through circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 06, 2018, had issued a few directions, stating that, to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as well as with their service providers, intermediaries, third-party vendors and other entities in the payment ecosystem.

In accordance with the circular, all system providers were to ensure that the entire data relating to payment systems operated by them is stored in a system only in India.

Now, the Payment System Operators have sought clarification on the implementation of the directions issued, for which the Reserve Bank of India has issued a clarification under the following heads:

1. Applicability of the direction:

2. Payment Data Storage

Entire payment data shall be stored in systems located only in India, except in cases clarified herein.

3. Data that needs to be stored in India

Data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction. This may, inter alia, include – Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.); and Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).

4. Storage of data pertaining to cross-border transactions

For cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.

5. Processing of payment transactions

6. Can the data processed abroad be retained abroad till the window for customer dispute resolution/chargeback is available?

The payment data sent abroad for processing should be deleted abroad within the prescribed timeline and stored only in India. The data stored in India can be accessed/fetched for handling customer disputes whenever required.

7. Can the payment system data be shared with overseas regulators?

The data may be shared with the overseas regulator, if so required, depending upon the nature/origin of the transaction with due approval of RBI.

8. Scope and coverage of the System Audit Report (SAR)

The System Audit Report (SAR), from a CERT-In empanelled auditor, should inter alia include Data Storage, Maintenance of Database, Data Backup Restoration, Data Security, etc.

9. Clarification in respect of entities earlier permitted to store banking data abroad

In the case of banks, especially foreign banks, earlier specifically permitted to store the banking data abroad, they may continue to do so; however, in respect of domestic payment transactions, the data shall be stored only in India, whereas for cross border payment transactions, the data may also be stored abroad as indicated earlier.


[Source: Reserve Bank of India]

[Picture Credits: Hindustan Times]
