  • Spocy

Are you in compliance? RBI notification to entities storing Payment System Data

A significant increase in digital payments has also raised red flags about governing and protecting payment systems data from adversaries.

In India, the RBI (Reserve Bank of India) directed all payment system providers and facilitators to store all payment systems data locally in India. The notification covers not only the authorised payment systems but also the underlying service providers, vendors, and intermediaries.

Payment system data consists of end-to-end transaction details and information pertaining to payment or settlement. This may include customer data including PII, Aadhaar, PAN, account numbers, credentials, OTP, etc.

The notification has also asked all payment system providers to submit a SAR (System Audit Report) every 6 months stating their compliance. As directed by the notification, the review should be conducted only by a CERT-IN empaneled auditor.

It does allow entities to process data outside of India; however, the processed data should be brought back to India within 24 hours. The notification would also require all entities to diligently monitor their supply chain, especially in cases where cloud services are being availed to process, store, or back up the payment system storage data.

Digital payments saw an uptick of 33% in FY 21-22. A total of 7422 crore digital payments were recorded during this period as per the Ministry of Electronics and IT (MeitY). Due to such a wide footprint of digital payments in India, the payment providers associated with foreign transactions had to perform logical segregation of the local payment data in the system.

Many foreign entities have opposed such data sovereignty requirements since they increase their cost of business. However, the central bank has not backpedaled on the requirement.

As a CERT-IN empaneled auditor, Security Spoc has helped Indian entities to remain in compliance with data sovereignty laws and regulations that primarily focus on data security controls such as encryption, classification, backups, etc.

Focus Areas in SAR (Examples):

1. Review of Data Storage Capabilities

2. Review of Architecture & Application Components

3. Review of Transactions Processing

4. Data Backup & Restoration

5. Data Security

For any queries on assistance required, feel free to connect with us!
