The Reserve Bank of India (RBI) recently issued a directive concerning the ‘Storage of Payment System Data.’ The directive states that all payment-related data must be stored only within Indian systems. This requirement applies to all system providers who, over the course of six months, need to ensure that their payment systems data is entirely housed within India. This policy includes transaction details from end to end and information pertaining to payment transactions.
What Data Does This Include?
According to the RBI, this move extensively covers data such as: customer’s details, including name, mobile number, Aadhaar number, and PAN; sensitive payment details like the customer and beneficiary’s account details; and payment credentials such as OTP, and PIN. Additionally, all transaction related data, such as originating and destination system information amount, will also be included in this requirement.
Processing and Accessibility of Stored Data
The mandate also stipulates that if data processing occurs overseas, it must be returned to India within a 24-hour window. However, the RBI poses no restriction, thus, if Payment System Operators (PSO) so desire, they can process payment transactions outside of India.
The data stored within the country can be accessed or fetched whenever required for handling any customer disputes or any other related processing activities, including chargeback.
Data Sharing Regulations
The directive also provides provision for data sharing with overseas regulators. Should the nature/origin of a transaction require doing so, the data may be shared abroad, but only with prior approval from the RBI.
Cross Border Transaction Data
For cross border transaction data, which consists of a foreign and a domestic component, a copy of the domestic part may also be stored abroad.
A Quick Look at Some Key Facts
| Data Type | Storage Location |
|---|---|
| Customer Data | India |
| Payment Sensitive Data | India |
| Payment Transaction Data | India |
| Overseas Processed Data | Returned to India within 24 hours |
| Cross Border Transaction Data | Copy can be stored abroad |
Understanding RBI’s Stance
The RBI’s directive underpins its emphasis on data localization. This regulatory change aims to achieve seamless supervision and better management of payment systems operating in the country. It also ensures that the government’s control over sensitive data is not compromised by international entities or susceptible to foreign laws and regulations.