Guidelines for Storage of Payment System Data

Swetha Dhinesh

05 May, 2023

Given the current trend in data storage technology, data is typically kept in several places to provide data centres with a backup. The RBI’s order requiring all payment operators in India, both local and international, to keep all end-to-end transaction data “only within the country” has caused a stir in the present global payment ecosystem. According to RBI, quick and unrestricted access to data maintained in the payment ecosystem is necessary for better monitoring and surveillance of transactional data. 

In a recent move, the Reserve Bank of India prohibited onboarding new customers for American Express Banking Corp. and Diners Club International Ltd due to non-compliance with its regulation and guidelines on the storage of payment system data.

Storage of payment system data

The amount of data communicated or transferred through these digital transactions have significantly increased with the development of technology and the sharp rise in digital payments. To protect the access to and storage of such data, authorities should be in charge of oversight. The RBI released guidelines for unrestricted supervisory access to the data of such global players.

Data Localisation: Data localisation is the process of storing data on any device that is located physically inside the borders of the country where the data was generated. Before, most of the data are stored on a cloud outside India. As a condition of localisation, businesses must store and manage sensitive consumer data within national boundaries.

The Reserve Bank of India^[1] issued a directive on “Storage of Payment System Data” on 2018 April 06, advising through the guidelines to all system providers to make sure that, within six months of the guidelines, all data relating to payment systems they operate should be stored in a system only in India.

Payment System Operators (PSOs) occasionally ask the Reserve Bank for clarification on specific implementation concerns. To facilitate and guarantee prompt compliance by all PSOs, the RBI issued guidelines for the storage of payment data.

Direction applicability

• All payment system providers authorised or approved by the Reserve Bank of India to establish and run a payment system in India in accordance with the Payment and Settlement Systems Act, 2007, are subject to the directives.
• Banks perform two different roles in a payment system: operator and participant. They participate in the RTGS and NEFT payment systems run by the RBI, the systems run by CCIL and NPCI, and the card schemes. Therefore, the instructions apply to all banks running in India.
• The guidelines also apply to transactions made through system users, service providers, intermediaries, payment gateways, third-party vendors, and other entities (by whatever name referred to) in the payments ecosystem that is hired or contracted by authorised/approved entities to offer payment services.
• The authorised / approved PSOs would be responsible for ensuring compliance with the conditions of these directions and that such data is solely stored in India as required by the directives mentioned above.

Clarification on the Indian data required to be stored

Except in the situations described here, all payment information must be stored on systems that are only accessible from India.

• End-to-end transaction information and details on payments or settlements that are gathered, transferred, or handled as part of a payment message or instruction should be included in the data. 
• Customer data (Name, Email, Mobile Number, Aadhaar Number, PAN number, etc.), payment sensitive data (Beneficiary and Customer Account Details), payment credentials (PIN, OTP, Passwords, etc.) and transaction data (originating & destination system information, timestamp, transaction reference, amount, etc.) may be included among others.

Archiving information on international business transactions: If necessary, a copy of the domestic component of cross-border transaction data that consists of a foreign component and a domestic component may also be stored abroad.

Processing of payment transactions

The following are the guidelines for processing payment transactions:

• Processing payment transactions outside of India is not prohibited if the PSOs choose to do so. After processing, the data must, however, only be stored in India. The data should include all of the end-to-end transaction details.
• Suppose the processing is done outside of India. In that case, the data must be removed from the foreign systems and returned to India no later than one business day or 24 hours after the payment processing, whichever comes first. The same should only be kept in India.
• However, any subsequent activity, if carried out outside of India, such as settlement processing after payment processing, must also be undertaken/performed in close to real-time. The data should be kept only in India.
• The data can always be accessible from India, where it is stored, in the event of any additional processing activity relating to it, such as a chargeback, etc.

Regulation for data processed abroad and sharing payment system data with overseas regulators

The payment information transmitted overseas for processing shall, as stated above, be destroyed abroad within the allotted time frame and stored exclusively in India. For the purpose of resolving customer disputes as needed, the data maintained in India might be accessed or requested. Depending on the nature or origin of the transaction, the data may be disclosed to the foreign regulator with the proper RBI authorisation.

Clarification about businesses that were previously allowed to retain banking information abroad – Banks, particularly foreign banks, who were previously specifically allowed to store banking data abroad may continue to do so; however, with regard to domestic payment transactions, the data shall only be stored in India, whereas the data may also be stored abroad as previously indicated with regard to cross-border payment transactions.

RBI’s Regulatory Move

Following the Reserve Bank of India’s imposition of the first fines relating to the localisation of payments data, American Express and Diners Club International Ltd were forbidden from accepting new customers for six months. It forbade bringing on new domestic clients for an indeterminate period. The RBI’s ban, however, won’t apply to its current consumers. These restrictions may be seen as being disproportionate given that the RBI rarely imposes such hefty fines and normally use its regulatory authority with restraint. 

Due to non-compliance with the instructions on the storage of payment system data, the RBI has issued the order. The Payment and Settlement Systems Act of 2007 has licensed the American Express and Diners Club as payment system operators. The order issued by RBI is the initial set of penalties applied for non-compliance.

Also, on July 2021, it barred Mastercard Asia/Pacific Pte. Ltd from onboarding new domestic customers. Given that Mastercard controls about a third of India’s entire card network market, the ban is likely to have a significant effect. Given that the RBI acts as a regulator in a generally constrained manner and rarely imposes such broad fines, these limits may be perceived as excessive.

The restrictions on accepting new domestic clients have been lifted as a result of Mastercard’s satisfactory compliance with its storage of payment system data on June 2022. These bans, which were enforced for disobeying payment data localisation instructions, represent a change in regulatory strategy. They were put in place in accordance with the regulation which was adopted in 2018. 

Conclusion

The rule would significantly implement safeguards for user data, which is now a major concern worldwide. Additionally, this will ensure that investigations, which were previously difficult, will be made easier with the proper monitoring and surveillance. Most importantly, concerns regarding the security of users’ financial information will be allayed. The Reserve Bank of India’s decision to prohibit companies from onboarding new customers due to non-compliance is a good regulatory move. It suggests every payment service provider act right away to ensure compliance and store all customer and payment-related data only in India.

Read our Article:10 Major Digital Payment Methods available in India