Norm on Storage of Payment System Data by RBI

RBI norm on Payment Data

Given current trends in data storage technology, data is usually kept in multiple locations so that data centres have backups. RBI’s mandate that all payment operators (global and local) in India store all end-to-end transaction data “only within the country” has created a buzz in the payment ecosystem worldwide. The mandate applies to every company handling payments data, from fintech firms that offer peer-to-peer money transfers to gateway operators that operate globally for international fund transfers.

RBI states that, for better monitoring and surveillance of transactional data, it requires easy and unrestricted supervisory access to data stored in the payment ecosystem. The intention behind the regulation is quicker resolution of payment-related breach cases, as forensic investigators will have unrestricted access to the breach environment. Also, with local laws and regulations in place, it becomes much easier to get service providers to co-operate in forensic investigation activities.

The constraint on storing payment data only inside India might lead to dismay amongst global giants like Google, WhatsApp and Amazon, which have UPI-based payment applications and usually operate from foreign countries.

With this RBI regulation, we can also expect a wider expansion of data storage/co-location business in the Indian market.

The circular for payment operators includes the following major items:

  • (i) All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
  • (ii) System providers shall ensure compliance of (i) above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
  • (iii) System providers shall submit the System Audit Report (SAR) on completion of the requirement at (i) above. The audit should be conducted by CERT-IN empanelled auditors certifying completion of activity at (i) above. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank not later than December 31, 2018.

It is mentioned that CERT-In empanelled auditors are authorized to perform certification for payment storage; however, RBI is yet to share the detailed instructions on audit coverage for auditors.

How can SISA help?

As a CERT-In empanelled auditor, SISA is authorized to perform certification for payment storage for all organisations. SISA is also a global player in payment security, and this knowledge helps us identify the scope and storage locations.

SISA will follow a 3-phased approach:

  • Phase 1 – Audit
    SISA will conduct an initial audit to understand the organization's infrastructure and help the organization identify all the storage locations that contain any payment-related data.
  • Phase 2 – Remediation
    If any payment data is identified, SISA will provide remediation support for complying with the RBI mandate.
  • Phase 3 – Confirmation Letter
    As part of the final phase, we review evidence of closure of the action points identified during the audit and share the confirmation letter stating that all payment-related data resides inside India.


RBI Notice:


Shruthi Prakash
PCI QSA in the Risk and Compliance team. Her work focuses on conducting PCI audits and assisting organizations in implementing PCI controls; she is also a trainer for CPISI workshops.