The Reserve Bank of India (RBI) has clarified on Wednesday that payment system providers need to store entire payments data in a system only in India.
Following clarifications sought by Payment System Operators (PSOs), RBI has released frequently asked questions (FAQ), in which it said data processed abroad would have to be brought back to the country within 24 hours.
“The entire payment data shall be stored in systems located only in India,” RBI clarified in the FAQ.
“The data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction,” the RBI said.
The data could be pertaining to customer data like name, mobile number, Aadhaar number, PAN; Payment-sensitive data like customer and beneficiary account details; payment credentials like OTP, PIN and, transaction data such as originating and destination system information amount, among others.
The RBI further clarified that in case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India within one business day or 24 hours from the payment processing, whichever is earlier.
The central bank had issued a directive in April 2018 on ‘storage of payment system data’ where it advised that all system providers to ensure that within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India.
The FAQs further said there is no bar on processing of payment transactions outside India if so desired by the PSOs. “…the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data,” the RBI said.
The data can be shared with the overseas regulator, if required, depending upon the nature/origin of transaction with prior approval of the RBI.