The Reserve Bank of India (RBI) has said that the payment system providers need to store entire payments data in a system only in India.
The central bank has released frequently asked questions (FAQ), in which it said the data processed abroad would have to be brought back to the country within 24 hours. RBI said this in regards to the clarifications sought by Payment System Operators (PSOs).
“The data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction,” the RBI said.
The data could be pertaining to customer data like name, mobile number, Aadhaar number, PAN; Payment-sensitive data like customer and beneficiary account details; payment credentials like OTP, PIN and, transaction data such as originating and destination system information amount, among others.
The central bank further clarified that in case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India within one business day or 24 hours from the payment processing, whichever is earlier.
The RBI had issued a directive in April 2018 on storage of payment system data where it advised that all system providers ensure that within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India.
The FAQs further said there is no bar on the processing of payment transactions outside India if so desired by the PSOs. “…the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data,” the RBI said.
The data can be shared with the overseas regulator, if required, depending upon the nature/origin of the transaction with prior approval of the RBI, the central bank said.