Guidelines For Storage Of Payment Data

Published date: 03 August 2021
Subject Matter: Finance and Banking, Compliance, Financial Services
Law Firm: S.S. Rana & Co. Advocates
Author: S.S. Rana & Co. Advocates

In a recent development, the Reserve Bank of India (RBI) barred American Express Banking Corp. and Diners Club International Ltd. from onboarding new customers from May 01, 2021. The RBI passed the order due to non-compliance with its directions and guidelines on the Storage of Payment System Data.

Storage of Payment System Data - RBI

With the advancement of technology and a drastic increase in digital payments, there has been a significant increase in the data shared through digital transactions. Authorities need to supervise the access to and storage of such data in order to safeguard it. In order to have unrestricted supervisory access to the data stored by such global players, the Reserve Bank of India (RBI) issued guidelines [1] on April 6, 2018 on Storage of Payment System Data.

OBJECTIVE

Under these guidelines, all Payment System Providers, banks functioning as operators of a payment system, intermediaries, payment gateways, etc., were mandated to store all data relating to payment systems only in India. The primary objective behind issuing the guidelines was to reduce the risk of a data privacy breach relating to payment information and customer data. The guidelines also state that all Payment System Providers have to submit a System Audit Report (SAR) reporting on the progress made in implementing the directions issued. The SAR had to be submitted to the RBI by December 31, 2018.

DATA REQUIRED TO BE STORED

According to the FAQs released by RBI on the Storage of Payment Data [2], the following data needs to be stored in India -

  1. End-to-end transaction details
  2. Information pertaining to a payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction.

Including -

  • Customer data (Name, Mobile Number, Email, Aadhaar Number, PAN number, etc. as applicable);
  • Payment sensitive data (customer and beneficiary account details);
  • Payment Credentials (OTP, PIN, Passwords, etc.); and,
  • Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).

All Payment System Providers were directed to comply with the directions issued by the RBI within a period of six months from the date of issue of the guidelines, i.e. April 06, 2018, and to report compliance to the RBI by October 15, 2018.

In light of the same, the RBI has, in an order [3] passed on April 23, 2021, barred American Express Banking Corp. and Diners Club International...
