Erase payment data from foreign servers in 24 hrs, says RBI
A week after commerce minister Piyush Goyal met representatives of the payments industry and the central bank, the Reserve Bank of India (RBI) on Wednesday clarified that in case of cross-border transactions, a copy of the domestic data can be stored abroad.
“For cross-border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required,” it said.
While the RBI’s April 2018 circular had said that in the foreign leg of transactions, “data” can also be stored in the foreign country, it did not specify if domestic data could be stored. However, experts said companies still have to store data locally as per the earlier circular. A senior executive at a global payment processing company, requesting anonymity, said that the RBI’s clarification does not change the data localization norms and only resolves some ambiguities in the circular. “We have always interpreted that the word data includes domestic data as well in case of cross-border transactions,” he said.
The RBI had, on April 6, 2018, asked payment system operators to store data related to payments in India. These regulations were expected to affect companies like Mastercard, American Express, Amazon, Facebook, Microsoft, Visa and PayPal, which would be forced to store data locally.
The founder of an information technology think-tank, who declined to be named, said the RBI is still saying that domestic transactions should be completed in India, because otherwise India’s domestic payments systems could come to a grinding halt if the overseas entity faces any issue.
The RBI clarified that there is no bar on overseas processing of strictly domestic transactions; however, in such cases, the data shall be stored only in India after the processing. “In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India,” it said.
The regulator also said the data may be shared with the overseas regulator, if so required, depending upon the nature and origin of transaction, with due approval of the RBI.
The RBI said data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions. “This may, inter alia, include: customer data (name, mobile number, email, Aadhaar number, PAN number, etc.); payment sensitive data (customer and beneficiary account details); payment credentials (OTP, PIN, passwords, etc.); and, transaction data (originating and destination system information, transaction reference, timestamp, amount, etc.),” it said.