RBI: Storage of Payment System Data | Sahil Ajitsaria

Published in Lucideus securityresearch · 3 min read · Feb 23, 2019

The regulatory guidelines issued by the Reserve Bank of India (RBI) with reference to RBI/2017–18/153 — DPSS.CO.OD №785/06.08.005/2017–2018 expect all companies that provide payment-related services to ensure that the entire data relating to the payment systems operated by them is stored in a system only in India. This data includes the full end-to-end transaction details and all information collected, carried or processed as part of the message or payment instruction. However, for the foreign leg of a transaction (if any), the data can also be stored in the foreign country, if required.

The system providers are required to ensure compliance latest by 15th October 2018 and to share the Company’s Board-approved System Audit Report (SAR) of the same, prepared by a CERT-IN empanelled auditor, latest by 31st December 2018. This directive is issued under Section 10(2) read with Section 18 of the Payment and Settlement Systems Act, 2007.

1. Data Storage

In this age of digitalization, almost all data is either already stored on servers or about to be. These servers may be hosted locally or in the cloud; whether that data sits on a private or a public cloud is a separate aspect.

The RBI guidelines expect every Company that owns or uses any payment system module or application to store all payment-related data in India, whether transaction details, database logs, application logs (if they contain customer data used for testing), or any other information carried, collected or processed.

In the case of local servers, you need to check whether the Datacenter hosting those servers is located in India. In addition to the location of the Datacenter, you also need to verify whether its Disaster Recovery (DR) site is located in India.

In the case of cloud-based servers, you need to validate the regions in which the data is stored, and validate the backup and DR sites of the cloud service provider for that region. You may check the different availability zones in that region, since different availability zones may act as backup and DR sites for that region. For example, in the case of AWS, there are different regions such as APAC Singapore, APAC Canada, APAC Mumbai, EU Ireland etc. You need to verify that (a) the server (instance) data is not stored in any region other than the APAC Mumbai region; and (b) there exist at least 2 availability zones in the APAC Mumbai region, with both availability zones acting as DR and backup sites for each other.
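As an added example (not part of the original post), the following Python models checks (a) and (b) above over a constructed resource inventory, including a DR snapshot that has drifted to another region. The region code ap-south-1 is assumed to be the AWS identifier for the APAC Mumbai region, and every inventory record is constructed, not taken from a real account.

```python
"""Data-residency check modelled on checks (a) and (b) above.

(a) no payment-data resource is stored outside the approved region;
(b) the approved region is used across at least two availability zones,
    so each zone can act as backup/DR for the other.
Assumption: ap-south-1 is the AWS region code for APAC Mumbai.
"""
APPROVED_REGION = "ap-south-1"
MIN_AZS = 2

# Constructed sample inventory (not from any real account), shaped like a
# simplified describe-* export: one record per resource that holds data.
INVENTORY = [
    {"id": "i-0aaa", "type": "ec2", "region": "ap-south-1",
     "az": "ap-south-1a", "payment_data": True},
    {"id": "i-0bbb", "type": "ec2", "region": "ap-south-1",
     "az": "ap-south-1b", "payment_data": True},
    {"id": "db-txn", "type": "rds", "region": "ap-south-1",
     "az": "ap-south-1a", "payment_data": True},
    # DR snapshot copied to Singapore: the out-of-India DR case sections 1 and 4 warn about.
    {"id": "snap-dr", "type": "rds-snapshot", "region": "ap-southeast-1",
     "az": None, "payment_data": True},
    # Non-payment data abroad is outside the rule's scope and must not be flagged.
    {"id": "s3-marketing", "type": "s3", "region": "eu-west-1",
     "az": None, "payment_data": False},
]

def out_of_region(inventory, approved=APPROVED_REGION):
    """Check (a): ids of payment-data resources stored outside the approved region."""
    return [r["id"] for r in inventory
            if r["payment_data"] and r["region"] != approved]

def az_coverage(inventory, approved=APPROVED_REGION):
    """Check (b): distinct AZs hosting payment data inside the approved region."""
    return sorted({r["az"] for r in inventory
                   if r["payment_data"] and r["region"] == approved and r["az"]})

def assess(inventory, approved=APPROVED_REGION, min_azs=MIN_AZS):
    """Run both checks; compliant only if (a) finds nothing and (b) meets min_azs."""
    offenders = out_of_region(inventory, approved)
    azs = az_coverage(inventory, approved)
    return {"out_of_region": offenders,
            "availability_zones": azs,
            "compliant": not offenders and len(azs) >= min_azs}

if __name__ == "__main__":
    for key, value in assess(INVENTORY).items():
        print(f"{key}: {value}")
```

On the sample inventory the Singapore snapshot fails check (a) even though the Mumbai instances already satisfy check (b), which is why the overall verdict is non-compliant.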

2. Vendor Agreements

The Company needs to make sure that it has valid vendor agreements with the service provider on whose platform the servers are hosted. These can be with regular service providers such as HP, IBM etc. for local data storage, or with cloud service providers such as AWS, Azure etc.

If your agreement has expired or is otherwise invalid, the service provider is not liable to any legal or financial penalties if your payment system data is leaked or is stored somewhere outside India without your knowledge. Thus, it is vital to have valid contracts/agreements in place, keeping your customers’ and your Company’s best interests in mind.

3. Log Management

All payment system logs, whether transaction logs, application logs or database logs, must be stored and retained in India only. For application testing, some testers tend to use real customer data instead of dummy data, even though this may not be the Company’s process. Since dummy data is generally randomly generated from someone’s imagination, it may be stored on servers outside India in order to save space, or merely as part of a structured approach to keeping dummy data out of the main systems running in India. Under these circumstances, if testers use real customer data for testing, the Company’s compliance is endangered.

Thus, all the logs need to be stored in the servers and systems in India.

4. Disaster Recovery

The Company must have a Disaster Recovery (DR) site for the payment system data in India only. If the Company has a typical local data storage server or a cloud-based server and the DR site server is located or hosted outside India, the Company shall be held responsible for breaching regulatory compliance.

5. Application Development Life Cycle

Development, testing and application hosting on the production environment must be done on servers in India only. Any data related to the payment system, whether in the development, testing, pre-production or production environment, must be stored in India in order to ensure compliance with the RBI guidelines.
