By Anuradha Gandhi and Rachita Thakur
What is a ‘Payment Gateway’?
On March 17, 2020, the Reserve Bank of India (hereinafter referred to as ‘RBI’) released ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ (hereinafter referred to as ‘PA & PG regulations’).[1] These regulations defined Payment Gateways (hereinafter referred to as ‘PGs’) as intermediary entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.
How do Payment Gateways handle User data?
How does Personal Data Flow through PGs?[2]
- Placing of Order – The Customer selects an item to order on the merchant’s website or app. At checkout, the customer provides her payment details including information related to credit card, debit card, UPI, mobile wallet, net banking based on the preferred mode of payment.
- PG encrypts the Payment Data – After receiving the payment data, the PG encrypts the data based on prescribed standards. Encryption is paramount for safeguarding sensitive information. During transmission, robust cryptography and security protocols such as Transport Layer Security (TLS) version 1.3 should be used for cardholder data. This significantly hampers attackers' ability to intercept and misuse the information.
- Data flows from the PG to Customer’s Bank – After the data is encrypted, the payment gateway forwards the encrypted data to the merchant’s bank which further forwards it either to card networks or UPI provider based on the mode of payment selected. It is then transmitted to the customer’s bank for verification of details and sufficient funds.
- Authorizing the transaction – After verifying the relevant details, the customer’s bank either approves or declines the transaction. This confirmation is forwarded to the merchant’s bank by the customer’s bank through the PG.
- Post approval data flow – If the customer’s bank approves the transaction, the funds are transferred to the merchant’s bank. The PG communicates the successful transaction to the merchant and the customer receives the order confirmation.
Does a PG store your personal information?[3]
Financial intermediaries like PAs and PGs are subject to similar data storage regulations as Payment System Operators (hereinafter referred to as ‘PSOs’)[4]. On April 6, 2018, RBI had released guidelines on Storage of Payment System Data (hereinafter referred to as ‘Storage Rules’).
Data Privacy Principles recommended for PGs:
As per the Storage Rules, a PG is recommended to adhere to the following requirements:
- Data Localization – It is advised that the entire data relating to payment systems operated by PGs is stored in a system only in India.
- What data can be stored? – Data related to full end-to-end transaction details, information collected, carried and processed as part of the message or payment instruction can be stored by the PGs.
- What data cannot be stored? – PGs should not store Customer card credentials.[5]
Further, as per international standards, PGs should only store cardholder data when it’s absolutely necessary for a specific business purpose. Crucially, sensitive authentication data, such as CVV numbers, must never be stored after a payment has been authorized. Clear data retention policies are essential, outlining how long data will be kept and ensuring secure deletion methods once it’s no longer needed.
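The two storage rules above, not retaining sensitive authentication data after authorization and deleting cardholder data once it is no longer needed, are concrete enough to show in code. The following is an added illustration, not code from the RBI circulars or from any gateway; the field names, the 90-day retention window and the sample records are constructed for the example. It drops sensitive authentication data (CVV, PIN block, track data) from a captured payment message, truncates the PAN to the first six and last four digits before the record is stored, and partitions stored records into those to keep and those to purge under the retention window.

```python
"""Scrub a captured payment message before persistence and apply a retention
window.  Added illustration: field names, the 90-day window and the sample
records are constructed for this example and are not taken from the RBI
circulars or from any gateway implementation."""
from datetime import datetime, timedelta, timezone

# Sensitive authentication data (PCI DSS term): must never be stored after
# authorization, even in encrypted form.  Field names are constructed.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track_data"}

RETENTION = timedelta(days=90)  # constructed retention window for the example


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable by truncation: keep at most the first six and
    last four digits and mask the remainder.  Accepts PANs with spaces."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(message: dict) -> dict:
    """Return a copy of the message that is safe to persist: sensitive
    authentication data removed, PAN truncated, everything else unchanged.
    Cardholder data that is kept (here: expiry) still needs protection at rest."""
    stored = {}
    for key, value in message.items():
        field = key.lower()
        if field in SENSITIVE_AUTH_FIELDS:
            continue  # never written to storage
        stored[key] = truncate_pan(value) if field == "pan" else value
    return stored


def partition_by_retention(records: list, now: datetime):
    """Split stored records into (keep, purge) by age against RETENTION."""
    keep, purge = [], []
    for record in records:
        (purge if now - record["stored_at"] > RETENTION else keep).append(record)
    return keep, purge


# Constructed sample input; 4111 1111 1111 1111 is a widely used test PAN.
SAMPLE_MESSAGE = {
    "txn_id": "txn-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "amount_inr": "2499.00",
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_STORED = [
    {"txn_id": "txn-old", "stored_at": NOW - timedelta(days=100)},
    {"txn_id": "txn-recent", "stored_at": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    print(scrub_for_storage(SAMPLE_MESSAGE))
    keep, purge = partition_by_retention(SAMPLE_STORED, NOW)
    print("keep:", [r["txn_id"] for r in keep], "purge:", [r["txn_id"] for r in purge])
```

The scrub step runs before the write, not as a later clean-up job: once sensitive authentication data has touched disk or a log, deleting it reliably is much harder than never storing it.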
Sectoral Regulations which governed PGs prior to the Data Protection Framework
- PGs under the Information Technology Framework, 2000
The Information Technology Act, 2000 (hereinafter referred to as ‘IT Act’)[6] and subsequent rules lay down an extensive governance framework for intermediaries. Section 2(w) of the IT Act includes ‘online payment sites’ within the definition of an intermediary for the purposes of the information technology framework.
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as ‘SPDI Rules’)[7] lay down an extensive framework of reasonable security measures to be adopted by intermediaries. Section 3(ii) of the SPDI Rules classifies financial information such as bank account, credit card, debit card or other payment instrument details as ‘sensitive personal data’. Therefore, PGs shall be classified as ‘intermediaries’ under the Information Technology Framework.
- PGs under the RBI regulations released in 2020
RBI’s PA & PG regulations define PGs as ‘financial intermediaries’. They lay down certain mandatory guidelines for Payment Aggregators (hereinafter referred to as ‘PAs’) and prescribe the same guidelines for Payment Gateways, allowing them to adopt the same as best practices.
RBI further recommends that all PSOs, PAs and PGs comply with the Payment Card Industry Security Standards Council’s (hereinafter referred to as ‘PCI SSC’) Data Security Standard (hereinafter referred to as ‘PCI DSS’). While it is mandatory for PSOs and PAs, it remains discretionary for PGs, who may comply with these standards as a measure of best practice. PCI SSC is an international body which prescribes security standards for data protection to enhance global payment account data security from time to time. The latest Data Security Standard issued by PCI SSC is Version 4.0, released on March 31, 2022.[8]
Data Protection Obligations of PGs under these Frameworks
A PG, playing the role of a data fiduciary, shall be liable to conform to the provisions of the DPDPA along with the sectoral laws and rules such as IT Act and RBI Guidelines. Some of the main obligations of PGs would be as follows:
Consent Obligations of PGs
Under the SPDI Rules, PGs are obligated to obtain the consent of the information provider or the person concerned in writing. They shall also make sure that, before giving consent, the person concerned is aware that her personal data is being collected, of the purpose of the collection, of the recipients of the information, and of the name and address of the agency that is collecting and retaining the data.
Data Management by PGs
Further, under the SPDI Rules, PGs shall not retain personal information for longer than is necessary to fulfil the purpose for which it was collected and used. The information collected shall only be processed for the stated purpose. Where necessary, PGs may share sensitive personal information only with organizations that maintain the same level of data protection as the PG.
Data Breach Notification
Under the Information Technology Framework, in the event of a data breach, PGs shall be required to demonstrate that they have implemented security control measures as per their documented information security programme and information security policies. Additionally, PGs will have to adhere to the Indian Computer Emergency Response Team’s (hereinafter referred to as ‘CERT-In’) guidelines on reporting cyber security incidents. CERT-In prescribes a 6-hour time period for reporting any cyber security incident. This time period starts from the point when the affected entity gains knowledge of the incident.
Upholding the Rights of Data subjects/ principals:
- Right to access – PGs are obligated to permit the information providers to review their personal information upon request.
- Right to correction – Upon gaining knowledge that a particular personal information is inaccurate or deficient, PGs shall correct or amend such information.
- Right to opt out – PGs shall provide the information providers with the option not to share their sensitive personal information before collecting any data.
- Right to Withdraw Consent – The information provider shall have the option to withdraw its consent given earlier.
- Right to Grievance Redressal – PGs shall address all grievances of information providers in a timely manner. They shall designate a Grievance Officer and publish the officer’s name and contact details on their website. The Grievance Officer shall redress grievances within one month.
Policy Disclosure Obligations of PGs
As intermediaries, PGs shall be obligated to have a privacy policy for handling of personal information including sensitive personal data. This privacy policy shall be made available to all users. The contents of such privacy policy must include:
- Type of Personal or Sensitive data collected by the PG
- Purpose of collection and usage of such data
- Third Party data sharing and Personal Data disclosure policy
- Reasonable security practices implemented by the PG
Reasonable Security Practices
PGs shall implement managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business. PGs may use international standards such as IS/ISO/IEC 27001 as a measure of data protection practice. The applicable standards may be updated by notifications issued by the Central Government from time to time. RBI also prescribes Baseline Technology-related Recommendations for Best Practices by PGs, which include:
- Implement a comprehensive security risk assessment to identify risk exposures, remedial measures and residual risks.
- Comply with Data security standards and best practices like PCI-DSS, PA-DSS and latest encryption standards.
- Submit monthly cyber security incident reports with root cause analysis and preventive actions undertaken to RBI.
- Implement an Information Security Policy which is to be reviewed annually. This policy may include information security organizational structure, information security roles and data classification.
- Create an IT steering committee to assist the Executive Management in implementation of the IT strategy approved by the Board.
- A Cyber Crisis Management Plan shall be formulated and must include components such as Detection, Containment, Response and Recovery.
- Develop Payment Applications as per PCI’s Payment Application Data Security Standard (hereinafter referred to as ‘PA-DSS’).
Access Control based on Principle of Least Privilege
Under the PCI DSS, access should be strictly limited to only what’s necessary for fulfillment of an individual’s role to protect cardholder data. This means implementing a “need-to-know” basis for all personnel. PGs must establish clear security parameters and utilize role-based access control systems to define and enforce these limits effectively. Furthermore, access rights need to be reviewed every quarter to guarantee they remain appropriate and necessary for each individual.
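The passage above describes three controls: deny anything not tied to a role, define roles narrowly enough that no one holds access they do not need, and re-certify every individual's rights each quarter. The block below is an added illustration of those controls and is not taken from PCI DSS or from any gateway's code; the roles, actions, users and review dates are constructed for the example. Unknown roles grant nothing, an action that appears in no role is denied to everyone, and two checks list users whose access review is overdue and users holding a role the policy does not recognise.

```python
"""Deny-by-default role-based access decisions for a gateway's cardholder data
environment, plus a quarterly access-review check.  Added illustration: roles,
actions, users and dates are constructed for this example and are not taken
from PCI DSS or from any gateway implementation."""
from datetime import date, timedelta

# Constructed role -> permitted actions.  Deliberately, no role grants
# "view_full_pan": an action absent from every role is denied to everyone.
ROLE_PERMISSIONS = {
    "payment_ops": {"view_masked_pan", "issue_refund"},
    "dba": {"run_backup", "restore_backup"},
    "auditor": {"read_audit_log"},
}

REVIEW_INTERVAL = timedelta(days=91)  # constructed: roughly one quarter

# Constructed user directory; last_review is when the user's rights were last certified.
USERS = [
    {"id": "u-ops", "roles": {"payment_ops"}, "last_review": date(2024, 12, 2)},
    {"id": "u-dba", "roles": {"dba"}, "last_review": date(2024, 8, 20)},
    {"id": "u-audit", "roles": {"auditor"}, "last_review": date(2024, 10, 15)},
    {"id": "u-legacy", "roles": {"legacy_admin"}, "last_review": date(2024, 12, 20)},
]
TODAY = date(2025, 1, 1)


def permitted_actions(user: dict) -> set:
    """Union of the actions granted by the user's recognised roles.
    A role missing from ROLE_PERMISSIONS contributes nothing."""
    perms = set()
    for role in user["roles"]:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: dict, action: str) -> bool:
    """Deny by default: only an explicitly granted action is allowed."""
    return action in permitted_actions(user)


def overdue_reviews(users: list, today: date) -> list:
    """IDs whose access rights have not been re-certified within REVIEW_INTERVAL."""
    return sorted(u["id"] for u in users if today - u["last_review"] > REVIEW_INTERVAL)


def unrecognised_roles(users: list) -> list:
    """IDs holding a role the policy does not define (grants nothing, but should be cleaned up)."""
    return sorted(u["id"] for u in users if not u["roles"] <= set(ROLE_PERMISSIONS))


if __name__ == "__main__":
    for user in USERS:
        print(user["id"], "->", sorted(permitted_actions(user)))
    print("overdue reviews:", overdue_reviews(USERS, TODAY))
    print("unrecognised roles:", unrecognised_roles(USERS))
```

Keeping the action list per role explicit also makes the quarterly review concrete: the reviewer certifies a short list of named actions per person rather than an opaque group membership.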
Multi-Factor Authentication while accessing company servers
Under the PCI DSS, to maintain robust security, every user should be assigned a unique ID for system access. Additionally, password policies must be strictly enforced, requiring complex passwords that are changed regularly and prohibiting the reuse of old passwords. This multi-pronged approach helps prevent unauthorized access and strengthens overall system security.
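As an added illustration of the account controls just described (unique IDs per person, complexity rules, regular rotation and no reuse of previous passwords), the block below checks a candidate password against a constructed policy, keeps password history as salted hashes so reuse can be detected without storing old passwords in clear, and flags login IDs shared by more than one person. This is example code, not the page's or any gateway's; the thresholds (12 characters, four-password history, 90-day rotation) are chosen for the example and should be confirmed against the PCI DSS version in force for your environment.

```python
"""Password-policy and unique-ID checks for accounts that can reach a
gateway's servers.  Added illustration: thresholds, accounts and passwords
are constructed for this example; confirm the thresholds against the PCI DSS
version that applies to you."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12                  # constructed threshold
HISTORY_DEPTH = 4                # constructed: previous passwords that may not be reused
MAX_AGE = timedelta(days=90)     # constructed rotation period
PBKDF2_ROUNDS = 200_000


def complexity_errors(password: str) -> list:
    """Return the rules a candidate password fails; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("length")
    if not any(c.isalpha() for c in password):
        errors.append("alpha")
    if not any(c.isdigit() for c in password):
        errors.append("digit")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history holds these digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str) -> None:
    """Record a newly set password's (salt, digest), keeping the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any remembered password (constant-time compare)."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def rotation_due(last_changed: date, today: date) -> bool:
    return today - last_changed > MAX_AGE


def shared_ids(accounts: list) -> list:
    """Login IDs used by more than one person; every individual needs a unique ID."""
    owners = {}
    for acct in accounts:
        owners.setdefault(acct["login"], set()).add(acct["person"])
    return sorted(login for login, people in owners.items() if len(people) > 1)


# Constructed sample data.
HISTORY = []
for previous in ["CorrectHorse9!", "OldPass2023!"]:
    remember(HISTORY, previous)

ACCOUNTS = [
    {"login": "asha.k", "person": "Asha K"},
    {"login": "svc_shared", "person": "Asha K"},
    {"login": "svc_shared", "person": "Rahul M"},
]

if __name__ == "__main__":
    print(complexity_errors("Sh0rt!"), complexity_errors("Tr0ub4dor&3xtra"))
    print("reused:", is_reused("CorrectHorse9!", HISTORY))
    print("rotation due:", rotation_due(date(2024, 9, 1), date(2025, 1, 1)))
    print("shared ids:", shared_ids(ACCOUNTS))
```

Storing the history as salted digests matters: a password-history table of plaintext or unsalted hashes would itself be a store of credentials worth protecting, which defeats the purpose of the control.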
How will the Data Protection Framework impact the operations of PGs?
Status of PGs under the Data Protection Framework, 2023
To determine the scope and applicability of the provisions of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’), it is essential to understand the role played by PGs in specific personal data transactions. A data fiduciary determines the purposes and means of collecting personal information, while a processor simply processes data on behalf of such fiduciary and under its instruction, without deciding the purposes or core methods.[9] The United Kingdom’s Information Commissioner’s Office provides guidance through illustrations for determining data fiduciary and data processor status in practical situations.
Applying the essence of these illustrations to PGs, it is clear that the merchant usually determines the purpose of data processing. The PG processes payment data on behalf of the merchant, based on the merchant’s instructions, for tasks such as transaction authorization and fraud detection. It makes operational decisions on how to securely transmit and store data but does not decide why the data is collected. Therefore, PGs are usually data processors for the merchant. However, an exception may exist if the PG uses data beyond the merchant’s instructions for its own purposes, such as marketing or analytics, in which case it may be considered a data fiduciary.[10]
Additional Obligations for PGs under the DPDPA, 2023
If the scope of collection and the purpose of processing personal data are determined to be for the PG’s own purposes and beyond the instructions of the relevant merchant, the PG shall, to that extent, be considered a data fiduciary. In such a case, the obligations prescribed under the DPDPA shall apply to the PG. The DPDPA prescribes certain obligations in addition to the sectoral regulations. A brief overview is as follows:
- Upholding the Data Principal’s Right to Erasure: The PG shall be obligated to delete the personal data upon the earlier of either the data principal withdrawing her consent or if the specified purpose for the processing of personal data is no longer being served.
- Appointing competent Personnel for Grievance redressal: Although the sectoral laws obligate PGs to implement a grievance redressal mechanism, under the DPDPA a grievance redressal mechanism specific to personal data management concerns must be established. The PG shall publish the contact details of the personnel who can answer questions raised by the data principal on behalf of the data fiduciary. An effective mechanism to redress grievances of data principals must also be established.
- Incomplete or Inaccurate personal data must not be the basis of any decision that may affect the Data Principal: Under the DPDPA, PGs shall ensure the completeness, accuracy and consistency of personal data when it is likely to be used to make a decision that affects the data principal or to be disclosed to another data fiduciary.
- Reporting of Personal Data Breach to the Data Protection Board of India: Under the DPDPA, in the event of a personal data breach, the PG shall notify the data protection board and the affected data principals about such breach in the prescribed format.
Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.
[1] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0#A_2
[2] https://www.oflox.com/blog/how-payment-gateway-works/#How_Payment_Gateway_Works_in_India
[3] https://paytabs.com/en/what-does-a-payment-gateway-do-with-your-data/
[4] Annex 2, Para 2.3, PA & PG regulations
[5] Annex 2, Para 2.1, PA & PG regulations
[6] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
[8] https://datadome.co/learning-center/pci-compliance-checklist/
[9] https://www.lakshmisri.com/insights/articles/decoding-fiduciaries-and-processors-the-dpdpa-lens/#