Guidelines for Storage of Payment Data

July 20, 2021

In a recent development, the Reserve Bank of India (RBI) barred American Express Banking Corp. and Diners Club International Ltd. from onboarding new customers from May 01, 2021. The order has been passed by RBI due to non-compliance with its directions and guidelines on the Storage of Payment System Data.

Storage of Payment System Data - RBI

With the advancement in technology and a drastic increase in digital payments, there is a significant increase in the data being shared through such digital transactions. There is a need for supervision by authorities to safeguard the access and storage of such data. In order to have unrestricted supervisory access to the data stored by such global players, the Reserve Bank of India (RBI) issued guidelines[1] on April 6, 2018 on Storage of Payment System Data.

OBJECTIVE

Under these guidelines, all the Payment System Providers, banks functioning as operators of a payment system, intermediaries, payment gateways etc., were mandated to store all the data relating to payment systems only in India. The primary objective behind issuing such guidelines was to reduce the risk of a data privacy breach relating to the information on payments and customer data. The guidelines also state that all the Payment System Providers have to submit a System Audit Report (SAR) reporting on the progress of implementation of the directions issued. The SAR had to be submitted to the RBI by December 31, 2018.

DATA REQUIRED TO BE STORED

According to the FAQs released by RBI on the Storage of Payment Data[2], the following data needs to be stored in India –

  1. End-to-end transaction details
  2. Information pertaining to payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction.

Including –

  • Customer data (Name, Mobile Number, Email, Aadhaar Number, PAN number, etc. as applicable);
  • Payment sensitive data (customer and beneficiary account details);
  • Payment Credentials (OTP, PIN, Passwords, etc.); and,
  • Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).

All the Payment System Providers were directed to comply with the directions issued by the RBI within a period of six months from the date of issue of guidelines, i.e. April 06, 2018, and report compliance of the same to the RBI by October 15, 2018.

In light of the same, the RBI has, in an order[3] passed on April 23, 2021, barred American Express Banking Corp. and Diners Club International Ltd. from onboarding new customers from May 01, 2021. The order has been passed by RBI due to non-compliance with the directions on Storage of Payment System Data. However, the ban imposed by RBI will not affect existing customers[4]. American Express and Diners Club are Payment System Operators who are authorised under the Payment and Settlement Systems Act, 2007. The order passed by RBI constitutes the first set of penalties meted out for non-compliance[5].

CONCLUSION

The order passed by RBI barring entities from onboarding new customers on account of legal non-compliances is a welcome decision towards ensuring strict compliance with the Storage of Payment Guidelines issued by RBI. However, it is important for the Payment Service Providers to take immediate action and ensure compliance with the directions issued by RBI and to store all such customer and payment related data only in India to avoid any unnecessary regulatory repercussions.

[1] Guidelines on Storage of Payment Data, RBI, available at, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244

[2] FAQ on Storage of Payment Data, RBI, available at, https://m.rbi.org.in/Scripts/FAQView.aspx?Id=130

[3] Press Release, RBI, available at https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=51471

[4] RBI Restricts American Express, Diners Club From Enrolling New Customers From May 1, NDTV, available at https://www.ndtv.com/business/rbi-restricts-american-express-diners-club-from-enrolling-new-customers-may-1-onwards-2420540

[5] Total Ban: RBI restricts Amex and Diners Club from acquiring new customers, available at, https://www.financialexpress.com/industry/banking-finance/total-ban-rbi-restricts-amex-diners-club-from-acquiring-new-customers/2239158/
