The Reserve Bank of India has clarified that foreign payment companies such as Mastercard and Visa can process transactions made in India outside the country but related data should be stored in country after processing.
The central bank on Wednesday issued a “frequently asked questions” document on storing data to clarify its April 2018 directive that mandated foreign firms to store their payments data within the country for “unfettered access... for supervisory purposes”. The directive did not mention if data could be processed abroad.
“In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier,” the central bank said on Wednesday. “The same should be stored only in India.”
The clarification came a week after the Ministry of Commerce and Industry said the Reserve Bank of India would look into concerns regarding its strict data localisation rules. International firms opt to store data on global servers as the requirement to store data within the country would require additional investment.
The Reserve Bank of India also said that that in case of cross-border transactions, a copy of the domestic data can be stored abroad.
The central bank said data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions. “This may, interalia, include – customer data (name, mobile number, email, Aadhaar number, PAN number, etc), payment sensitive data (customer and beneficiary account details) payment credentials (OTP, PIN, passwords, etc.), and, transaction data (originating and destination system information, transaction reference, timestamp, amount, etc.),” it added.
The data can be shared with the overseas regulator, if required, depending on the nature or origin of transaction after obtaining its approval, the central bank said.