The central bank said that while there is no bar on the processing of payment transactions outside India, the PSOs will have to ensure the data is stored only in India after the processing.
The Reserve Bank of India (RBI) on June 26 issued clarifications on certain implementation issues sought by Payment System Operators (PSOs) on the 'Storage of Payment System Data' regulations.
In a circular issued on April 06, 2018, the central bank had advised all system providers to ensure that within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India.
As per the latest clarifications, while there is no bar on the processing of payment transactions outside India, the PSOs will have to ensure the data is stored only in India after the processing.
In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India. The data stored in India can be accessed for handling customer disputes, whenever required.
The payment system data may be shared with an overseas regulator if required, but with the approval of RBI.
The data storage norms will be applicable to all banks operating in India as they are participants in the payments system such as RTGS, NEFT, NPCI and card schemes. There will be some exceptions though. Some banks, especially foreign, that had been permitted to store the banking data abroad may continue to do so.
However, in respect of domestic payment transactions, the data shall be stored only in India. For cross border payment transactions, the data may also be stored abroad.
The data stored domestically must include end-to-end transaction details and information related to payment or settlement transaction collected or processed as part of a payment. This may include information such as customer name, mobile number, email, Aadhaar number, PAN number; payment sensitive data such as customer and beneficiary account details; payment credentials such as OTP, PIN, Passwords, among other things.For cross-border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component can also be stored abroad, if required.