India’s Data Localisation for Payment Systems: Origins, evolution, and the road ahead

The author argues that these regulations need to be examined, with a proper assessment of the consistency of the standards they mandate, including any potential ambiguities

November 07, 2024 / 18:51 IST
By Huzefa Tavawalla and Palak Kapoor

According to the Reserve Bank of India's (RBI) Currency and Finance report for 2023-24, the average cost of a data breach in India reached $2.18 million in 2023. This is a 23% uptick from the previous year and 15% across the last three years. This worrying trend has prompted the RBI to adopt stricter mechanisms to prevent data breaches, especially with respect to sensitive financial data. One of the most sensitive forms of such financial data is payments data. Since 2018, the RBI has introduced a series of regulations aimed at mandating the localisation of payments data to ensure its security. These regulations cover areas such as the storage of payments data, the conduct of payment aggregators, and the tokenisation of card details.

This article scrutinises these regulations to assess the consistency of the standards they mandate and to identify any ambiguities that may exist.

Analysis of the RBI’s guidelines on payments systems

The first important regulation, and the inception point of data localisation, was the directive on ‘Storage of Payment System Data’ issued in 2018. It was followed by FAQs issued in 2019 for better clarity. This directive stated that the entirety of transaction payment data should be stored in a system ‘only in India’. The move was aimed at preventing the storage of payment transaction data overseas and at giving the RBI access to that data when required. Further, the directive allowed processing of the data overseas in limited situations, but mandated that the data be deleted abroad and brought back to India within one business day or 24 hours from payment processing (whichever is earlier) and stored in India. Moreover, for cross-border transaction data generated in a transaction with both a foreign and a domestic component, a copy of the domestic component was allowed to be stored abroad.

The second set of regulations was the guidelines on Payment Aggregators (PAs) and Payment Gateways of 2020. These guidelines stated that PAs and merchants were not permitted to store customer card data on their databases or on servers accessed by merchants. The guidelines further specified that preventive measures should be adopted to ensure that the data was not stored in infrastructure belonging to external jurisdictions, and that appropriate controls should be implemented to prevent unauthorised access to the data. These guidelines were followed by a clarification in 2021, which stated that merchant entities were not allowed to store payment data, irrespective of their PCI-DSS compliance, other than a limited amount of data for transaction tracking. However, an ambiguity emerged in the clarification: while the main guidelines restricted merchants from storing customer card data, the clarification was broader, extending the restriction to all forms of payment data (which goes beyond just customer card data).

The final piece of the regulatory framework was the introduction of tokenisation. Under this framework, tokenisation replaced actual card details with a unique token, reducing the risk of fraud by limiting the exposure of sensitive card information. The tokenisation guidelines mandated that only card issuers and card networks could store actual card data, with all previously stored card data required to be purged. However, entities were allowed to retain the last four digits of the card number and the card issuer’s name for transaction tracking or reconciliation purposes.
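The tokenisation model just described can be illustrated in code. The following is an added example, not code from the article, the RBI, or any card network: an issuer/network-side vault holds the mapping from a random token to the full card number (PAN), while the merchant or PA side keeps only the token, the last four digits and the issuer name. A purge-check function scans a merchant record for anything that still looks like a full PAN. The role names, the Luhn pre-check, the 13-19 digit PAN heuristic and the sample card number are all assumptions constructed for this example.

```python
"""Added illustration (not from the article): a minimal card-tokenisation flow.

The issuer/network side keeps a vault mapping random tokens to the full PAN;
the merchant/PA side keeps only the token, the last four digits and the issuer
name. A scan function checks that no full PAN survives in merchant records.
Card numbers used below are constructed test values, not real cards.
"""
import re
import secrets
from dataclasses import dataclass

# Assumption for the example: only the issuer/network role may detokenise.
ALLOWED_DETOKENISERS = {"issuer", "card_network"}

# Heuristic (assumed for the example): a 13-19 digit run is treated as a PAN.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used only to reject malformed input."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Issuer/network-side store: the only place the full PAN lives."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("malformed card number")
        # Random, unpredictable token: carries no information about the PAN.
        token = "tok_" + secrets.token_urlsafe(16)
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str, caller_role: str) -> str:
        """Return the PAN only to roles permitted to hold card data."""
        if caller_role not in ALLOWED_DETOKENISERS:
            raise PermissionError(f"role {caller_role!r} may not detokenise")
        return self._token_to_pan[token]


@dataclass(frozen=True)
class MerchantRecord:
    """What a merchant/PA keeps after tokenisation: no full PAN."""
    token: str
    last4: str
    issuer_name: str


def build_merchant_record(vault: TokenVault, pan: str, issuer_name: str) -> MerchantRecord:
    """Tokenise the PAN and keep only the permitted residual fields."""
    token = vault.tokenise(pan)
    return MerchantRecord(token=token, last4=pan[-4:], issuer_name=issuer_name)


def contains_full_pan(record: MerchantRecord) -> bool:
    """Purge check: True if any stored field still looks like a full PAN."""
    return any(PAN_PATTERN.search(str(v)) for v in vars(record).values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample PAN (passes Luhn; not a real card).
    rec = build_merchant_record(vault, "4111111111111111", "Example Bank")
    print(rec)
    print("full PAN present in merchant record:", contains_full_pan(rec))
    print("issuer can recover PAN:", vault.detokenise(rec.token, "issuer") == "4111111111111111")
```

The point of the split is that a merchant-side breach exposes tokens and last-four digits only, which cannot be used to reconstruct the card number, while detokenisation is confined to the roles the guidelines allow to hold card data.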

Business Challenges

As transactions become increasingly global, complying with localisation requirements for end-to-end transaction data can be challenging. The mandated localisation could instead be narrowed to the data that genuinely needs vigilance, such as card data. Notably, the upcoming Digital Personal Data Protection Act of 2023 also does not impose any data localisation requirements.

Furthermore, while these regulations focus on securing financial data through measures such as tokenisation and data localisation, they introduce several practical challenges for merchants and payment processors. Notably, there is ambiguity regarding the transfer of tokens to third parties and whether tokens are subject to data localisation requirements.

Additionally, the regulation limiting storage to the last four digits of the card number and the card issuer's name for transaction tracking may not align with the needs of merchants, who often require additional information, such as customer names, BIN (Bank Identification Number) details, and card network names, to enhance customer service and implement fraud detection measures. Restricting access to these additional details could hinder efforts to combat fraud and identify potential risks in the payment ecosystem. Therefore, expanding the permissible data storage to include BIN and card network information would be beneficial.

Lastly, the rationale behind restricting regulated entities like Payment Aggregators from storing customer card data, especially when they are directly overseen by the RBI, is unclear. A more detailed explanation of this policy would help clarify its impact on the payment ecosystem and the role of PAs in protecting consumer card data.
