Mandate by RBI Regarding On-Soil Storage of Payments Data – Here Is What You Need to Know
Technology vendors across the world, including Microsoft, Amazon, and Oracle, have stepped up efforts in recent years to enable companies to store data, applications, platforms and infrastructure virtually, affirming how safe and secure data is in the cloud. But several data breaches and scandals in the past year paint an entirely different picture: the Facebook scandal, where the data of over 87 million users was misused, or the ATM malware attack known as “jackpotting” in the US, where cyber criminals were able to steal more than $1 million. The list is practically endless. In the wake of such privacy-related events, the Reserve Bank of India (RBI) has announced a mandate that requires all payment system operators in the country to store all their data domestically.
What the Mandate Says
Following the demonetization drive, the digital payments industry has witnessed a massive surge, with a growing number of foreign players looking to foray into India and cash in on the growing opportunity. According to Credit Suisse, digital payments in India are expected to reach $1 trillion by 2023. Such a dramatic increase in digital transactions also means that the financial and personal data of millions of Indian users is being stored outside the country, which is a cause of concern for payment regulators. With such uproar in the industry, the RBI announced the mandate for domestic storage of all data, which must be met by 15th October 2018. The RBI states: “In recent times, the payment ecosystem in India has expanded considerably with the emergence of new payment systems, players and platforms. Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches while maintaining a healthy pace of growth in digital payments.”
With only certain payment system operators storing payment data in the country, supervision of data has been a tough task. In order to have seamless access to all payment data for supervisory purposes, including “full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction”, the new mandate will require all payment data to be stored only inside the country. This will ensure better monitoring and enable “unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem”.
How Will the Mandate Benefit?
Although the mandate has come as a surprise to many operators – especially foreign players who store all their data overseas – it is only going to benefit them in myriad ways.
- Increased visibility: Until now, there were no clear guidelines on where operators could store payment data. While several operators stored the data domestically, others stored it across multiple global data centers, and still others in the cloud. In the absence of any guideline and with no standardization in data storage, tracking data and knowing where it resides is almost impossible. Now that the RBI has laid out the requirements, end-to-end visibility across the entire payment chain can be achieved.
- Easier accessibility: When data generated by payment transactions is stored across servers located internationally (or in private clouds) where data regulations and guidelines are strict, getting access is not easy. Although the data might belong to you, the sovereign power of the country where the data is stored can determine whether Indian enforcement agencies can access the data or not. The new mandate will allow seamless access to the data while ensuring reliability and consistency.
- Quicker investigation: With payment data being stored across nations, investigation of security incidents is a major challenge since most data centers are unwilling to share any information. The investigation of an incident has to go through multiple levels of authorizations and approvals, which only delays the end result. The mandate is set to make security incident investigation easier and quicker, helping authorities to bring criminals to justice sooner.
- Security of critical payment data: With several global companies like Google, Mastercard, Visa, Amazon and WhatsApp operating payment services in India, there is a high likelihood that data will be stored in data centers outside India, where it will be difficult to track, manage and safeguard. The new mandate will compel these companies to re-examine their data management policies and ensure they comply with the requirements by October 2018 in order to ensure advanced security and privacy of critical payment data.
With India emerging as a huge digital economy, opening doors for global players to operate on domestic soil, the RBI mandate comes at the right time to protect consumer interests. PM Narendra Modi has also “expressed serious concern over data leaks and alleged manipulation of user information by global internet and social media giants”. The new mandate will ensure that the data of millions of users is located within India, for improved visibility, accessibility, transparency and security, and for faster resolution of security incidents.