RBI, in its notification ‘Storage of Payment System Data’ dated April 6, 2018, had mandated all payments system operators working in India to ensure that data related to payment systems operated by them should be stored in the country. Payment system operators had to further submit the system audit report by October 15, 2018.
Such audit needs to be conducted by Indian Computer Emergency Response Team (Ministry of Electronics and Information Technology) empaneled auditors certifying completion of compliance. RBI had noted that only some payment system operators and their outsourcing partners stored payment systems data either partly or completely in the country. This mandate is seen by some as India’s one step towards a full-fledged data protection law. Payment service providers, especially the global ones, are opposing it because they must incur huge costs.
With the deadline ending on October 15, 2018, RBI may not immediately penalise payment companies which did not meet the deadline, but they will have to submit a schedule for adhering to the mandate.
- While many payment service providers are requesting for an extension of the deadline, companies including WhatsApp, Paytm and Amazon have complied with the regulations.
- US Senators John Cornyn and Mark Warner have asked Prime Minister Narendra Modi to adopt a more relaxed stance on data localisation and have gone to the extent of warning that this mandate will badly affect American businesses in the country. However, RBI made it clear that it won’t budge from its stance.
- The consumers who are using payment gateways like Visa, Mastercard or any other gateways will not be affected by RBI’s mandate. This is because it will just be a transition between their data being stored in an overseas server to their data being stored in a local server.