RBI Mandates Domestic Storage of Payments Data
Security Practitioners Say New Requirement Could Ease Breach Investigations
With the Facebook/Cambridge Analytica incident raising fresh concerns about privacy, the Reserve Bank of India, the nation's central bank, is requiring that payment system operators store all their data domestically.
It's unclear whether the new mandate will apply only to licensed entities, such as wallet issuers, or also to the payment gateways and intermediaries. RBI says it will reveal more details soon.
Many security practitioners and payment companies in India have lauded the move, stating that the mandate could lead to quicker resolution of breach cases.
"This means that the laws of the country can be applied to this data and the concerned provider," says Dharshan Shanthamurthy, CEO at SISA Information Security Worldwide, a global payments security firm. "It also means faster access to the compromised environment for forensic investigators, which means faster containment of breach incidents. It also means that we can use Indian laws and regulations to push the service provider to cooperate in case of a forensic investigation."
Explaining the Mandate
The RBI mandate for domestic storage of all data must be met by October 15.
In explaining the mandate, the RBI states: "In recent times, the payment ecosystem in India has expanded considerably with the emergence of new payment systems, players and platforms. Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches while maintaining a healthy pace of growth in digital payments."
The RBI also notes: "It is observed that at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country. In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of six months."
Paytm, India's largest mobile-first financial company, declined to comment on the mandate. Other payment platform providers, including PayPal, say they are awaiting further guidelines from RBI.
The issue of storing data domestically has been a focus in India for some time.
For example, last year, the Insurance Regulatory and Development Authority of India directed insurance companies to stop using internet servers outside India and to store all critical customer data domestically. The authority also asked insurers to take stringent measures to safeguard indigenous servers (see: India's Insurers Face New Security Mandates).
The Ministry of Electronics and Information Technology mandated that all cloud service providers that handle government data store it on servers in India.
"At a time when privacy concerns are creating ripples around the world, it is only natural for RBI to introduce this mandate. With messaging apps like WhatsApp, which has its servers in the U.S., getting in the payments space in India, RBI's mandate has come at the right time," says C.N. Shashidhar, CEO at SecurIT Consultancy.
Other Asian countries, including China, Japan and Malaysia, have similar data storage rules for companies across all verticals.
Prime Minister Narendra Modi reportedly has expressed serious concerns about data leaks and alleged manipulation of user information by global internet and social media giants. As a result, he has instructed that data sharing should be regulated and servers that house data of millions of users should be located within the country, reports the Times of India.
A key concern of the IT ministry is to prevent user data from being misused for any kind of manipulation, including for "managing" electoral processes in India. "An inquiry is already on regarding the Facebook and Cambridge Analytica episode where data may have been manipulated during polls. The government also wants to look into the other aspects related to data protection," the Times of India reported.
Until now, there were no clear guidelines on where payment data could be stored.
Now that RBI has spelled out requirements, forensic investigations of security incidents should be easier.
"In most of our forensic investigations, [data storage in other nations] was a common bottleneck, as most data centers/service providers were reluctant to share data, quoting foreign jurisdiction despite having a contractual obligation with the entity under investigation," Shanthamurthy says. "It had to go through multiple layers of permissions before we could gather the images or evidence, thereby causing severe delays. This mandate will certainly help in bringing the fraudsters to justice."
Many payment companies use global cloud service providers that could be storing data outside India. The new mandate is expected to have greater impact on technology giants, such as Google and WhatsApp, which are launching payment services through Unified Payments Interface, a real-time payment system developed by National Payments Corporation of India.
"Obviously these companies have their servers located in the U.S.," says the vice president of a data center in India, who requested anonymity. "They will have to relook at their policy, but as far as infrastructural issues are concerned, that should not be a problem. And the six-month deadline given by RBI is good enough."
Google, which has launched Tez, and WhatsApp, which is in the process of going live with UPI payments, have not commented on the mandate.
"PayPal is evaluating the guidelines, and we will work closely with ecosystem participants and relevant stakeholders to arrive at the best possible outcome for our customers," PayPal said in a statement provided to Information Security Media Group.
Making the Transition
Because India has Tier 4 data centers, and well-known cloud providers have domestic centers, relocating data to India shouldn't be too challenging, some security practitioners say.
Payment companies should consider creating a next-generation security operations center to have a strong monitoring framework, security experts advise. They also advocate the use of new, stronger security authentication architectures.