“Payments Data must be processed and stored only in India”, says One97 in support of RBI notification

It further added, “Every payment system, app, and payments platform starting now must be compliant with this regulation. No one should be allowed to commercially launch service unless their systems are clearly only and only in India.”

One97 Communications Limited, which operates India’s popular payments gateway under the brand name Paytm, strongly believes that payments data of India should be processed and stored only in India. Paytm has always stressed that critical payments data of Indians must not be allowed to go out of the country, not even for processing. We will continue complying with these guidelines in both letter and spirit.

The Indian government has taken a number of steps to provide access to financial services and to promote digital payments among our fellow countrymen. As the payments ecosystem grows, data privacy and security become critically important, hence it is prudent to process and store such data only within Indian territory. As a pioneer in digital payments, Paytm believes that these guidelines have come at an opportune time, as the country leapfrogs to the next level of digital inclusion.

"Europe, as well as the US, have strict norms to keep their financial data within their country. Similarly, payments data of our country must also be stored/processed only in India and no company should be allowed to operate without adhering to this requirement. The regulator has announced a time window of 6 months to adhere to this data storage guideline, and these companies have the technology and resources to easily meet this deadline. If global tech companies want access to the Indian market, they have to abide by the regulations of our country. The data of Indian citizens is their property and no government or regulator can allow such data to be stored outside the country of origin. They cannot treat India as a digital colony," said T.V. Mohandas Pai, former director of Infosys and the Chairman of Manipal Global Education.

Here are the company’s views on the importance of “Processing and Storing Payment System Data Only in India”:

1) Mandatory compliance with these guidelines to start payment operations
We strongly believe that every payment system, app, and payments platform starting now must be compliant with this regulation. No one should be allowed to commercially launch service unless their systems are clearly only and only in India. Data localization is critical for the security of India’s payment systems. It should be implemented before beginning operations by any entity entering the payments space and not left to be addressed afterward.

2) Compliance by all is necessary for an interconnected and interoperable payments ecosystem
The payments network is interconnected and interoperable. A breach by any player who is not complying carries potential implications for all other players who have complied with the guidelines. Therefore, it is obligatory on the part of all Payment System Operators and participants to ensure compliance with this mandate at the earliest.

3) India has requisite people and technology resources to meet timelines
India is well equipped with the requisite people and technology resources to support this migration within the proposed 6-month time period. The cost of compliance is minuscule. Adhering to these guidelines will not have any impact on the quality of services either.

A large number of public and private entities have been processing and storing their data in India and are doing great on various fronts like fraud controls and customer service. It would be a gross underestimation and underutilization of India’s technology prowess if any company has to take sensitive data out of the country.

4) Associated Risks of Processing and Storing Data Outside India
When data is processed and stored in multiple geographies, there's a lack of clarity as to which country’s data laws will be applicable to it. Furthermore, the data is open to potential misuse as unregulated/third parties might have access to our country’s sensitive financial data. Replicating the data back to servers in India or encrypting the same is not a trusted solution. With increasing adoption of digital payments and reliance on the electronic banking ecosystem, India must have a data localization mandate to avoid data pilferage. Processing of data should also be in India as processing necessarily maintains a local cache and that is a risk.

Financial data stored in the country will give unfettered access to the regulators to audit data for faster redressal. It will further help boost customers' confidence in moving towards digital payments as they won't have to worry about their personal data being compromised.

5) Data Protection: An overview of what’s happening globally
In Europe, security of data has long been about fundamental human rights to privacy and protection. The EU is strengthening this framework by implementing the General Data Protection Regulation that will be enforced starting 25th May 2018. This covers a comprehensive set of privacy and data protection, as well as rules on breach disclosures, transfer of data and redressal mechanisms.

The USA has implemented stringent data privacy and protection laws across federal and state jurisdictions. There are two key federal laws that prevent “unfair and deceptive practices”, primarily related to health care and financial institutions.

China has numerous laws covering data protection. They provide individual protection such as requiring consent, safeguarding sensitive information, and limitation on the use of data. A new Cybersecurity Law that took effect on May 1, 2017, requires companies holding critical information infrastructure (CII) to store all ‘personal information and other important data’ only within Mainland China. Moreover, no foreign company is allowed to work in China on its own and must partner with another Chinese company to render its services, thereby giving a boost to their economy.

Thereby, across the globe, there is a movement to protect critical data by processing and storing it within the respective territorial jurisdiction.

*This information is from secondary sources

6) Instances of compliance by global Internet & Fintech companies:
- In 2018, Russian communications watchdog Roskomnadzor asked Facebook to explain how it is complying with a Russian law on data localization.
- In 2017, Russia also banned Visa and Mastercard from accessing its financial technology and system in 2010. The country does not want to share access to its financial data with any foreign brand and wants to promote its own payment system Mir.
- In 2014, Apple moved its servers to Mainland China in order to comply with the data localization laws. The company had tied up with China Telecom Corp Ltd, which provided the servers on which Apple’s user data has been stored.
- In 2010, Google was asked by the Chinese government to move its servers to mainland China, owing to a massive data breach that involved hacking of Gmail accounts of a number of Chinese human-rights activists. Google had to announce its exit from the Chinese market due to the data localization directive.
*There have been more such instances globally