Amid the rising cybersecurity threats and breaches in India, the Reserve Bank of India (RBI) has tightened its supervision norms over payments companies storing customer data. All the payment system operators (PSOs) will now have to submit detailed “compliance certificates” to the central bank twice a year from April 1, 2021, onwards.
The documents have to be signed by their chief executive officer (CEOs) or managing directors (MDs), confirming the adherence to all the RBI regulations around security and storage of payment data.
RBI’s department of payment and settlement systems (DPSS), on Friday (March 26), issued a letter to all the PSOs operating in India, asking them to submit their certificates on April 30 and October 31 for the period ending March 31 and September 30, respectively.
Along with this, the Indian PSOs will also have to submit board-approved system audit report (SAR) by CERT-empanelled auditors. The central bank had introduced this provision back in April 2018 and it will continue in practice, even as the PSOs take a step to ensuring proper certifications.
India’s Financial Data At Risk With Over 200 Mn Users Compromised In 2021
The new specification comes at a time when several Indian payments and tech startups across the sectors have witnessed data leaks and cyber attacks. Some of these companies are grocery delivery giant BigBasket (acquired by Tata), edtech startup Unacademy, crowdfunding platform Impact Guru and many others.
In what is seemingly India’s biggest data leak in recent times, sensitive data of about 100 Mn (10 Cr) cardholders was leaked. This data was linked to Bengaluru-headquartered mobile payment solutions company Juspay. Screenshots of the leaked database, accessed by Inc42, reveal that it contains a user’s card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID, among several other details.
In all, over 16 fields of data relating to their payment cards have been leaked for at least 20 Mn (2 Cr) users, as conceded by Juspay, a subset of the total number of user records (10 Cr) that have been leaked.
Another Indian payments company Mobikwik’s database of 110 Mn (11 Cr) users has been available on the dark web since January 2021. The 8.2 TB of database included not only personal and financial details of individual customers but also details of merchants that have procured loans from the company. However, Mobikwik has continued to deny any breach, with CEO Bipin Preet Singh also laying the blame on users.
RBI Strips Merchants Off From Customer Data Storage
Taking a note of such breaches, the RBI has also prohibited merchants like Amazon, Microsoft, Netflix, Flipkart, Zomato and others to store customers’ credit card credentials “and related data” on their servers under the new payment aggregators and payment gateway (PA-PG) norms that come into effect this year. The guidelines also bar payment aggregators from storing customer card credentials within their database or the servers assessed by the merchants.
RBI has decided to not allow merchants to store such financial data as they would anyway not be answerable in case of any security breaches since the norm pertains to payment aggregators and gateways. The new guidelines will treat all payment aggregators as regulated entities under the Payment and Settlement Systems Act (2007) under the central bank’s direct supervision.