RBI System Audit Report for Data Localization (SAR) & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localization controls for storage of payment related data.
What is the RBI System Audit Report (SAR) Data Localization Audit?
On April 8, 2018, the Reserve Bank of India (RBI) issued a notification mandating that all end-to-end transaction data be stored within India. RBI, the central banking institution that controls monetary policy in India, requires unrestricted supervisory access to all payment data, hence this mandate. Data localization refers to a government policy that requires user data collected within a jurisdiction to be stored on servers located within that country.
Current data-storage practice generally keeps data in a different location so that backups are quickly available to data centres. The RBI's requirement that all global and local payment operators in India keep all end-to-end payment data "within the country" has therefore drawn attention across the payments industry worldwide. The mandate applies to every organization handling payment data, from fintech firms that process peer-to-peer payments to gateway operators accessed globally for international funds transfers.
The Circular for Payment Operators Includes the Following Major Items:
- All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction.
- System providers shall ensure compliance with the above within a period of six months and report compliance to the Reserve Bank by October 15, 2018, at the latest.
- System providers shall submit the System Audit Report (SAR) on completion of the requirement. The audit should be conducted by CERT-IN empanelled auditors certifying completion of the activity. The SAR, duly approved by the Board of the system provider, should be submitted to the Reserve Bank.
Key Criteria for System Audit Report for Data Localization (SAR)
Based on the RBI and NPCI guidelines, the following key criteria need to be covered as part of this audit.
- Payments Data Elements - The auditor should check all data elements and their classification as payments or non-payments data. This should include customer data, transaction data, payment-sensitive data, and payment credentials data. Each element needs to be categorized by jurisdiction, noting whether or not the data has been brought back to India.
- Transaction/Data Flow (For all Transaction types including cross border transactions) - The report must include a detailed diagram of the transaction and data flow. The diagram should detail the steps of how a transaction flows through the different components of the application.
- Application Architecture - A detailed diagram of the application architecture is required in the report to show the components and modules of the application.
- Network Diagram - A detailed diagram of the network architecture must show the relevant equipment for primary and disaster recovery sites including CBS, if applicable.
- Transaction processing - The auditor should check which aspects of transaction processing are done in India and which are done outside India. The auditor also needs to check whether the purging process and policy are defined and in accordance with the RBI guidelines.
- Activities subsequent to Payment Processing - The auditor needs to identify the activities that follow payment processing, such as settlements, and check whether these processes are carried out in India or outside India.
- Cross Border Transactions Database Storage and Maintenance - The auditor must verify whether cross-border transactions are present, i.e., whether they occur in or are supported by the application.
- Data Backup & Restoration - The auditor must verify if the backup and restoration of the defined payment data is compliant with the guidelines.
- Data Security - Security controls must be verified to ensure transaction data is safeguarded. This includes standard data security controls like masking, encryption, data leakage prevention, and database access monitoring.
- Access Management - If data is accessed from outside India, for example for dispute resolution, chargebacks, customer support activities or data analytics, the permission levels and access levels granted should be in accordance with the defined processes and policies.
System Audit Report for Data Localization (SAR) Approach & Process
Xiarch follows a holistic approach to SAR Data Localization, and we have divided our work into the phases below to ensure compliance with the RBI & NPCI guidelines.
Information Gathering & Documentation Review
- A detailed questionnaire is shared with your teams, and documentation and evidence on the architecture, implementation and controls are collected to understand the data flow.
- Xiarch will conduct an initial audit to understand the organization's infrastructure and help the organization identify all storage locations that contain any payment-related data.
- If any such payment data is identified, Xiarch will provide remediation support for complying with the RBI mandate.
Report & Confirmation Letter
- In the final phase, we review evidence on the closure of the action points identified during the audit and share a confirmation letter stating that all payment-related data resides inside India.
What We Deliver
Xiarch offers a Data Localization Audit service specifically addressing the RBI & NPCI requirements. To ensure compliance with the RBI & NPCI compliance guidelines, our process incorporates the scoping guidelines from RBI & NPCI.
Our experts will furnish an itemized gap assessment report with appropriate remediation steps to be taken.
Identify weaknesses in your storage of payment data, allowing you to proactively remediate any issues that arise and improve your compliance posture.
We also assure you that your assessments are executed by qualified experts.
Our team of security specialists holds industry qualifications such as CHECK Team Member and Team Leader, CEH, ECSA, OSCP, CISA, CISSP, and many more.
Compliance & Certification
We will help you with the Compliance & Certification process, covering the review of the various documentation together with verification of the implementation.
Xiarch follows a holistic approach to the compliance process.
Why Xiarch?
Xiarch is a CERT-IN empanelled, ISO 9001:2015 and ISO 27001:2013 certified cyber security and IT services company providing information security solutions such as VAPT services, penetration testing services and vulnerability assessment services. Among our customers we proudly count government organizations, Fortune 1000 companies and countless start-up companies. We are additionally value-added partners, authorized resellers and distributors of leading web application security testing tools.
We are headquartered in Delhi and have branch offices in Gurugram, Mumbai and Chennai, India.
Get In Touch With Us
Test the effectiveness of your own security controls before malicious parties do it for you. Our security experts are here to help — schedule a call today.
Xiarch Security is a global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface digitally, physically and socially.
Certified Security Experts
Our security experts are highly qualified and certified in CEH, ECSA, OSCP, CISA, CISSP, and numerous others.
Communication & Collaboration
After the review, our specialists share the best solutions to correct the issues found. Our experts will communicate with you about any further implementation.
We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.
Free Remediation Testing
Once your team addresses remediation recommendations, Xiarch will schedule your retest at no additional charge.