The Reserve Bank of India (RBI) has tightened its supervision norms for payment companies that store customer data as the number of cyber-security breaches at Indian tech startups has increased in recent months.
According to a report in the Economic Times, beginning April 1, all licensed Payment System Operators (PSOs) will be required to send comprehensive “compliance certificates” to RBI twice a year, signed by their CEOs or managing directors, confirming adherence to all RBI regulations regarding payment data security and storage.
The publication, which examined a copy of the central bank’s Department of Payment and Settlement Systems (DPSS) letter sent to all PSOs on Friday, stated that the RBI has requested that these certificates be submitted on April 30 and October 31 each year for the periods ending March 31 and September 30, respectively.
These requirements are in addition to those imposed by the RBI in April 2018, when it required all PSOs to send a board-approved annual System Audit Report (SAR) prepared by CERT-empanelled auditors.
By December 2018, payment companies were also required to send a one-time report confirming compliance with data localisation norms, which require that data relating to payments in India be stored on a server physically located in the country.
The letter issued by the central bank said “In addition to these requirements, it is hereby advised that a compliance certificate duly signed by the CEO/MD/chairman, shall be submitted on an ongoing basis at half-yearly basis…”.
It’s worth mentioning that many payment and tech startups have recently suffered data breaches. MobiKwik, based in Gurugram, was added to a list of high-profile targets that were reportedly hacked in January. Grocery e-tailer Big Basket, educational technology platform Unacademy, and payment aggregator JusPay are among the recent victims.