Authorised Payment System Operators (PSOs) must undergo an annual System Audit and submit a System Audit Report (SAR) to RBI, performed by a CERT-In empanelled auditor. Separately, RBI’s April 2018 directive on Storage of Payment System Data requires that payment data be stored only in India, with compliance confirmed through a board-approved SAR.
Who must comply
- Authorised Payment System Operators — card networks, payment aggregators, PPI issuers, ATM networks and white-label ATM operators, and similar entities.
- Any entity that processes/stores payment system data in India under RBI authorisation.
System Audit scope
| Area | What is assessed |
|---|---|
| Information security | Governance, policies, access control, encryption, monitoring |
| Application & infrastructure | Secure configuration, VAPT, patching, resilience |
| Data storage & localisation | Payment data stored only in India; foreign-copy purge (where applicable) |
| Incident management | Detection, response and RBI/CERT-In reporting |
| Business continuity | BCP/DR arrangements and testing |
Data localisation
RBI requires the entire payment data of transactions processed in India to be stored only in India. Where transaction processing occurs abroad, the data must be brought back to India and any foreign copies purged within the stipulated time. The System Audit independently confirms this.
Process
- Scope the payment systems, data flows and infrastructure.
- Verify data-localisation (storage location and foreign-copy purge).
- Conduct the system audit, VAPT and controls review.
- Document findings and remediate.
- Obtain board approval and submit the SAR to RBI within timelines.
- Maintain evidence and repeat annually.
Evidence checklist
- Payment-system architecture and data-flow diagrams.
- Data-localisation evidence (storage in India; foreign-copy purge records).
- VAPT and application/infrastructure security reports.
- Incident-management and RBI/CERT-In reporting records.
- BCP/DR test evidence.
- Board-approved System Audit Report (SAR) and RBI submission proof.
Need help with RBI System Audit (SAR)?
CERT-In empanelled, PCI QSA senior auditors can take you from first reading about the requirement to full compliance with a scoped, guided programme.
