Reserve Bank of India · India

RBI System Audit Report (SAR) & Data Localisation

Annual system audit and payment-data localisation assurance for payment system operators.

Authorised Payment System Operators (PSOs) must undergo an annual System Audit and submit a System Audit Report (SAR) to RBI, performed by a CERT-In empanelled auditor. Separately, RBI’s April 2018 directive on Storage of Payment System Data requires that payment data be stored only in India, with compliance confirmed through a board-approved SAR.

Who must comply

  • Authorised Payment System Operators — card networks, payment aggregators, PPI issuers, ATM networks and white-label ATM operators, and similar entities.
  • Any entity that processes/stores payment system data in India under RBI authorisation.

System Audit scope

Area                         | What is assessed
Information security         | Governance, policies, access control, encryption, monitoring
Application & infrastructure | Secure configuration, VAPT, patching, resilience
Data storage & localisation  | Payment data stored only in India; foreign-copy purge (where applicable)
Incident management          | Detection, response and RBI/CERT-In reporting
Business continuity          | BCP/DR arrangements and testing

Data localisation

RBI requires the entire payment data of transactions processed in India to be stored only in India. Where transaction processing occurs abroad, the data must be brought back to India and any foreign copies purged within the stipulated time. The System Audit independently confirms this.

Process

  1. Scope the payment systems, data flows and infrastructure.
  2. Verify data-localisation (storage location and foreign-copy purge).
  3. Conduct the system audit, VAPT and controls review.
  4. Document findings and remediate.
  5. Obtain board approval and submit the SAR to RBI within timelines.
  6. Maintain evidence and repeat annually.

Evidence checklist

  • Payment-system architecture and data-flow diagrams.
  • Data-localisation evidence (storage in India; foreign-copy purge records).
  • VAPT and application/infrastructure security reports.
  • Incident-management and RBI/CERT-In reporting records.
  • BCP/DR test evidence.
  • Board-approved System Audit Report (SAR) and RBI submission proof.

How CyberSigma helps

CyberSigma is CERT-In empanelled — we perform your annual System Audit, verify payment-data localisation, run VAPT, and deliver a board-ready SAR for submission to RBI.

Frequently asked questions

Who can perform the RBI System Audit (SAR)?
A CERT-In empanelled auditor must perform the System Audit and issue the SAR. CyberSigma is CERT-In empanelled.

What is payment data localisation?
RBI requires the entire payment data of transactions processed in India to be stored only in India; the SAR independently confirms this.

Need help with RBI System Audit (SAR)?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.