The Reserve Bank of India issued a directive via circular DPSS.CO.OD.No 2785/06.08.005/2017-18 on April 8, 2018, making it mandatory for all payment transaction data to be stored exclusively within India. As the central banking authority overseeing monetary policy, the RBI requires unrestricted supervisory access to payment data, which is the basis for enforcing this mandate.
Under this directive, all companies handling transactions in India, whether global or local (such as fintech companies and gateway operators), are required to store payment data exclusively within the country.
A System Audit Report (SAR) is a mandatory document that organizations handling payment data must submit to the Reserve Bank of India (RBI) to demonstrate compliance with the data localization mandate. The SAR serves as an official record certifying that the organization stores end-to-end transaction data within India.
The audit must be conducted by auditors empaneled with CERT-In (Indian Computer Emergency Response Team).
The SAR includes a certification from auditors confirming the completion of the data localization activity.
The SAR must be approved by the organization's board, indicating that leadership accepts the findings.
Once the SAR is prepared, certified, and approved, it is submitted to the Reserve Bank of India, demonstrating compliance with regulatory requirements.
In times of geopolitical uncertainty, SAR audits fortify the security of financial and personal data belonging to Indian citizens. By ensuring data stays within India, these audits protect against vulnerabilities during geopolitical crises.
SAR audits help in identifying and preventing suspicious financial activities, strengthening the organization’s defenses and contributing to the global fight against illicit financial practices.
Effective IT governance is crucial for payment service providers. By identifying and addressing weaknesses in data storage, access management, and security controls, SAR audits improve the overall integrity of IT governance.
The SAR audit includes:
Classification of data elements, including payment credentials, transaction data, and customer information.
Diagram detailing the full transaction flow, distinguishing between data at rest and in motion.
Diagram outlining the full application architecture and detailing all involved components.
Evaluation of security controls ensuring protection for payment information systems and mobile applications.
Network architecture diagram that adheres to the Network Security Policy.
Diagram explaining data retention and database architecture with retention policies.
Detailed transaction/data flow with evidence of SOPs or organizational policies.
Compliance with guidelines for backup, restoration, and disaster recovery.
Verification of security measures like encryption, masking, and database access monitoring.
Assessment of data access from outside India and adherence to access control checks.
Evaluation of management's oversight of information security with an appropriate governance policy.
Assessment of physical security, hardware change management, and adherence to an asset management policy.
HR policies regarding recruitment, training, and termination processes.
Disaster recovery capabilities and business continuity planning (BCP).
Examination of incident response policies and security incident management mechanisms.
Evaluation of controls related to system development/acquisition and adherence to Secure SDLC policies.
Controls for managing outsourcing risks, including vendor contracts and third-party risk management (TPRM) policies.
Initial findings report summarizing what the audit discovered.
Gap assessment report outlining remediations for non-compliant controls.
Comprehensive report that elaborates on the final audit findings.
A letter confirming the requirements are met and that all applicable controls are fulfilled.
Our deliverables cater to both technical and business audiences.