
What is data localization in India under RBI?

Johan Carlsson

Country Manager, Sweden

Reviewed by Opsio Engineering Team


Data localization in India under the Reserve Bank of India refers to the April 6, 2018 directive on Storage of Payment System Data, which requires payment system operators to store the complete end-to-end transaction data only in systems located within India. The rule covers banks, non-bank prepaid payment instrument issuers, card networks, and authorised payment system operators.

What the 2018 directive actually says

RBI's circular DPSS.CO.OD.No.2785/06.08.005/2017-2018 directs all System Providers and System Participants to ensure that the entire data relating to payment systems operated by them is stored in a system only in India. This includes the full end-to-end transaction details, payment-related information, and any data collected, carried, or processed as part of the payment instruction. Foreign processing is permitted only for the foreign leg of a cross-border transaction, and that data must be deleted from foreign systems and brought back to India within 24 hours of payment processing.

What is in scope

Data category | Storage location | Notes
Customer data (name, mobile, email, Aadhaar, PAN) | India only | Includes KYC-related fields used in the payment flow
Payment-sensitive data (PIN, OTP, CVV, magnetic stripe) | India only | Must not persist abroad even for processing
Transaction data (amount, originator, beneficiary, timestamp) | India only | End-to-end record of each instruction
Foreign leg of a cross-border transaction | May be processed abroad | Foreign-side copy must be deleted and a copy retained in India within 24 hours of processing

Who must comply

  • Scheduled Commercial Banks operating payment systems
  • Card networks such as Visa, Mastercard, RuPay, American Express, Diners
  • Prepaid Payment Instrument issuers including wallet operators
  • UPI participants including banks and Third Party Application Providers
  • Payment aggregators and payment gateways authorised by RBI
  • Cross-border remittance operators authorised under FEMA

Complementary sector mandates

RBI's payments-data rule is not the only Indian localization requirement. Other sectoral regulators have layered their own obligations:

  • IRDAI — Insurers and intermediaries must hold policyholder data, claims, and underwriting information in data centres located in India under the IRDAI Information and Cyber Security Guidelines and related circulars.
  • SEBI — Market infrastructure institutions and intermediaries are expected to keep regulatory data within Indian jurisdiction and to use Indian data centres for critical systems, with cloud usage subject to SEBI's framework on adoption of cloud services.
  • MeitY — The DPDP Act 2023 permits cross-border transfers subject to government notification of restricted countries. Sectoral localization rules continue to apply in parallel.
  • National Health Authority — Health data shared through the Ayushman Bharat Digital Mission ecosystem follows storage and processing controls notified for the Health Data Management Policy.

Practical implications and common pitfalls

The most common compliance gaps Opsio sees in India relate to disaster recovery, analytics warehouses, and SaaS subprocessors:

  1. Cross-region DR — replicating to a region outside India to satisfy RTO targets is not permitted for in-scope payment data. Use Indian secondary regions (for example AWS Hyderabad as DR for Mumbai, or Azure Pune as DR for Central India).
  2. Global analytics platforms — exporting transaction data to a US- or EU-hosted analytics warehouse breaches the directive. Build aggregation pipelines within India and export only fully anonymised, non-reversible aggregates if needed.
  3. Fourth-party SaaS — fraud-scoring, communication, and CRM SaaS used inside the payment flow can quietly persist transaction context abroad. Validate every sub-processor against the directive.
  4. Encryption keys — key material protecting in-scope data should be hosted in Indian regions of the chosen key management service to avoid extraterritorial access.
  5. Audit evidence — payment system operators must submit a System Audit Report from a CERT-In empanelled auditor confirming compliance.
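
The DR, backup, and key-hosting pitfalls above can be checked mechanically. The following is an added example, not Opsio's tooling or code from the directive: it audits a constructed inventory of AWS ARNs and flags any replica, backup vault, or KMS key whose region is not Mumbai (ap-south-1) or Hyderabad (ap-south-2). The inventory, store names, and account ID are assumptions made for illustration.

```python
# Added example: residency audit over a constructed inventory.
# Assumption: AWS ARNs, whose fourth field is the region
# (arn:partition:service:region:account-id:resource).
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # AWS Mumbai, AWS Hyderabad

# Constructed sample inventory of stores holding in-scope payment data.
INVENTORY = [
    {"name": "txn-ledger",
     "primary": "arn:aws:rds:ap-south-1:111122223333:db:txn-ledger",
     "replicas": ["arn:aws:rds:ap-south-2:111122223333:db:txn-ledger-dr"],
     "backup_vault": "arn:aws:backup:ap-south-1:111122223333:backup-vault:txn",
     "kms_key": "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-1"},
    {"name": "card-auth-log",
     "primary": "arn:aws:rds:ap-south-1:111122223333:db:card-auth",
     "replicas": ["arn:aws:rds:ap-southeast-1:111122223333:db:card-auth-dr"],
     "backup_vault": "arn:aws:backup:ap-south-1:111122223333:backup-vault:card",
     "kms_key": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"},
    {"name": "analytics-export",
     "primary": "arn:aws:s3:::txn-analytics-export",  # S3 bucket ARN has no region
     "replicas": [], "backup_vault": None, "kms_key": None},
]

def arn_region(arn):
    """Return the region field of an ARN, or None if absent or malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts[3] or None

def audit(inventory, allowed=INDIA_REGIONS):
    """Return (store, role, verdict) for each dependency not provably in India."""
    findings = []
    for store in inventory:
        deps = [("primary", store["primary"]),
                ("backup_vault", store["backup_vault"]),
                ("kms_key", store["kms_key"])]
        deps += [("replica", r) for r in store["replicas"]]
        for role, arn in deps:
            if arn is None:
                continue
            region = arn_region(arn)
            if region is None:
                # Region cannot be read from the ARN: needs a manual check.
                findings.append((store["name"], role, "UNKNOWN_REGION"))
            elif region not in allowed:
                findings.append((store["name"], role, "OUTSIDE_INDIA:" + region))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```

Resources whose ARN carries no region are reported as unknown rather than passed, so they are resolved by looking up the actual location before being treated as compliant.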

For a region-comparison view of where to host workloads, see our note on AWS vs Azure vs GCP. For DPDP-level rules on cross-border transfer that sit alongside RBI's payments rule, see what the DPDP Act 2023 is applied to.

How Opsio helps

Opsio's India team designs payment-grade cloud architectures that keep regulated data inside Indian AWS and Azure regions while still meeting RTO, RPO, and operational resilience targets. Our managed AWS services include India-region landing zones, KMS hosted in Mumbai or Hyderabad, and CERT-In aligned logging so that payment system operators can produce the System Audit Report evidence RBI requires.

Frequently Asked Questions

Does the RBI directive ban cross-border processing entirely?

No. It restricts storage of in-scope payment data to India and permits foreign processing only for the foreign leg of a cross-border transaction, with the foreign-side data deleted and a record retained in India within 24 hours of processing.

Can a copy of the data be kept abroad for fraud monitoring?

No. The directive prohibits storage of in-scope payment system data outside India. Fraud monitoring on the data must be executed from systems located in India.

What about backups and DR sites?

Backups, snapshots, and DR replicas containing in-scope data must remain in India. Use Indian secondary regions for cross-region DR and validate that backup vaults are India-bound.

How does this interact with the DPDP Act?

The DPDP Act introduces a general framework for cross-border transfers of personal data subject to government notification. Sector-specific RBI, IRDAI, and SEBI localization rules continue to apply on top of DPDP and are typically stricter.

Does the rule apply to UPI?

Yes. UPI is an RBI-authorised payment system, and all participating banks and Third Party Application Providers must comply with the storage-in-India requirement for transaction data.
