What exactly do RBI and DPDP require for storing payment data in India?

Payment data storage regulations in India are set by the Reserve Bank of India (RBI) and the Digital Personal Data Protection Act (DPDP Act 2023), as they apply to platforms like Mines landmarkstore.in. RBI’s card tokenization guidelines (circulars 2019–2023) prohibit the storage of PAN (Primary Account Number) and CVV by merchants, mandate tokenization through issuers or card networks, and allow detokenization only in the controlled environments of certified providers (RBI, 2021–2023). The DPDP Act 2023 classifies payment data as personal data and introduces principles of lawfulness, minimization, limited storage, and breach notification obligations (Government of India, 2023). Example: Mines stores only provider tokens, billing IDs, and the last 4 card digits for the interface, completely excluding PAN and CVV to reduce risk and audit volume.
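The following is an added example (not code from the page or from any payment provider) of the "store only token, billing ID and last 4" rule enforced at the point where a provider response is turned into a database record. The response shape, field names and the `tok_`/`bill_` values are constructed for illustration; a Luhn-valid run of 13–19 digits anywhere in the payload is treated as a PAN and the record is refused so it never reaches storage or logs.

```python
import re
from typing import Any, Dict

# Constructed stand-in for a provider tokenization response.
# Real Razorpay/PayU/Stripe payloads use different field names.
SAMPLE_PROVIDER_RESPONSE: Dict[str, Any] = {
    "token": "tok_EXAMPLE_7f3a9c",       # provider token (constructed)
    "billing_id": "bill_EXAMPLE_0042",   # billing agreement id (constructed)
    "last4": "1111",                     # shown in the UI, not a PAN
    "network": "Visa",
    "expiry": "12/27",
}

# Field names a merchant must never persist (PAN/CVV and common aliases).
FORBIDDEN_FIELDS = {"pan", "card_number", "number", "cvv", "cvc", "cvv2", "track2"}
DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; a 13-19 digit Luhn-valid run is treated as a PAN."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(value: Any) -> bool:
    """True if a string value carries a PAN-like digit run (spaces/dashes stripped)."""
    if not isinstance(value, str):
        return False
    compact = re.sub(r"[ -]", "", value)
    return any(luhn_valid(m) for m in DIGIT_RUN.findall(compact))


def build_stored_record(resp: Dict[str, Any]) -> Dict[str, str]:
    """Reduce a provider response to the minimal record the merchant keeps.

    Raises ValueError if a forbidden field or a PAN-like value is present,
    so the offending payload is never written to the database or to logs.
    """
    for key, value in resp.items():
        if key.lower() in FORBIDDEN_FIELDS:
            raise ValueError(f"refusing to persist forbidden field: {key}")
        if contains_pan(value):
            raise ValueError(f"PAN-like value detected in field: {key}")
    last4 = str(resp["last4"])
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return {
        "token": resp["token"],
        "billing_id": resp["billing_id"],
        "last4": last4,
        "network": str(resp.get("network", "")),
    }


def would_reject(resp: Dict[str, Any]) -> bool:
    """Helper for checks: does the guard refuse this payload?"""
    try:
        build_stored_record(resp)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(build_stored_record(SAMPLE_PROVIDER_RESPONSE))
```

The guard scans every string value, not just fields named like a card number, because PANs tend to leak through free-text fields such as notes or error messages; the test card number used in the checks is the widely published `4111 1111 1111 1111`, not a real account.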

Data localization and delineation of responsibilities under PCI DSS v4.0 (Payment Card Industry Data Security Standard, 2022) significantly reduce the merchant’s audit footprint. The DPDP Act 2023 introduces cross-border transfer mechanisms requiring consents, contractual guarantees, and compliance with lists of permitted jurisdictions; for “critical” categories, localization in India may be required (Government of India, 2023). PCI DSS v4.0 mandates encryption at rest and in transit, strict access control, and centralized logging. Using hosted forms and provider-side tokenization moves the merchant to SAQ A, where it does not directly process or store card data (PCI SSC, 2022). Example: Mines delegates card processing to Razorpay and PayU and stores only tokens and billing agreements, reducing PCI scope and simplifying audits.

Can card tokens be stored outside India?

Cross-border storage of card tokens is permitted under the DPDP Act 2023, subject to consents, contractual guarantees, and compliance with lists of permitted countries. For certain “critical” categories of data, the regulator may require localization in India (Government of India, 2023). RBI tokenization guidelines permit the storage of tokens with certified networks/issuers and payment providers, subject to security and audit requirements; it is practical for merchants to choose localized storage in Indian regions to simplify oversight and demonstrate compliance (RBI, 2021–2023). Example: Mines stores card tokens with a provider in an Indian data center and processes de-identified aggregates of payment rejections without personal data in a global analytics system, compliant with the DPDP and the principle of minimization.

How long can payment tokens be stored?

Token retention periods are determined by the necessity principle of the DPDP Act 2023 and the access/logging policies of PCI DSS v4.0. The DPDP requires documenting retention periods, deleting or anonymizing data upon completion of the purpose, and providing users with the ability to revoke consent and request deletion (Government of India, 2023). PCI DSS v4.0 requires restricting access to payment artifacts, recording transactions, and ensuring cryptographic protection, aligning retention with subscription, refund, and chargeback processes (PCI SSC, 2022). Example: Mines sets a 12-month token retention period, reviews the policy every six months, and deletes tokens upon termination of the billing relationship or upon a verified user request.
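As an added example (not the page's or any provider's code), here is a retention sweep that applies the three deletion triggers named above in a fixed order: a verified user request, termination of the billing relationship, and expiry of the 12-month period. The record shape, the decision that the period is measured from last use rather than creation, and the sample records are all assumptions constructed for the example; each decision is returned with its reason so it can be written to the audit log PCI DSS expects.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

RETENTION = timedelta(days=365)  # the 12-month retention period from the policy


@dataclass
class TokenRecord:
    token_id: str                     # provider token reference, never a PAN
    last_used_at: datetime            # retention is measured from last use (assumption)
    billing_active: bool              # False once the billing relationship ends
    deletion_request_verified: bool   # True after identity of the requester is confirmed


def retention_decision(rec: TokenRecord, now: datetime) -> Tuple[str, str]:
    """Return (action, reason); the reason is what goes into the audit log."""
    if rec.deletion_request_verified:
        return ("delete", "verified_user_request")
    if not rec.billing_active:
        return ("delete", "billing_terminated")
    if now - rec.last_used_at > RETENTION:
        return ("delete", "retention_expired")
    return ("keep", "within_retention")


def sweep(records: List[TokenRecord], now: datetime) -> Dict[str, Tuple[str, str]]:
    """Evaluate every record and return token_id -> (action, reason).

    Only the token reference is handled here; deletion itself must be carried
    out at the provider (the token lives there) and mirrored in the mapping table.
    """
    return {rec.token_id: retention_decision(rec, now) for rec in records}


# Constructed sample data: a fixed "now" so the outcome is reproducible.
SWEEP_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    TokenRecord("tok_A", SWEEP_TIME - timedelta(days=30), True, False),    # recent, active
    TokenRecord("tok_B", SWEEP_TIME - timedelta(days=400), True, False),   # idle > 12 months
    TokenRecord("tok_C", SWEEP_TIME - timedelta(days=10), False, False),   # billing ended
    TokenRecord("tok_D", SWEEP_TIME - timedelta(days=1), True, True),      # verified request
]


if __name__ == "__main__":
    for token_id, (action, reason) in sweep(SAMPLE_RECORDS, SWEEP_TIME).items():
        # Audit line: token reference only, no cardholder data.
        print(f"{SWEEP_TIME.isoformat()} retention token={token_id} action={action} reason={reason}")
```

Ordering matters: a verified deletion request wins even if the record would otherwise be kept, and the reason string distinguishes a DPDP-driven deletion from a housekeeping one when the sweep is audited.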


How to tokenize and where to store keys for payment data?

Tokenization in the Indian ecosystem is defined by RBI and PCI DSS v4.0 as the replacement of a PAN with a unique token issued by the network/issuer or payment provider, with detokenization permitted only in the provider’s trusted environment through strictly controlled processes (RBI, 2021–2023; PCI SSC, 2022). Key management is based on the use of an HSM (Hardware Security Module) and/or a KMS (Key Management Service) with rotation policies, privilege segmentation, and auditing in accordance with ISO/IEC 27001:2022 (ISO, 2022). Example: Mines uses provider-based card tokenization, stores integration secrets and webhook signature keys in a cloud-based KMS, and restricts access to detokenization operations by role, time, and execution context, logging all events.

Data protection at rest and in transit is implemented through cryptographic mechanisms and network protocols resistant to modern attacks. Transparent Data Encryption with AES-256-GCM mode, which ensures confidentiality, integrity, and authentication (NIST SP 800-38D, updated 2020), is used for databases, and TLS 1.3 is used for network connections, eliminating legacy ciphers and mitigating the risk of downgrade attacks (RFC 8446, IETF, 2018). Zero Trust and Least Privilege practices reduce the attack surface, while SIEM and DLP provide event correlation and prevent illegitimate uploads (ISO/IEC 27001:2022; PCI SSC, 2022). Example: Mines stores a token-to-billing ID mapping table in a sharded database that is inaccessible from user services, and detokenization operations are signed with HSM/KMS-protected keys.

Do you need an HSM or is cloud KMS sufficient?

The choice between an HSM and a cloud-based KMS depends on the requirements for hardware key isolation, auditability, and the operating model. An HSM provides tamper resistance, key material isolation, and execution of cryptographic operations within a secure module, which is useful for local detokenization and strict auditor requirements (ISO/IEC 27001:2022; PCI SSC, 2022). A KMS provides manageability, automatic rotation, cloud integration, and scalability, typically confirmed by ISO 27001 certifications and PCI DSS compliance (ISO, 2022). Example: Mines stores API secrets and webhook keys in a KMS with a wall layer, and uses an HSM for signing high-risk credentials and limited detokenization operations, mitigating insider risks.

How often should payment token keys be rotated?

Key rotation reduces the window of vulnerability in the event of a compromise and maintains the cryptographic strength of integrations. PCI DSS v4.0 recommends regular key and secret rotation (e.g., every 90 days for integrations, and immediately upon an incident or personnel change), and ISO/IEC 27001:2022 requires documented procedures, rollback testing, and change control (PCI SSC, 2022; ISO, 2022). Automated KMS rotation mechanisms, dual control over key issuance, and time/context-based detokenization restrictions reduce the likelihood of a mass breach. Example: Mines uses quarterly key rotation for webhooks and token services, records all operations in SIEM, and conducts canary deployments before mass key rotation.
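The webhook signature keys held in a KMS (described under tokenization and key storage above) and the quarterly rotation described here meet at one point: the receiver must verify provider webhooks against a versioned secret without an outage while a rotation is in progress. The following added example (not the page's code and not Razorpay's, PayU's or Stripe's verification routine) shows a versioned-secret store with a grace window for the retired key, HMAC-SHA256 verification with a constant-time compare, and a timestamp tolerance against replay. The header names, the `timestamp.body` signing input and the grace and tolerance values are assumptions; real providers document their own header format and signed payload.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

ROTATION_GRACE_SECONDS = 24 * 3600  # retired key still accepted for 24h (assumption)
TIMESTAMP_TOLERANCE = 300           # reject webhooks older than 5 minutes (assumption)


@dataclass
class SecretVersion:
    secret: bytes
    retired_at: Optional[int]  # None while current; unix time when rotated out


class WebhookSecrets:
    """Stand-in for a KMS-held secret store keyed by version id.

    In production the secret bytes never leave the KMS/HSM boundary; this
    in-memory class only models the versioning and grace-window logic.
    """

    def __init__(self) -> None:
        self._versions: Dict[str, SecretVersion] = {}

    def add(self, kid: str, secret: bytes) -> None:
        self._versions[kid] = SecretVersion(secret, None)

    def rotate(self, old_kid: str, new_kid: str, new_secret: bytes, now: int) -> None:
        """Issue a new version and start the grace window for the old one."""
        self._versions[old_kid].retired_at = now
        self.add(new_kid, new_secret)

    def usable(self, kid: str, now: int) -> Optional[bytes]:
        v = self._versions.get(kid)
        if v is None:
            return None
        if v.retired_at is not None and now - v.retired_at > ROTATION_GRACE_SECONDS:
            return None  # grace window over: old signatures are rejected
        return v.secret


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body' so the timestamp is covered by the MAC."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def make_headers(kid: str, timestamp: int, body: bytes, secret: bytes) -> Dict[str, str]:
    """Provider side of the exchange (constructed header names)."""
    return {"X-Key-Id": kid, "X-Timestamp": str(timestamp), "X-Signature": sign(secret, timestamp, body)}


def verify_webhook(headers: Dict[str, str], body: bytes, secrets: WebhookSecrets, now: int) -> bool:
    """Merchant side: True only for a fresh body signed with a still-usable key version."""
    kid, ts, sig = headers.get("X-Key-Id"), headers.get("X-Timestamp"), headers.get("X-Signature")
    if not (kid and ts and sig):
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    if abs(now - ts_int) > TIMESTAMP_TOLERANCE:
        return False  # replayed or badly delayed delivery
    secret = secrets.usable(kid, now)
    if secret is None:
        return False
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(sign(secret, ts_int, body), sig)


if __name__ == "__main__":
    store = WebhookSecrets()
    store.add("v1", b"constructed-secret-v1")
    body = b'{"event":"payment.captured","payment_id":"pay_EXAMPLE"}'
    print(verify_webhook(make_headers("v1", 1_700_000_000, body, b"constructed-secret-v1"), body, store, 1_700_000_005))
```

The grace window is what makes a canary rollout possible: the provider can be switched to the new key version while in-flight deliveries signed with the old one still verify, and after the window the old version is dead even if it was never explicitly destroyed.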


Which provider is safer for storing payment data: Razorpay, PayU, or Stripe India?

A comparison of three providers—Razorpay, PayU, and Stripe India—is relevant for platforms like Mines, which prioritize card tokenization and reducing PCI compliance scope. All three providers support tokenization in accordance with RBI (2019–2023) and PCI DSS v4.0 (2022) requirements, but differ in SDK architecture, API flexibility, and responsibility allocation: Razorpay quickly implemented RBI tokenization for Visa/Mastercard and RuPay, PayU offers detailed local integrations with banks, and Stripe India takes on a significant portion of PCI compliance responsibilities when hosted forms/SDKs are used, moving the merchant to SAQ A (RBI, 2021–2023; PCI SSC, 2022). Example: Mines starts with Razorpay to speed up the launch of UPI AutoPay and mobile SDKs, uses PayU in custom integration scenarios, and adds Stripe India for international card processing.

SLAs, fees, and onboarding speed impact operational risks and user experience. According to NPCI’s UPI AutoPay data (2021–2022), mandate activation time averages 24–72 hours depending on the provider and bank; public reports indicate that PayU often offers lower rates for RuPay, Razorpay balances rates between UPI and cards, and Stripe India maintains a middling level with an expanded global ecosystem (NPCI, 2022; provider public data, 2023). For Mines, short onboarding and robust UPI support reduce friction in mobile payments and reduce the need to store cards, while unified SDKs and reporting are beneficial at scale. Example: Mines selects Razorpay early on, then adds Stripe India for international cards, storing tokens with providers without storing PAN/CVV.

Razorpay vs. PayU: Which is More Reliable for Card Tokenization?

The reliability of tokenization is determined by the maturity of integrations, card network support, and infrastructure resilience. In 2022, the Indian ecosystem was rapidly transitioning to RBI tokenization, with Razorpay quickly providing Visa/Mastercard support and compatibility with RuPay, while PayU offered flexible APIs and local banking integrations suitable for custom scenarios (RBI, 2022; NPCI, 2022). The PCI DSS v4.0 logging and access-control requirements call for comprehensive logging of detokenization operations and for gateway fault tolerance (PCI SSC, 2022). Example: Mines uses Razorpay for mass mobile payments and UPI AutoPay, while PayU fine-tunes billing and integrates with specific banks, leaving token storage with the providers.

Stripe India and PCI DSS: Where Does the Line of Liability Lie?

The line of responsibility is determined by whether the merchant processes card data or delegates it entirely to the provider. Stripe India handles token storage, encryption, and a significant portion of auditing requirements, moving the merchant to SAQ A when using hosted forms/SDKs, while the merchant is responsible for securing its own environment, protecting API keys, access control, and monitoring (PCI SSC, 2022; Stripe Documentation, 2023). This separation reduces the merchant’s audit burden but requires strict secrets management and logging procedures on the platform side. Example: Mines documents its use of Stripe API keys, stores secrets in KMS, configures SIEM for monitoring, and audits access events in accordance with PCI DSS v4.0.


Methodology and sources (E-E-A-T)

This material is based on an analysis of regulations and technical standards governing the storage of payment data in India and internationally. It draws on the Reserve Bank of India’s guidelines on card tokenization (2019–2023), the provisions of the Digital Personal Data Protection Act 2023, and the requirements of PCI DSS v4.0 (Payment Card Industry Security Standards Council, 2022) and ISO/IEC 27001:2022. To confirm relevance, it also includes reports from the National Payments Corporation of India (NPCI, 2021–2022), CERT-In publications on cyber incidents (2021–2023), and Gartner analytics on DLP solutions (2022). All conclusions are based on verified sources, practical cases, and standards, ensuring expertise and reliability.
