Aadhaar / UPI / RuPay - News and Discussions

Ashwin

Agent_47
Staff member
Administrator
Nov 30, 2017
7,776
13,615
Bangalore
Aadhaar breach is serious, but bigger challenge is a data and privacy protection law

It takes, some times, a negative event to bring important issues on the debating table. The 4 January 2018 report alleging data breach of Aadhaar brings the larger issue of data protection, privacy and their protection back in public discourse.

Nobody in her right mind would be comfortable with her data, now extracted by the authority of law, being compromised, sold, shared, used, circulated, downloaded. Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough. That the data of Indian residents could be done in such a casual manner — a price of ₹500 for the data, ₹300 for a software that reads that data and a time of 10 minutes — makes it worse. The report says the breach gives access to the Aadhaar number, name, address, postal code, photo, phone number and email. This is personal information and can be abused in several ways, from financial to criminal.


Whatever the financial cost, howsoever high the regulatory walls, a breach is bad enough.

For instance, if a rogue manages to steal a phone and can map the name of the person with the details above, the entire edifice of the OTP (one time password) as a mechanism of checking and protection of banking transactions becomes meaningless for online transactions. More so, when changing the number entails a long-winded, physical process, ironically for an idea that is entirely digital. If a debit or credit card is stolen, digital transactions can happen with ease. Beyond financial losses, this breach enables criminal offences. Imagine stalkers following a woman through her phone right upto her home.

If these are not bad enough, the reaction of Unique Identification Authority of India (UIDAI), the organisation tasked with housing this data safely, was worse: through the Press Information Bureau (PIB), it simply denied the report and called it a case of misreporting. “There has not been any Aadhaar data breach,” PIB stated on Twitter [ii]. “The Aadhaar data including biometric information is fully safe and secure.” But further down it says that the “reported case appears to be an instance of misuse of the grievance redressal search facility”. Which is right — no breach or instance of misuse?

PIB further states [iii] that “mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for successful authentication fingerprint or iris of individual is also required.” Finally, it says that legal action, including lodging of FIR (first information report), is being done. Is UIDAI accepting a breach of non-biometric information and saying all is well because the fingerprints and iris scans have not and cannot be accessed? If yes, it is out of tune with the 21st century India.

Like several issues earlier, lack of patience will ensure that this breach of information too will blow away and get lost in the sands of political spins — one side alleging serious violations, the other defending with denial. And the truth may not be in the middle. Indeed, it may lie outside Aadhaar.


The truth may not be in the middle. Indeed, it may lie outside Aadhaar.

For an issue that affects almost every aspect of a modern life, from identity and money to investments and DBT (direct benefit transfer) entitlements, we need to prevent petty politics from further contaminating our digital future. We need to take this issue into our hands, engage deeply with it, so that the resultant law protects as much as enables us as a nation. The latest ideas of privacy, data and information protection, and the legal provisions enabling it are situated in two places. First, in a 24 August 2017 order of the Supreme Court [iv]. And second, in a white paper by a committee chaired by Justice B.N. Srikrishna [v]. Both provide the intellectual, legal and moral basis for public discourse, before it is finally enacted by Parliament into law.

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the nine-judge Constitutional bench of the Supreme Court ruled [vi]. But it did articulate the legitimate concerns of the State on one hand and individual interest in the protection of privacy on the other. “Apart from national security, the state may have justifiable reasons for the collection and storage of data,” it noted [vii]. Benefits to “impoverished and marginalised sections of society,” for instance. Or prevention and investigation of crime, and protection of the revenue.

Justice Srikrishna’s White Paper takes this judgement into account and lists out seven key principles [viii] that must inform a data protection law. One, the law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance. Two, the law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. Three, as an expression of human autonomy, consent must be informed and meaningful. Four, data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. Five, the data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. Six, enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms. And seven, penalties on wrongful processing must be adequate to ensure deterrence.

Coming to Aadhaar, we need to examine the law [ix] closely. While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting. Finally, Clause 37 nails it down and states that whoever discloses, transmits, copies or disseminates any identity information shall face a fine of upto ₹10,000 for an individual, ₹1 lakh for a company, and imprisonment that may extend upto three years. We can argue that these penalties are inadequate. A company can earn crores of rupees for data breach, a country can inflict untold damage. When seen in context, Aadhaar would be a subset of the larger debate around privacy and information protection. We can look at this law as a necessary but not a sufficient tool to protect data and privacy.


While Clause 30 gives the government the power to collect biometric information deemed to be sensitive, it is the protection mechanism under Clause 29 that places restrictions on its sharing, displaying or posting.

Where, for instance, would we place the do not disturb registry? Although it began ineffectively, and has started functioning only over the past 12 months or so, the stray call does come. Or, how do we deal with universal banks, where details of a salary account in a bank are shared with the insurance company of the same group with impunity, despite Reserve Bank of India explicitly prohibiting it? “Provided that information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer,” the clause states [x].

These are only some of the issues citizens and consumers face. In the increasing digitalisation of India, privacy will become a political battle. As a result, a law that gives privacy protections to citizens while allowing flexibility to the State — in the matter of national security (that is and will remain undefined), for instance — is essential. Related laws, like those in finance, healthcare, education or telecommunications, will get suitably amended or repealed and embed themselves into a bigger privacy law. That privacy is a fundamental right has been set in place by the Supreme Court. It is upto the government to initiate and Parliament to enact these provisions into law.

As far as Aadhaar goes, the shrill debates will tighten the law. But finally, provisions of the data and privacy protection law will override it and Aadhaar will need to legally situate itself within this larger framework, as part of these wider rights.
 
China's digital protectionism, US retreat beckons India to unleash Globalisation 4.0

China's National Development and Reform Commission recently announced subsidies to 56 artificial intelligence (AI) and robotics companies. This was in line with its goal to become an ‘innovation nation’ by 2020.

Over the last 30 years, Beijing has aggressively pursued technology-led global dominance. If high-impact Chinese academic publications formed 1% of the top Scopus citations in 1997, today they make 20%.

Once synonymous with knock-off goods, China now inspires Silicon Valley to mimic its on-demand bike rental services. But its digital economy is a testament to well-worn 20th-century statecraft.

Protectionism has meant Chinese payment services like Tenpay and Alipay having over 800 million users and a combined market share of nearly 90%. The microblogging site Sina Weibo has 500 million Chinese users — more than Twitter’s global user base. The story repeats itself in search (Baidu), local e-commerce (Alibaba, JD.com), local commutes (Didi Dache, Kaundi Dache) and travel and accommodation (Ctrip, Tujia).
In 1803, French economist Jean-Baptiste Say stated that supply creates its own demand. Beijing has vindicated his theories. Tapping into its vast internet user base, China created services that cater to its citizens’ needs, concurrently generating massive data to fuel innovation.

To ride the next wave of innovation, India needs its own strategy. Its agenda for 2018 should be to leverage the hundreds of millions it brought online and the 1,500 million GB of monthly data consumption that now powers a digital India.

Data is the new oil. But our aim should be wealth creation beyond mere ancillary benefits, such as affordable connectivity. We must reconsider the ecosystem of data extraction from India, not merely figure out how its benefits can trickle down to citizens.

Digital Digboi

India will enter the $10 trillion club as the first economy to mature during the Fourth Industrial Revolution (4IR). The first three waves — led by Britain, the US and China — featured wealth creation within one’s own geography, aided by global resources and labour. This focus on local prosperity and capacity won’t change.

What will be unique to the Indian story, however, is its regulatory ecosystem around data: the 4IR’s raw material.

Global trading rules, which China stayed away from till the 21st century, require India to be expansive in its digital integration and traditional offline trade. But as the Washington Consensus develops fatigue, India must infuse energy into a new globalisation project. It should offer its own developmental model that addresses key concerns on cross-border data transfer — one promoting the free flow of information globally, while ensuring local value creation from data.

The Aadhaar database can jumpstart a new wave of startups and services that rely on authentication. The challenge will be in launching Indian innovation into the outside world. WhatsApp’s integration with the Unified Payments Interface (UPI) in 2017 suggests that the world is indeed ready to welcome first-rate Indian products.

WhatsApp integration will drive the creation and adoption of UPI-based applications and similar products based around Aadhaar-enabled systems.

Still, the story is only half-complete. UPI may have become the backbone of payments innovation, but real success will come when an Indian platform can emerge on the scale of a WhatsApp or Sina Weibo.

How do we create global Indian technology giants? It isn’t just about access to data, or obsessing over where it’s located. What we need is data refineries, not data wells — an Indian tech ecosystem that doesn’t only create and extract data, but also transforms it into higher-level products with global worth. If we do not do this, others will.

China forced global tech giants to play by their rules or forgo their market. India can’t mimic such heavy-handedness, but must have the same end: that value created by Indians is largely created for Indians and mostly enriches India. China’s provinces took the lead in creating tech giants. Alibaba and the others emerged from provincial capitals like Hangzhou to challenge the world.

India’s, with its heft, needs to think of its 29 states as 29 different ecosystems now bound together by far-reaching reforms like the GST. Each ecosystem must have a unique strategy to incubate world-beating innovation, as well.

A Date With Data
This must form a pivot for both the upcoming budgetary allocations as well as the Data Protection Bill developed. The Bill must not just bolster privacy but also redefine India’s trade posture in a world where data fuels economies. If done right, this can foster local innovation, birthing new transformative vernacular language technologies. If done wrong, it can disincentivise innovation and overseas investments.

China’s digital protectionism, and a US retreat, can be analogous to India’s victory in Globalisation 4.0.
 
FIR against Tribune reporter over Aadhaar data breach story

A deputy director of the Unique Identification Authority of India (UIDAI) has registered an FIR against The Tribune newspaper and its reporter Rachna Khaira following her report on how anonymous sellers over WhatsApp were allegedly providing access to Aadhaar numbers for a fee.

The FIR also names Anil Kumar, Sunil Kumar and Raj, all of whom were mentioned in The Tribune report as people Khaira contacted in the course of her reporting.

Joint Commissioner of Police (Crime Branch) Alok Kumar confirmed that an FIR had been registered and an investigation launched. The FIR has been lodged with the Crime Branch’s cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well Section 66 of the IT Act and Section 36/37 of the Aadhaar Act.

When contacted, The Tribune’s editor-in-chief Harish Khare refused to comment on the FIR. In the FIR, the complainant, B M Patnaik, who works with UIDAI’s logistics and grievance redressal department, states: “An input has been received through The Tribune dated January 3, 2018, that the ‘The Tribune purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.”

The FIR details how the reporter got in touch with the other persons named in the FIR and goes on to state: “The above-mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy… The act of the aforesaid involved persons is in violation of (the various sections mentioned in the FIR)… Hence, an FIR needs to be filed at the cyber cell for the said violation.”

The UIDAI’s media unit did not respond to calls and texts from The Sunday Express. The UIDAI CEO, when contacted, said he was in a meeting. The Tribune report, dated January 3, had stated: “It took just Rs 500, paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”

Late on Saturday, UIDAI’s Chandigarh regional office, wrote to The Tribune’s Editor-in-Chief, asking if “was at all possible for your correspondent to view or obtain Fingerprints and Iris scan of any person through the aforesaid access to UIDAI portal” and “how many Aadhaar numbers did the correspondent actually enter through the said login user id and password and whom did those Aadhaar numbers belong to”. The letter asked for these details to be sent by January 8, “failing which it will be presumed that there was no access to any Fingerprints and/or Iris scan”.

After the report appeared, the UIDAI had in a statement said that there “has not been any Aadhaar data breach”.
“The Aadhaar data, including biometric information, is fully safe and secure,” it had said, adding, “There has not been any data breach of the biometric database, which remains fully safe and secure with the highest encryption at UIDAI and a mere display of demographic information cannot be misused without biometrics.”
 
Edward Snowden came out in support of the journalist who reported that she could access personal details of over a billion citizens.
All India | NDTV News Desk | Updated: January 09, 2018 14:05 IST

edward-snowden_650x400_51469164236.jpg

Edward Snowden criticised the government for "policies that destroyed the privacy of a billion Indians".

New Delhi: American whistleblower Edward Snowden has tweeted his sharp disapproval of a police case against journalist who exposed gaps in the security of biometric details of millions of citizens recorded in the Aadhaar database.

In a post on Tuesday, the former US intelligence contractor came out in support of the journalist who reported that she could access personal details of over a billion citizens for just Rs. 500 paid through a digital wallet. Snowden also criticised the government for "policies that destroyed the privacy of a billion Indians".

He tweeted: "The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI."

Snowden has spoken against the Aadhaar earlier too. "It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse," he had tweeted last week.

UIDAI, which oversees the world's largest biometric identity card scheme, had gone to the police against the journalist from the Tribune newspaper and insisted there was no breach in its system.

Outrage over the case against the journalist forced an intervention by I-T minister Ravi Shankar Prasad and pushed the UIDAI to clarify that the case was not against any specific individual.

In a tweet, Mr Prasad asserted that the government supports freedom of press and that the newspaper and its reporter would be asked by the UIDAI to help investigate the alleged data breach.

"Govt. is fully committed to freedom of Press as well as to maintaining security & sanctity of #Aadhaar for India's development. FIR is against unknown. I've suggested @UIDAI to request Tribune & it's journalist to give all assistance to police in investigating real offenders," the minister posted.

In a separate case yesterday, the Supreme Court, which is hearing a petition challenging the validity of Aadhaar, made it clear that politicians should "allow freedom of expression".

Arrest UIDAI, Says Edward Snowden After Aadhaar Case Against Journalist

Journo exposing Aadhaar leak merits award, not probe: Edward Snowden
 
Every aadhar activist missed this :

White Paper on Data Protection framework for India - Public Comments invited
Government of India has constituted a Committee of Experts926.13 KB under the Chairmanship of former Supreme Court Justice Shri B N Srikrishna to study various issues relating to data protection in India and make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”
Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access.
A White Paper has been drafted to solicit public comments on what shape a data protection law must take. The White Paper outlines the issues that a majority of the members of the Committee feel require incorporation in a law, relevant experiences from other countries and concerns regarding their incorporation, certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise, and specific questions for the public. On the basis of the responses received, the Committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject.
Download the White Paper1.78 MB
White Paper on Data Protection framework for India - Public Comments invited | Ministry of Electronics and Information Technology, Government of India

Aadhar is here to stay but this under work bill will help ot mitigate its downsides.
 
Payments Council of India says not all payment firms want to store data in India
Even as companies such as Paytm and PhonePe are supporting the RBI's notification asking all payment system operators to ensure that data is stored only within the country, not all payments firms seem to be on the same page. The Payments Council of India (PCI), which has around 100 payments firms as its members, has sought a meeting with the RBI to suggest “alternative solutions which can meet the RBI requirements of unfettered access”. There was no clarity on the names of these firms or the suggestions they want to share.
Moneycontrol has a copy of the letter sent to the RBI.

Last month, RBI released guidelines asking all payment system operators to ensure that data is stored only within the country, and comply with the order by October 15, 2018. In the letter, PCI has stressed that many online payments companies and members are not convinced by this decision. It says that while some of its members are fully in favour of storing data within the country, a bunch of them want some relaxations. There are also members who are completely not in favour of the same.

“Payments Council of India representing various diversified sectors in payments, we have got a divided response on the notification from our members. The responses received from members can be grouped into 3 classes being -- fully in favour, partially in favour with certain relaxations and not in favour. “We would therefore request you to kindly grant us an appointment for a meeting to put across the concerns of the impacted members and suggest some alternative solutions for achieving a common goal of ensuring trust and security for digital payment systems in India," PCI wrote in the letter.

According to PCI, some of the members think that storage of data only in India will not be in the best interest of the payment ecosystem.
“This will give way to a lot of issues as payment systems nowadays are fully connected globally to achieve greater operational efficiency and safeguard transactions against frauds, systemic risks or a single point of failure,” PCI wrote.

“Patterns of fraudulent activity which are collected from all over the world and analysed in a centralised location help to improve fraud-prevention technology through big data analytics, which ultimately benefits Indian citizens,” it added.
Industry leader in the online payments space, Paytm is among those companies who have been very vocal about the importance of storing data within the boundaries of the country.

According to Paytm, India has enough technology and manpower resources to support this migration. It also says that when the data is processed and stored in multiple geographies there’s a lack of clarity as to which country’ data laws will be applicable to it.
Flipkart’s payments firm PhonePe too supports the RBI guidelines. The company believes that processing any data outside the country leaves behind an imprint of the same on the servers through which it is processed and hence defeats the purpose of data localisation.
"There should be no data replication outside the country as the geographical spread of India provides enough room for creating alternate infrastructure and ensure business continuity. Any player therefore interested in contributing towards the long-term growth of payments in India should also be willing to invest in building the infrastructure locally here,” said Hemant Gala, head of payments and banking relations, PhonePe.

"Even from the perspective of fraud and risk management, since all the data is emerging from the country global best practices can all be incorporated in local risk management tools. The amount of data that is generated in India now and in the future would be sufficient for companies to build a strong risk management framework,” he added.
Rishi Gupta, chief executive officer and managing director of Fino Payments Bank, told Moneycontrol that if the data is stored within the boundaries of a country, it becomes much easier to control it. He also added that when all the companies will start doing it, it will only lead to more investments in technology infrastructure.
Payments Council of India says not all payment firms want to store data in India
 
  • Like
Reactions: Ashwin
Yet you are on every social media app. ;)

I'm not into social media, waste of time. But information is easily controlled there, I can easily change my name, DOB, address etc. You don't put your financial info there after all.

But this issue is different since I have credit cards and debit cards saved on stuff like Paytm. I don't want such information stored under the control of a different country.
 
  • Agree
Reactions: Aravind
I'm not into social media, waste of time. But information is easily controlled there, I can easily change my name, DOB, address etc. You don't put your financial info there after all.
Really ? You think changing name will erase the past?
But this issue is different since I have credit cards and debit cards saved on stuff like Paytm. I don't want such information stored under the control of a different country.
And you don't use Visa/MasterCard ?
 
Really ? You think changing name will erase the past?

The information is irrelevant there.

The point I am making is you can fake data on FB, but with a payments bank they ask for Aadhaar, you can't fake that. Let's talk again about this after social media starts asking for govt IDs before setting up accounts.

And you don't use Visa/MasterCard ?

They have a new policy of using OTP instead of the old password. OTP can easily be stolen from a message reader from your phone that can be installed maliciously. So there's no longer any real security.

As for Visa and Mastercard themselves, I trust them since they are all protected by the US govt. If they screw up, they can get bailed out. And they have much more strict procedures. For example, if there's fraudulent transaction, they can easily reverse it with just one phone call, so there's safety there. But the data itself is held by local banks.

Take Paytm for example. What will happen to the information they carry if they become bankrupt? If data is located in a foreign server, they can easily sell it to someone else for profit. Who will stop them? The Indian govt? Nope, they don't have any jurisdiction outside the country.

Do you really want companies like Alibaba and Xiaomi to hold your data in a server in China?

I don't want my Aadhaar data saved in China. Nor do I want other card details there. All they need is a malware on my phone that reads OTP and they can take all my money without my knowledge. What's the guarantee Xiaomi phones in India can't read messages without permission when needed?
 
  • Like
Reactions: Aravind
They have a new policy of using OTP instead of the old password. OTP can easily be stolen from a message reader from your phone that can be installed maliciously. So there's no longer any real security.

As for Visa and Mastercard themselves, I trust them since they are all protected by the US govt. If they screw up, they can get bailed out. And they have much more strict procedures. For example, if there's fraudulent transaction, they can easily reverse it with just one phone call, so there's safety there. But the data itself is held by local banks.
Don't change goal posts. Basically, you are ok with US 'govt' having your payment data which is not in sync with your initial point.

But this issue is different since I have credit cards and debit cards saved on stuff like Paytm. I don't want such information stored under the control of a different country.
 
Don't change goal posts. Basically, you are ok with US 'govt' having your payment data which is not in sync with your initial point.

I already told you, the US doesn't hold data. Visa/Mastercard data is held by local banks in India. The servers are located in India. If you have a Visa card issued by HDFC, then HDFC holds your data. Visa is only a payment gateway.

What I meant is since Visa/Master are protected by American govt, there's no chance they will go bankrupt and then sell data to a foreign company. The same doesn't apply to Paytm. Paytm is like HDFC here.
 
I already told you, the US doesn't hold data. Visa/Mastercard data is held by local banks in India. The servers are located in India. If you have a Visa card issued by HDFC, then HDFC holds your data. Visa is only a payment gateway.

What I meant is since Visa/Master are protected by American govt, there's no chance they will go bankrupt and then sell data to a foreign company. The same doesn't apply to Paytm. Paytm is like HDFC here.
Don't make lame statements for argument sake. Payment gateways have all data. Access to it for CIA is a request away. Comparison in this context is Visa/Mastercard vs Rupay, not HDFC.

Screenshot-2018-5-20 How RuPay is Transforming India.png


Foreign banks and payment gateways are just that, its controlled by them including data. Paytm is an indian company with foreign investors. Do you see the difference? then Why single out indian startups in a biased manner?
 
  • Like
  • Agree
Reactions: Sumanta and Aravind
Don't make lame statements for argument sake. Payment gateways have all data. Access to it for CIA is a request away. Comparison in this context is Visa/Mastercard vs Rupay, not HDFC.

View attachment 2605

Foreign banks and payment gateways are just that, its controlled by them including data. Paytm is an indian company with foreign investors. Do you see the difference? then Why single out indian startups in a biased manner?

Ownership is irrelevant. The servers have to be located in India. The article is also talking about that.

Of course, we need something like Rupay also going mainstream.
 
  • Like
  • Agree
Reactions: Sumanta and Aravind
I already told you, the US doesn't hold data. Visa/Mastercard data is held by local banks in India. The servers are located in India. If you have a Visa card issued by HDFC, then HDFC holds your data. Visa is only a payment gateway.

What I meant is since Visa/Master are protected by American govt, there's no chance they will go bankrupt and then sell data to a foreign company. The same doesn't apply to Paytm. Paytm is like HDFC here.


As a person who actually worked with MNC with payment services . I can tell you every bit of data is stored . Data is digital money for companies . Visa or MasterCard or Chinese union pay they store everything . Infact storing the data for payment services is legally required .
 
As a person who actually worked with MNC with payment services . I can tell you every bit of data is stored . Data is digital money for companies . Visa or MasterCard or Chinese union pay they store everything . Infact storing the data for payment services is legally required .

Yes. Store it in India, subject to Indian laws.

The article isn't talking about data storage, but the location of data storage.
 
  • Like
Reactions: Aravind
I wonder which payment firms want to store my data outside the country, I won't touch those companies with a barge pole.
There are 2 ways customer information is stored outside the geographical boundary.
1st User data on outside servers and 2nd payment transaction data on outside servers. Both card companies as well as UPI based service providers both store data outside but to what extent that can be discussed.
 
  • Like
Reactions: randomradio
I'm not into social media, waste of time. But information is easily controlled there, I can easily change my name, DOB, address etc. You don't put your financial info there after all.

But this issue is different since I have credit cards and debit cards saved on stuff like Paytm. I don't want such information stored under the control of a different country.
You don't have a say in what a company stores outside and what not. It is the regulator which can only intervene and enforces the rules & regulations as it deems fit.
 
  • Agree
Reactions: Sumanta