System Audit Report for Data Localization (SAR)
The System Audit Report for Data Localization (SAR) & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localization controls for storage of payment related data.

Key Criteria for System Audit Report for Data Localization (SAR)
Based on the RBI & NPCI Guidelines, the following key criteria need to be covered as part of this audit.
- Payment Data Elements
- Transaction / Data Flow
- Application Architecture
- Network Diagram / Architecture
- Data Storage
- Transaction Processing
- Activities subsequent to Payment Processing
- Cross Border Transactions
- Database Storage and Maintenance
- Data Backup & Restoration
- Data Security
- Access Management

SANS25 Secure Coding Guidelines
A well-known compilation of the most frequent security weaknesses found across all types of systems, intended to make secure coding second nature for every developer.
- Out-of-Bounds Read and Write
- Improper Authentication
- Unrestricted Upload of File with Dangerous Type
- Null Pointer Dereference
- Improper Control of Generation of Code
- Improper Certificate Validation
Approach for System Audit Report for Data Localization (SAR)
Based on our extensive experience with delivering SAR for Data Localization & Storage of Payment System Data, we have developed the following approach:
Phase 1 – Information Gathering & Documentation Review
A detailed questionnaire is shared with your teams, and supporting documentation and evidence are collected on the architecture, implementation and controls in place. These documents are thoroughly reviewed by our experts to understand the implementation and flag any concerns. The questionnaire is designed with the RBI FAQs in mind.
Phase 2 – Assessment, Validation & In-Depth Control Review
In this phase, an in-depth analysis is carried out to validate all the documentation and cross-examine the artefacts provided. The technical controls are assessed against best practices, and the data flow is analysed to identify potential risks or gaps.
Phase 3 – Remediation & Re-Validation
A comprehensive report is provided covering all areas of concern, risks or violations. Appropriate recommendations are provided along with detailed proof-of-concept details to help your teams understand the concerns raised. Our team works with you to carry out re-validation to ensure that you are able to close all the gaps and achieve successful compliance.
Phase 4 – CERT-In Empanelled Certification
As a CERT-In Empanelled Auditor, we document the entire activity along with the relevant documentation, artefacts, findings and recommendations. A CERT-In Certification is issued for the System Audit Report (SAR) for Data Localization & Storage of Payment System Data.
