Since the UIDAI came up with a circular in late July this year making it mandatory for all AUA, KUA and Sub-AUAs to implement Aadhaar Data Vault, many questions (and myths) around the concept of Aadhaar Data Vault have surfaced.
As India’s leading e-KYC Solutions Company, we meet 100s of organizations every month for addressing their e-KYC requirements and during our interactions, we have witnessed a tremendous amount of ambiguity around the Aadhaar Data Vault ecosystem.
As domain experts in this industry, we feel that it is our responsibility to address these uncertainties for the benefit of our fellow industry peers as well as our customers.
Before we attempt to bust the myths around the Top 14 most Frequently Asked Questions (FAQs) on the Aadhar Data Vault, let’s first get the basics of the Aadhaar Data Vault right. So, here we go:
Aadhaar Data Vault: What It Is, And What It is Not!
Aadhaar Data Vault is a highly secured repository of the Aadhaar numbers or any data file containing the Aadhaar numbers.
It should not be treated as a repository of your customers’ e-KYC details like demographic data, photograph, etc. These details can, and should be, stored separately in the database of your business applications / ERP systems.
Top 14 FAQs:
1. Which types of entities are required to implement Aadhaar Data Vault?
A: As per UIDAI’s directive, all AUA, KUA and Sub-AUA entities are required to implement the Aadhaar Data Vault.
2. My organisation does not perform any e-KYC transactions. We only do Demographic Authentication transactions. Are we still required to implement the Aadhaar Data Vault?
A: YES. Even if your organisation is accessing the Aadhaar ecosystem only for Demographic Authentication transactions, you need to implement the Aadhaar Data Vault.
3. We do not need to store the Aadhaar number(s) at our end after performing the Demographic Authentication / e-KYC transactions. Are we still required to implement the Aadhaar Data Vault?
A: NO. If you do not intend to store the Aadhaar number(s), Aadhaar XML or PDF Response Document received from UIDAI, you are not required to implement the Aadhaar Data Vault.
4. What exactly should be stored inside the Aadhaar Data Vault?
A: Only the Aadhaar number(s) and any data file containing the Aadhaar numbers (e.g. UIDAI Response XML, Signed PDF, etc.) received from UIDAI as a response to your e-KYC has to be stored inside the Aadhaar Data Vault.
5. Does this mean that we can store details like the Aadhaar user’s Photograph and Demographic Data in our business database that is outside the Aadhaar Data Vault?
A: YES.
6. Is there any deadline for implementing the Aadhaar Data Vault?
A: While the UIDIAI has not issued any official notification for the last date of implementing the Aadhaar Data Vault, we have learnt from several reliable sources that the most likely deadline for implementing the Aadhaar Data Vault is 31st March 2018.
7. What is the prescribed Server configuration for hosting the Aadhaar Data Vault?
A: There is no prescribed Server configuration as such. It purely depends on the volume of your Aadhaar transactions.
8. Where should we host our Aadhaar Data Vault? On a Cloud Server or our local Physical Servers?
A: You can host your Aadhaar Data Vault on a Cloud Server as well as on your local Physical Servers in your data center. However, if you host your Aadhaar Data Vault on Cloud Server, you need to ensure that the Physical Servers of your Cloud Service Provider are hosted within India.
9. Are any certifications mandatory for implementing the Aadhaar Data Vault?
A: NO. While the UIDAI has not issued any notification on the certifications for implementing the Aadhaar Data Vault, we strongly recommend that you obtain a separate Compliance Certificate from your UIDAI-certified CERTIN Auditor who audits your AUA / KUA platform annually.
10. Is it mandatory to implement and integrate the Hardware Security Module (HSM) with the Aadhaar Data Vault?
A: Yes. As per the UIDAI circular, an HSM has to be mandatorily integrated with the Aadhaar Data Vault.
11. Can we use a Software HSM instead of a Hardware HSM for the Aadhaar Data Vault?
A: No. You cannot use a Software HSM for encrypting the data to be stored in the Aadhaar Data Vault.
12. Can we use an USB / Smart Card HSM for the Aadhaar Data Vault?
A: Yes. But we do not recommend them since HSM devices with a small form factor like an USB or Smart Card do not support high transaction volumes.
13. Is the Aadhaar Data Vault solution required to be capable of handling the HSM key rotation transactions?
A: YES. The Aadhaar Data Vault solution is required to possess the key rotation and data updation capabilities. Enterprises follow the practice of rotating the HSM keys periodically at pre-defined intervals to optimize the platform security. Ideally, the HSM keys should be rotated at least twice in a year.
14. Can I sign up with different vendors for Aadhaar e-KYC platform and Aadhaar Data Vault solution?
A: YES. The Aadhaar Data Vault solution is a stand-alone solution and the vendors providing it can be different from your e-KYC software vendors. These two solutions can be seamlessly integrated with each other.
We hope we have managed to answer most of the questions you had about the Aadhaar Data Vault ecosystem. In case you have any more queries, please feel free to write to us at amit@eastcs.com or call us on 09820875525 / 07208155528.
–
Regards
Team ECS.