Last week, the UIDAI published a comprehensive list of 31 FAQs on the Aadhaar Data Vault and we are happy that we had already covered many of these in our previous blog post 🙂
This week, we will be covering some basic Do’s and Don’ts for using the Aadhaar Data Vault at your organisation.
Ready? Here you go:
Do’s:
1. Make sure that each Aadhaar number is mapped to one unique Reference Key and that you are not generating multiple Reference Keys for the same Aadhaar number across multiple transactions. The transaction for which the Aadhaar Data Vault’s APIs were invoked can be identified by storing the required details in the transaction logs.
2. Rotate / change your HSM keys regularly to minimise the possibility of any data pilferage.
3. If your organisation is an AUA, make sure that all your existing, or newly appointed, Sub-AUAs store the Aadhaar numbers only inside the Aadhaar Data Vault.
4. Ensure that your CERT-In certified and UIDAI empanelled Auditor issues your organisation a separate (and distinctive) Compliance Certificate for your Aadhaar Data Vault implementation.
Don’ts:
1. Do not bypass the regulation by storing the Aadhaar numbers and XML response data in an encrypted form in your business database, thinking that it will serve the purpose. Aadhaar numbers and the XML data have to be mandatorily stored in the Aadhaar Data Vault only. In no situation can the Aadhaar numbers (except the last 4 digits) be stored outside the Aadhaar Data Vault.
2. Do not implement any reference key generation process that uses the original Aadhaar number as an input to the key generation logic. Please remember that it should not be possible to reverse engineer the reference key to decipher the original Aadhaar number.
3. Although the UIDAI permits storage of Aadhaar numbers captured from older transactions in encrypted backup files, we strongly recommend that you incorporate the required changes in your existing databases or backup files so that the same are not kept outside the ambit of the Aadhaar Data Vault. All the Aadhaar numbers captured from the transactions which were processed prior to the implementation of the Aadhaar Data Vault have to be stored only within the Vault to avoid any policy conflicts at a later date.
4. Do not subscribe to any implementation model in which multiple entities / organisations share the HSM infrastructure (to save cost) for encrypting the Aadhaar details. Under no circumstances should the HSM be shared with other agencies / organisations, as it implies sharing of Aadhaar numbers and other related data with that organisation.
5. Do not use the same VM for your business applications and the Aadhaar Data Vault application as the Aadhaar Data Vault containing Aadhaar number, data and the referencing system must be kept in a highly restricted network zone that is isolated from any untrusted zone and other internal network zones.
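The reference key rules in Do 1 and Don't 2 can be seen together in the following added example, which is not part of the original post or any UIDAI code: one random reference key per Aadhaar number, with each transaction identified in the log rather than by a new key. The class and function names, the in-memory dictionary, the HMAC lookup tag (standing in for an operation performed with an HSM-held key) and the sample numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ReferenceKeyVault:
    """In-memory stand-in for the vault's reference key mapping (hypothetical)."""

    def __init__(self, index_key: bytes):
        # Assumption: in production this key stays in the HSM and the HMAC runs there.
        self._index_key = index_key
        self._by_tag = {}          # lookup tag -> reference key, never leaves the vault
        self.transaction_log = []  # (transaction id, reference key, purpose)

    def _tag(self, aadhaar: str) -> str:
        # Keyed tag used only inside the vault to find an existing mapping.
        return hmac.new(self._index_key, aadhaar.encode(), hashlib.sha256).hexdigest()

    def reference_key_for(self, aadhaar: str, txn_id: str, purpose: str) -> str:
        if not (aadhaar.isascii() and aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit Aadhaar number")
        tag = self._tag(aadhaar)
        ref = self._by_tag.get(tag)
        if ref is None:
            # Random value: nothing in it is computed from the Aadhaar number,
            # so it cannot be reversed to recover the number.
            ref = secrets.token_hex(16)
            self._by_tag[tag] = ref
        # The transaction is identified in the log, not by minting a new key.
        self.transaction_log.append((txn_id, ref, purpose))
        return ref


def business_record(ref: str, aadhaar: str) -> dict:
    # What the business database may hold: reference key and last 4 digits only.
    return {"reference_key": ref, "aadhaar_last4": aadhaar[-4:]}


def demo():
    vault = ReferenceKeyVault(index_key=secrets.token_bytes(32))
    sample = "999900001234"  # constructed sample value, not a real Aadhaar number
    first = vault.reference_key_for(sample, "TXN-0001", "eKYC")
    second = vault.reference_key_for(sample, "TXN-0002", "authentication")
    other = vault.reference_key_for("999900005678", "TXN-0003", "eKYC")
    return vault, first, second, other, business_record(first, sample)


if __name__ == "__main__":
    vault, first, second, other, record = demo()
    print(first == second, first != other, record, len(vault.transaction_log))
```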
We hope the above helps you in your Aadhaar Data Vault implementation. In case you have any queries, feel free to email us on amit@eastcs.com or call on 09820875525 / 07208155528.
–
Regards
Team ECS.