The Reserve Bank of India (RBI) has barred Mastercard from issuing new credIn a major supervisory action, the Reserve Bank on Wednesday indefinitely barred the US-based Mastercard from issuing new credit, debit and prepaid cards with effect from July 22 for its failure to comply with data storage norms.

Mastercard

It was the major supervisory action of  the Reserve Bank on Wednesday indefinitely barred the US-based Mastercard from issuing new credit, debit and prepaid cards with effect from July 22 for its failure to comply with data storage norms.

Mastercard, a major card issuing entity in the country, is the third company to have been barred by RBI from acquiring new customers after American Express Banking Corp and Diners Club International over data storage issue.

While it is banks and finance companies that issue cards, they partner either Mastercard, Visa or RuPay for network usage. Whenever a card is swiped, the processing takes place on the payment network cloud. Mastercard has been directed to advise all card-issuing banks and non-banks to conform to these directions.

“Mastercard is fully committed to our legal and regulatory obligations in the markets we operate in. Since the issuance of the RBI directive requiring on-soil storage of domestic payment transaction data in 2018, we have provided consistent updates and reports regarding our activities and compliance with the required stipulations. While we are disappointed with the stance taken by the RBI in their communication dated July 14, we will continue to work with them to provide any additional details required to resolve their concerns,” the company said.
In terms of the number of employees, India ranks second among all markets for Mastercard. The company has invested $1bn in India and has announced plans to invest $1bn more.

n April 2018, RBI set a six-month deadline for all system providers to store all their payments data solely in India. They were also required to report compliance to RBI and submit a board-approved system audit report conducted by a CERT-In (Indian Computer Emergency Response Team)-empanelled auditor within specified timelines. The regulator had said this was to ensure improved oversight over licensed entities in case of fraud or money laundering.

Several entities had resisted this rule on the grounds that much of their processing was centralized and it was not feasible to restructure global operations.

RBI later clarified that while data can be stored only locally, it can be sent overseas during the day for processing but should be deleted from offshore servers in 24 hours.

“This 2018 regulation came about after law enforcement and regulatory agencies faced difficulties in getting data from such entities for investigative purposes. RBI gave enough time and opportunity to the entities for complying with the new regulations. Despite this, if these companies have not been able to achieve the requirement, the regulator found such punitive actions necessary,” an official aware of the matter said on condition of anonymity.