The latest step is part of the RBI’s localization mandate for payment data, which came into force in 2018, and requires this data to be stored in India.
The Reserve Bank of India in a statement said today that it banned Mastercard from adding new domestic customers in India to its card network – debit, credit or prepaid cards – effective July 22nd. However, the statement states that existing Mastercard users are not affected by the restrictions.
At the beginning of the year, RBI prevented American Express and Diners Club from accepting new customers due to non-compliance with their data localization guidelines. In December 2019, RBI imposed sanctions on HDFC Bank and prohibited the bank from accepting new credit card customers. Mastercard, together with the Visa payment network, dominates global cards payment and in India the credit cards market.
In April 2018, a circular was issued by the RBI to payment systems and planned commercial banks that it to
- Save all of your data on the payment systems you operate in one system only in India.
- Report compliance with the same to the RBI within six months
- Submit a System Audit Report (SAR) by December 2018, which was created by a CERT-in-empaneled auditor to RBI.
“This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment order. For the international part of the transaction, the data can also be saved abroad if necessary, ”the circular said.
The RBI said that Mastercard had not followed the instructions for storing payment system data, “despite considerable time and reasonable possibilities”.
In June 2019, the RBI provided further clarifications on the guidelines.
- Data processed outside: The RBI also made it clear that the processing of purely domestic transactions abroad is not excluded, but the data should be returned to India within one working day or 24 hours after the payment has been processed and stored locally here. The regulator also said companies that need access to data for payment processing activities can access it at any time.
- Mandatory data to be stored in India: This data includes i) customer data such as name, mobile phone number, e-mail, Aadhaar number, PAN number, etc., if applicable; ii) payment sensitive information – customer and beneficiary account information; iii) Payment information – OTP, PIN, passwords etc and iv) Transaction details – source and destination system information, transaction reference, timestamp, amount etc. The RBI said data stored in India should include end-to-end transaction details and information Payment or settlement processes.
- These standards apply to Transactions that are made via system participants, service providers, intermediaries, payment gateways, third-party providers and other units of the payment ecosystem in addition to all payment system providers authorized by RBI.
Subsequently, the RBI eased the guidelines for large foreign companies in order to comply with the data localization rules. In the course of the implementation of the guidelines, several banks had expressed concerns about the requirements for data storage and the processing-related guidelines of the RBI.