Mastercard banned from taking on new customers in India after flouting data rules
The country’s reserve bank found that the payment provider did not comply with a data policy established in 2018
In April 2018, the RBI released a Storage of Payment System Data notice which stipulated that payment system providers should store payment data in India to ensure “better monitoring”. This includes the full end-to-end transaction details and information collected or carried as part of the message or payment instruction.
However, for the “foreign leg” of the transaction, the data can also be stored in the foreign country if required.
Payment system providers were given six months to implement this change, which should have been completed by 15 October 2018, and report compliance to the RBI, as well as submitting an audit report to the bank by December. Mastercard is said to be still in breach of these terms, according to the RBI.
“Notwithstanding lapse of considerable time and adequate opportunities being given, [Mastercard] has been found to be non-compliant with the directions on Storage of Payment System Data,” said Yogesh Dayal, chief general manager at the RBI.
Aberdeen Report: How a platform approach to security monitoring initiatives adds value
Integration, orchestration, analytics, automation, and the need for speedFree download
The RBI has now placed a freeze on the onboarding of new Mastercard customers across the country, and Mastercard must advise all card-issuing banks and non-banks to conform to these directions.
A spokesperson from Mastercard said it is "fully committed" to its legal and regulatory obligations in the markets it operates in.
"Since the issuance of the 2018 directive requiring on-soil storage of domestic payment transaction data, we have worked closely with the RBI to ensure that we comply with the requirements," said the spokesperson. "While we are disappointed with the stance taken by the RBI today (July 14), we will continue to work with them and provide any additional details needed to resolve their concerns."
The 2018 policy change emerged following a recognition that the payment ecosystem in India had expanded “considerably” with the emergence of new payment systems, players, and platforms.
“Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches while maintaining a healthy pace of growth in digital payments,” the bank stated.
In order to have “unfettered access” to all payment data for “supervisory purposes”, the RBI decided that all payment system operators had to ensure that data related to payment systems operated by them should be stored only inside the country.
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device programFree download
The business value of Red Hat OpenShift
Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShiftFree download
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain securityFree download
Digital remote monitoring and dispatch services’ impact on edge computing and data centres
Seven trends redefining remote monitoring and field service dispatch service requirementsFree download