The Reserve Bank of India (RBI) has banned Mastercard from taking on new customers from 22 July following a dispute over the company's failure to abide by data storage policies.
In April 2018, the RBI released a Storage of Payment System Data notice which stipulated that payment system providers should store payment data in India to ensure “better monitoring”. This includes the full end-to-end transaction details and information collected or carried as part of the message or payment instruction.
However, for the “foreign leg” of the transaction, the data can also be stored in the foreign country if required.
Payment system providers were given six months to implement this change, which should have been completed by 15 October 2018, and report compliance to the RBI, as well as submitting an audit report to the bank by December. Mastercard is said to be still in breach of these terms, according to the RBI.
“Notwithstanding lapse of considerable time and adequate opportunities being given, [Mastercard] has been found to be non-compliant with the directions on Storage of Payment System Data,” said Yogesh Dayal, chief general manager at the RBI.
Aberdeen Report: How a platform approach to security monitoring initiatives adds value
Integration, orchestration, analytics, automation, and the need for speed
The RBI has now placed a freeze on the onboarding of new Mastercard customers across the country, and Mastercard must advise all card-issuing banks and non-banks to conform to these directions.
A spokesperson from Mastercard said it is "fully committed" to its legal and regulatory obligations in the markets it operates in.
"Since the issuance of the 2018 directive requiring on-soil storage of domestic payment transaction data, we have worked closely with the RBI to ensure that we comply with the requirements," said the spokesperson. "While we are disappointed with the stance taken by the RBI today (July 14), we will continue to work with them and provide any additional details needed to resolve their concerns."
The 2018 policy change emerged following a recognition that the payment ecosystem in India had expanded “considerably” with the emergence of new payment systems, players, and platforms.
“Ensuring the safety and security of payment systems data by adoption of the best global standards and their continuous monitoring and surveillance is essential to reduce the risks from data breaches while maintaining a healthy pace of growth in digital payments,” the bank stated.
In order to have “unfettered access” to all payment data for “supervisory purposes”, the RBI decided that all payment system operators had to ensure that data related to payment systems operated by them should be stored only inside the country.
