The Reserve Bank of India announced on Wednesday, July 14, that it has imposed restrictions on Mastercard from on-boarding new domestic customers (debit, credit or prepaid) onto its network from July 22. The reason for this was that Mastercard had not complied with the directions for the storage of Payment System Data in the country. This order does not impact existing customers.
“Mastercard shall advise all card issuing banks and non-banks to conform to these directions. The supervisory action has been taken in exercise of powers vested in RBI under Section 17 of the Payment and Settlement Systems Act, 2007 (PSS Act),” RBI said in a release.
Similarly, in April, the RBI had imposed restrictions on American Express and Diners Club International from on-boarding new domestic customers onto their card networks from May 1 for the same reason.
In a circular in 2018, RBI had said that all payment systems data in the country, including full end-to-end transaction details, and information collected, carried or processed as part of the message or payment instruction in the country was to be stored in a system only in the country. "This may, interalia, include - Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.); and, Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.)," RBI had said at the time answering FAQs.
RBI said they were also required to report compliance to RBI and submit a Board-approved System Audit Report conducted by a CERT-In empanelled auditor.
RBI had said there was no bar in payments being processed abroad but in that case, data should be deleted from the systems there and brought back to India within 24 hours. Any subsequent activity such as settlement processing after payment processing, if done outside India, should also be undertaken / performed on a near real time basis, it had said.
"In case of any other related processing activity, such as chargeback, etc., the data can be accessed, at any time, from India where it is stored," RBI had then added.
Many companies have raised concerns about data localisation leading to increased costs.