barred Mastercard Inc. from issuing new cards in India after it found the US-based payments major was storing customers’ data on servers located outside the country and also failing to erase from overseas servers the Indian leg of the transactions data within 24 hours as mandated, three sources aware of the matter told ET.
The card network may also have been non-compliant with Indian central bank’s requirement to appoint a domestic auditor certified by the country’s nodal cybersecurity agency—Indian Computer Emergency Response Team (CERT-in)—to conduct its external compliance audit, the sources added.
“Some part of the transaction data is being kept in India, but a significant part of information related to transaction processing and fraud checks is going out of the geography. Effectively, it is a dual record maintenance and that is what the regulator is not okay with,” a senior bank official aware of the matter told ET.
In response to an ET query, Mastercard said it is continuously engaging with the regulator including submitting system audit reports on a regular basis and hopes for an early resolution on the matter.
“When RBI required us to provide additional clarifications about our data localisation framework in April 2021, we engaged our government-empanelled audit firm to address those points,” Mastercard said. “That report was slightly delayed and submitted to the RBI on July 20, 2021. We are hopeful that this latest filing provides the assurances and insights required to address their concerns and move toward a resolution on the matter.”
RBI did not respond. In a media statement last week, Mastercard had said it was “disappointed” with RBI’s stance and was “fully committed to legal and regulatory obligations” in India.
The central bank last week
imposed regulatory restrictions on Mastercard from onboarding new domestic debit, credit, or prepaid customers on its card network in India from July 22. The regulator’s supervisory action was citing “non-compliance with directions on Payment System Data”. To be sure, these restrictions are only on Mastercard’s new cards and not the existing ones held by customers.
As per this rule, all foreign payment operators storing card and customer related data must do so in servers physically present in India. RBI introduced the rule through a circular issued in April 2018. As per RBI’s rules, foreign payment processors can transfer card storage data abroad for smoothing flow provided this data is deleted within 24 hours.
“Inability of Mastercard to store payments data in India is what was flagged by RBI,” a person aware of the matter said. “Typically, for companies like Mastercard, there are robust fraud risk engines which collate data from various switches across the world to prevent cross jurisdiction cloning or phishing attacks,” the person said, adding that Mastercard’s insistence on storing this data abroad is what got it on the wrong side of the Indian regulations.
According to the person, Mastercard wanted the external audit to be performed by its overseas auditor appointed by the global unit. These terms were not agreed by the RBI, which invited the curbs, the person added.
“A certain part of the data on transactions processed has been moved to India and Mastercard is using that as a defence, but the RBI wants end-to-end stored locally in the country,” a third source, who is a payments industry executive, said.
“For their own internal fraud checks Mastercard is sending a copy to their international servers to weed out malicious transactions,” the person added.
Mastercard is registered as a Payment System Operator (PSO) authorised to operate a card network in the country under the PSS Act. Other leading card networks in India include US-based Visa and National Payments Corp of India’s RuPay. India has a total of 62.3 million credit cards and 902.3 million debit cards in circulation.
The Indian central bank had tightened data storage norms for PSOs in India through a notice issued to chief executives of all such licensed companies in India. ET has a copy of the notice.
As per the rules introduced in March, all PSOs from FY22 were mandated to submit detailed “compliance certificates” to the central bank twice a year, signed by the respective chief executives or managing director, confirming adherence to all RBI regulations around security and storage of payment data.
These requirements are over and above the ones mandated by the central bank in April of 2018 where it asked all PSOs to submit board-approved annual System Audit Report (SAR) by CERT-empanelled auditors.
These companies were also asked to submit a one-time compliance report with data localisation norms which mandate the data relating to payments in India will be stored in a server physically present in the country by December of 2018.
RBI’s Mastercard ban likely to create monopoly in credit card market in India
RBI had asked these certificates to be submitted on April 30 and October 31 of every year. The central bank’s decision to tighten data storage norms, earlier this year, also attracted curbs on US-based American Express and Diners Club for non-compliance with the same rule.
Decoded: How RBI’s latest ban on Mastercard affects you
As per industry sources, Visa and Mastercard together process a significant chunk—over 70%—of India’s credit cards. For debit card issuances, NPCI’s RuPay is said to be the largest card issuer. RBI does not disclose the breakup.