Ban On Mastercard Removed: Mastercard Allowed To On-Board New Customers As Data Will Be Saved In India Now
RBI has lifted restrictions it imposed on Mastercard Asia/Pacific which prevented it from onboarding new domestic customers on its network.
This takes place “with immediate effect”.
The company is India’s second largest credit card issuer.
It stated that it received “satisfactory compliance” and hence has lifted restrictions it imposed on July 14, 2021 from onboarding new domestic customers (debit, credit or prepaid) onto its card network from July 22, 2021.
It had punished Mastercard due to non-compliance with local data storage guidelines despite being given considerable time and adequate opportunities.
Sources say that Mastercard was already in the process of localising data storage.
However it was too slow in its pace for which it was punished by the RBI.
As per the ‘Storage of Payment System Data’ norms all “system providers must ensure that all data relating to payment systems operated by them are stored in a system only in India”.
All foreign payment operators storing card and customer related data must do so in servers physically present in India.
Disagreement with RBI
Mastercard is a Payment System Operator or PSO authorised to operate a card network in the country under the Payment and Settlement Systems Act, 2007 (PSS Act).
This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction.
Mastercard wanted RBI to relax the storage norms and wanted an exemption which would accept ‘storage in India’ rather than ‘storage only in India’.
The central bank allowed foreign payment processors to transfer card storage data abroad for smoothing flow.
However, the RBI was firm in that if customer data was sent overseas for processing, it had to be deleted by the end of the day or within 24 hours.
Other compliance requirements
They also had to report compliance to RBI and submit a board-approved System Audit Report conducted by a CERT-In empanelled auditor within the specified timelines.
PSOs had to submit detailed “compliance certificates” to the central bank twice a year signed by the respective chief executives or managing director.
This would confirm adherence to all RBI regulations around security and storage of payment data.
For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
Third foreign entity to be punished
Mastercard was found to be non-compliant with the directions on storage of payment system data to be specific, notwithstanding the lapse of considerable time and adequate opportunities given.
The move made Mastercard the third entity to be barred on these grounds after the RBI had similarly restricted American Express and Diners Club International.
Existing customers of Mastercard in the country were not impacted by the restrictions.
As a result of this reversal, some banks which had credit card issuance arrangements with Mastercard will likely resume their original agreement after switching to Visa.
For instance, RBL Bank which had issued 30 lakh cards in partnership with Bajaj Finserv.
Yes Bank too had an exclusive arrangement with Mastercard.