This article was published 3 yearsago

Nearly a year ago, on July 22, 2021, the Reserve Bank of India (RBI) decided to put a halt on the operations of US-based payment gateway Mastercard in India by banning it in the country. At that time, the country’s central bank had said that the New York-headquartered Mastercard had failed to comply with local storage norms and prevented it from onboarding new customers in the country until it complied with them.

The RBI added that Mastercard, despite being given considerable time and adequate opportunities to comply with the regulatory norms, had failed to be non-compliant with them.

11 months down the line, the RBI has found Mastercard to have demonstrated “satisfactory compliance” with the local data storage rules. With this, it is once again permitted to onboard customers in the world’s second-largest internet market onto its card network across debit, prepaid, or credit.

“In view of the satisfactory compliance demonstrated by Mastercard Asia / Pacific Pte. Ltd. with the Reserve Bank of India (RBI) circular dated April 6, 2018 on Storage of Payment System Data, the restrictions imposed, vide order dated July 14, 2021, on on-boarding of new domestic customers have been lifted with immediate effect,” the RBI said in a statement.

MasterCard was one of three entities to be banned by the RBI from onboarding new customers and issuing new debit, credit or prepaid cards to them in recent times. The reason behind this ban was the failure of the entities to comply with local data storage rules.

American Express and Diners Club are still restricted from onboarding new users in the country, although they are allowed to continue to serve their existing customer base.

The rules in question refer to the directions on Storage of Payment System Data, which require payments firms to store all Indian transaction data within servers in the country itself. Four years ago, the RBI observed that not all system providers had complied with the rules and stored payment data in India.

The data in question should include complete end-to-end transaction details and information collected, carried, and processed as part of the message and payment instructions. Additionally, when it comes to the foreign leg of transactions (if any), the data can also be stored in the foreign country if it is required.

The rules added that if foreign payment processors transferred card storage data to servers in other countries for smoothing flow, then they were obligated to delete the data within 24 hours.