The Reserve Bank of India (RBI) has barred Mastercard Asia/Pacific Pte. Ltd from onboarding new domestic customers (debit, credit or prepaid) onto its card network from July 22, 2021. The move is being made in response to the company's non-compliance with local data storage regulations.
“Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data,” the central bank said in a statement.
“This order will not impact existing customers of Mastercard. Mastercard shall advise all card-issuing banks and non-banks to conform to these directions. The supervisory action has been taken in the exercise of powers vested in RBI under Section 17 of the Payment and Settlement Systems Act, 2007 (PSS Act),” RBI said.
Mastercard is a Payment System Operator authorised by the PSS Act to operate a Card Network in the country.
Previously, the central bank barred American Express and Diners Club International from onboarding new domestic customers beginning May 1 after these companies were found to be in violation of the central bank's instructions regarding the storage of payment system data in India.
Also, RBI rejected requests from prominent merchants such as Amazon, Microsoft, Netflix, Flipkart, and Zomato to store customer credit card data in accordance with the new payment aggregators and payment gateways (PA/PG) standards.
The central bank is making these efforts to bolster data security for Indian consumers. In April 2018, the central bank had issued a circular on Storage of Payment System Data asking all System Providers to ensure that within a period of six months the entire data (full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India.
Companies were also required to report compliance to RBI and submit a Board-approved System Audit Report conducted by a CERT-In empanelled auditor within the timelines specified therein.