on Wednesday has barred US-based card network Mastercard from onboarding new domestic debit, credit or prepaid customers on its card network in India from 22 July onwards.
The central bank’s supervisory action on Mastercard is citing its non-compliance with data localisation mandate wherein all foreign payment operators storing card and customer related data must do so in servers physically present in India.
“Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data,” the central bank said in a circular.
Mastercard didn’t immediately comment.
RBI had issued its data storage circular in April of 2018 and given all system providers a time frame of six months to enforce these norms. The central bank said that Mastercard’s existing customers won’t be impacted because of these restrictions.
“This order will not impact existing customers of Mastercard. Mastercard shall advise all card issuing banks and non-banks to conform to these directions. The supervisory action has been taken in exercise of powers vested in RBI under Section 17 of the Payment and Settlement Systems Act, 2007 (PSS Act),” RBI said.
Mastercard is registered as a Payment System Operator authorised to operate a card network in the country under the PSS Act. Other leading card networks in India include US-based Visa and National Payments Corp of India’s RuPay.
ET had reported in March that the central bank had tightened its supervisory norms for payment companies storing customer data in India amid a slew of cyber-security breaches at tech start-ups.
All payment system operators from FY22 were mandated to submit detailed “compliance certificates” to the central bank twice a year, confirming adherence to all RBI regulations around security and storage of payment data. RBI had asked these certificates to be submitted on April 30 and October 31 every year.
These requirements are over and above those mandated by the central bank in April of 2018, when it asked all payment companies to submit board-approved annual System Audit Reports (SAR) by CERT-empanelled auditors.
These companies were also asked to submit a one-time compliance report with data localisation norms mandating that data relating to payments in India will be stored in a server physically present in the country by December of 2018.Internet Explorer Channel Network