Almost a year ago, on July 22, 2021, the Reserve Bank of India (RBI) decided to halt the operations of US payment gateway Mastercard in India by banning it from the country. At that time, the country’s central bank said the New York-based Mastercard failed to meet local storage standards and prevented it from onboarding new customers in the country until she complies.
The RBI added that Mastercard, despite having been given considerable time and adequate opportunities to comply with regulatory standards, had failed to fail to comply.
11 months later, the RBI found that Mastercard had demonstrated “satisfactory compliance” with local data storage rules. With this, it is once again allowed to onboard customers from the world’s second largest Internet market on its network of debit, prepaid or credit cards.
“In view of the satisfactory compliance demonstrated by Mastercard Asia / Pacific Pte. Ltd. with the Reserve Bank of India (RBI) circular dated 6 April 2018 on the storage of payment system data, the restrictions imposed, see the order dated July 14, 2021, to the onboarding of new domestic customers have been lifted with immediate effect,” the RBI said in a statement.
MasterCard was one of three entities banned by the RBI from onboarding new customers and issuing new debit, credit or prepaid cards to them in recent times. The reason for this ban was the entities’ failure to comply with local data storage rules.
American Express and Diners Club are still not allowed to onboard new users in the country, although they are allowed to continue serving their existing customer base.
The rules in question refer to the Payments System Data Storage Instructions, which require payment companies to store all Indian transaction data on servers in the country itself. Four years ago, the RBI observed that not all system providers had complied with the rules and stored payment data in India.
The data in question must include full end-to-end transaction details and information collected, transported and processed as part of the message and payment instructions. Additionally, with respect to the foreign leg of transactions (if applicable), data may also be stored in the foreign country if necessary.
The rules added that if foreign payment processors transferred card storage data to servers in other countries to smooth the flow, then they were obligated to delete the data within 24 hours.