wordpress blog stats
Connect with us

Hi, what are you looking for?

RBI bars Mastercard from adding new customers in India; flags non-compliance with data localisation guidelines

credit card, mastercard

The latest move is a part of RBI’s localisation mandate for payments data that came into effect in 2018 and requires that such data be mandatorily stored in India. 

The Reserve Bank of India in a statement today said that it has barred Mastercard from onboarding new domestic customers in India onto its card network – debit, credit, or prepaid cards – with effect from July 22. The statement, however, notes that existing Mastercard users will not be impacted by the restrictions.

Earlier this year, the RBI had barred American Express and Diners Club from onboarding new customers due to non-compliance with its data localisation guidelines. In December 2019, the RBI imposed sanctions on HDFC Bank and barred the bank from onboarding any new credit card customers. Mastercard along with payments network Visa dominate global cards payment and, in India, the credit cards market.

In April 2018, a circular was issued by the RBI to payments systems and scheduled commercial banks directing them to

  • Store their entire data relating to payment systems operated by them in a system only in India.
  • Report compliance of the same to the RBI in six months
  • Submit a System Audit Report (SAR) done by a CERT-in empanelled auditor to the RBI by December 2018.

    “This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required,” said the circular.

The RBI said that Mastercard had failed to be in compliance with the directions on Storage of Payment System Data, “notwithstanding the lapse of considerable time and adequate opportunities being given.”

Advertisement. Scroll to continue reading.

In June 2019, the RBI had issued further clarifications on the guidelines.

  • Data processed outside: The RBI also clarified that while there is no bar on overseas processing of strictly domestic transactions, the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here. The regulator also said that should companies need access to data for payment processing activities, they can access it, at any time.
  • Data to be mandatorily stored in India: This data includes i) customer data such as name, mobile number, email, Aadhaar number, PAN number, etc. as applicable; ii) payment sensitive data – customer and beneficiary account details; iii) payment credentials – OTP, PIN, passwords, etc. and iv) transaction data – originating & destination system information, transaction reference, timestamp, amount, etc. The RBI said that data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transactions.
  • These norms are applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorised by the RBI.

Subsequently, the RBI issued relaxations on the guidelines for large foreign firms to comply with the data localisation rules. During the implementation of the guidelines, several banks had expressed concerns about the RBI’s data storage requirements and processing-related guidelines.

Also Read:

Written By

I cover health and education technology for MediaNama. Reach me at anushka@medianama.com

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...


By Stella Joseph, Prakhil Mishra, and Yash Desai The Government of India circulated proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) which...

You May Also Like


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ