wordpress blog stats
Connect with us

Hi, what are you looking for?

Mastercard looks to reverse RBI ban on issuing new cards in India with its latest audit report

The RBI guidelines that Mastercard failed to comply with, state that customer data, payment sensitive data, and transaction data have to be stored in India.   

We missed this earlier: Mastercard has complied with the local data storage norms laid down by the Reserve Bank of India (RBI) in 2018, the company informed MediaNama. The payments company added that it filed a new audit report on July 20 to notify the central bank of its compliance.

“When RBI required us to provide additional clarifications about our data localization framework in April, 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance. We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard’s statement read. 

According to a Reuters report, the audit report was submitted after the RBI barred Mastercard from adding new domestic customers in India onto its card network on July 14. The report, citing sources, also said that the RBI was reviewing the new audit report. 

Why it matters? India has registered a sizeable growth in its payments ecosystem over the past few years. Despite this, major players like Visa and Mastercard had not made arrangements for the storage of payments information in India. According to the RBI, it is “important to have unfettered supervisory access to (payments) data to ensure better monitoring on a continuous basis.” A report in the Times of India explains that the central bank wants to insure itself against the possibility of losing access to data if payments services host it in another country.

Details of the RBI order mandating data localisation

In 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India: 

Advertisement. Scroll to continue reading.
  • Entire data relating to payment systems must be stored in a system only in India 
  • Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
  • Furnish the System Audit Report (SAR) by CERT-IN empaneled auditors by December 31, 2018

However, in June 2019 following concerns raised by the industry, RBI went on to clarify the guidelines:

  • The central bank elaborated on data that had to be stored in India mandatorily:
    • Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
    • Payment sensitive data: Customer and beneficiary account details
    • Payment credentials: OTP, PIN, passwords, etc.
    • Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
  • The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorised by the RBI.
  • The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.

What led to the RBI ban on Mastercard? 

A brief timeline precipitating the ban, according to a Reuters report:

  • April 2018: RBI conveys to all payments system operators in India to ensure payments-related data is stored within the country and gave the companies six months to comply.
  • October 2018: Mastercard starts storing data at a facility in Pune to comply with the guidelines but it still processes a part of each Indian transaction through data centres abroad, and later, transfers and stores that data in Pune.
  • April 2021: Sources informed Reuters that RBI was unsatisfied with a “system audit report” submitted by Mastercard’s auditor Deloitte. The audit was vague about the time Mastercard took to purge Indians’ card data that is processed abroad before being stored locally.
  • May 2021:American Express and Diners Club are banned from issuing new cards for violating the 2018 rules. It was the first time that the central bank issued sanctions against card network companies and payment operators in India due to non-compliance with the data storage norms.
  • July 2021:  Mastercard had been given multiple extensions to submit clarifications. The ban was enforced after the company requested another extension after the one till July 9 expired. 

The subsequent impact of the ban

The ban issued on July 22 prevented Mastercard from issuing new cards—debit, credit, and prepaid— to domestic customers. It did not affect existing customers. 

The ban impacted the capacity of banks such as RBL Bank and Yes Bank to issue new cards to their customers. RBL Bank said in a disclosure that it has started issuing cards on the Visa network. RBL Bank is the fifth largest credit card issuer in India with a five percent market share.

Yes Bank issues cards only on the Mastercard network, according to its website and information from Samsung Pay. The ban is likely to hamper its ability to issue new cards to prospective customers.

Also read:


Have something to add? Subscribe to MediaNama and post your comment

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ