wordpress blog stats
Connect with us

Hi, what are you looking for?

Mastercard looks to reverse RBI ban on issuing new cards in India with its latest audit report

The RBI guidelines that Mastercard failed to comply with, state that customer data, payment sensitive data, and transaction data have to be stored in India.   

We missed this earlier: Mastercard has complied with the local data storage norms laid down by the Reserve Bank of India (RBI) in 2018, the company informed MediaNama. The payments company added that it filed a new audit report on July 20 to notify the central bank of its compliance.

“When RBI required us to provide additional clarifications about our data localization framework in April, 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance. We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard’s statement read. 

According to a Reuters report, the audit report was submitted after the RBI barred Mastercard from adding new domestic customers in India onto its card network on July 14. The report, citing sources, also said that the RBI was reviewing the new audit report. 

Why it matters? India has registered a sizeable growth in its payments ecosystem over the past few years. Despite this, major players like Visa and Mastercard had not made arrangements for the storage of payments information in India. According to the RBI, it is “important to have unfettered supervisory access to (payments) data to ensure better monitoring on a continuous basis.” A report in the Times of India explains that the central bank wants to insure itself against the possibility of losing access to data if payments services host it in another country.

Details of the RBI order mandating data localisation

In 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India: 

Advertisement. Scroll to continue reading.
  • Entire data relating to payment systems must be stored in a system only in India 
  • Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
  • Furnish the System Audit Report (SAR) by CERT-IN empaneled auditors by December 31, 2018

However, in June 2019 following concerns raised by the industry, RBI went on to clarify the guidelines:

  • The central bank elaborated on data that had to be stored in India mandatorily:
    • Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
    • Payment sensitive data: Customer and beneficiary account details
    • Payment credentials: OTP, PIN, passwords, etc.
    • Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
  • The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorised by the RBI.
  • The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.

What led to the RBI ban on Mastercard? 

A brief timeline precipitating the ban, according to a Reuters report:

  • April 2018: RBI conveys to all payments system operators in India to ensure payments-related data is stored within the country and gave the companies six months to comply.
  • October 2018: Mastercard starts storing data at a facility in Pune to comply with the guidelines but it still processes a part of each Indian transaction through data centres abroad, and later, transfers and stores that data in Pune.
  • April 2021: Sources informed Reuters that RBI was unsatisfied with a “system audit report” submitted by Mastercard’s auditor Deloitte. The audit was vague about the time Mastercard took to purge Indians’ card data that is processed abroad before being stored locally.
  • May 2021:American Express and Diners Club are banned from issuing new cards for violating the 2018 rules. It was the first time that the central bank issued sanctions against card network companies and payment operators in India due to non-compliance with the data storage norms.
  • July 2021:  Mastercard had been given multiple extensions to submit clarifications. The ban was enforced after the company requested another extension after the one till July 9 expired. 

The subsequent impact of the ban

The ban issued on July 22 prevented Mastercard from issuing new cards—debit, credit, and prepaid— to domestic customers. It did not affect existing customers. 

The ban impacted the capacity of banks such as RBL Bank and Yes Bank to issue new cards to their customers. RBL Bank said in a disclosure that it has started issuing cards on the Visa network. RBL Bank is the fifth largest credit card issuer in India with a five percent market share.

Yes Bank issues cards only on the Mastercard network, according to its website and information from Samsung Pay. The ban is likely to hamper its ability to issue new cards to prospective customers.

Also read:


Have something to add? Subscribe to MediaNama and post your comment

Advertisement. Scroll to continue reading.
Written By

I cover several beats such as Crypto, Telecom, and OTT at MediaNama. I can be found loitering at my local theatre when I am off work consuming movies by the dozen.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ