Following the demonstration of “satisfactory compliance” with the data localisation norms, the Reserve Bank of India (RBI) on November 9 lifted the restrictions imposed on Diners Club in April, allowing the company to restart onboarding new credit card customers in India.
Although Diners has a paltry market share in India’s credit card space, its compliance with the regulations currently makes it the only other international card issuer in India along with Visa because both, American Express and Mastercard, continue to be under the RBI’s restrictions.
MediaNama has reached out to Diners Club and HDFC Bank, which is the sole issuer of Diners Club cards in India, asking details on when they will start reissuing cards and the proposed plan to make up foregone market share. We will update this report once we receive a response.
American Express and Mastercard are still under restrictions
At the time, an American Express spokesperson told MediaNama that the company is in regular dialogue with RBI about the data localisation requirements and has demonstrated its progress towards complying with the regulation.
Meanwhile, Mastercard in August said that it has complied with the local data storage norms laid down by the RBI and has filed a new audit report:
“When RBI required us to provide additional clarifications about our data localization framework in April, 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance. We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard’s statement read.
The restrictions on Mastercard resulted in many banks shifting to Visa, including RBL Bank and Yes Bank, which used to solely rely on Mastercard. The issue also reportedly irked the US government and a senior US trade official termed the move as “draconian.”
In an issue unrelated to data localisation, RBI had also barred HDFC Bank from issuing new cards in December 2020 but lifted this restriction in August this year.
What are the data localisation norms of RBI?
In April 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India:
- Entire data relating to payment systems must be stored in a system only in India
- Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
- Furnish the System Audit Report (SAR) by CERT-IN empanelled auditors by December 31, 2018
However, in June 2019 following concerns raised by the industry, RBI went on to clarify the guidelines:
- What data should be stored in India? The central bank elaborated on data that had to be stored in India mandatorily:
- Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
- Payment sensitive data: Customer and beneficiary account details
- Payment credentials: OTP, PIN, passwords, etc.
- Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
- Applicable to: The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorized by the RBI.
- Data processed outside: The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.
- Leaked Emails Reveal US Government Irked By RBI For Its Ban On Mastercard: Report
- Visa Has Fully Complied With RBI’s Data Localisation Mandate: Report
- Tamil Nadu Government Plans To Apply For Payments Bank License: Report
- RBI Allows Card On File Tokenization In Relief To E-Commerce Companies
Have something to add? Post your comment and gift someone a MediaNama subscription.