“Notwithstanding the lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data,” the central bank said in its note.
Indian regulations require all foreign payment operators to store card and customer-related data on servers physically located in the country.
Mastercard didn’t respond to ET’s queries.
The central bank had issued its data storage notice in April 2018, and given all system providers six months to enforce these norms. The central bank said that Mastercard’s existing customers won’t be impacted because of these restrictions.
“This order will not impact existing customers of Mastercard. Mastercard shall advise all card issuing banks and non-banks to conform to these directions,” said the central bank note.
Mint Road had taken a similar action in April against card scheme operators American Express and Diners Club. They were barred from onboarding new customers in India because of non-compliance with data localisation mandates.
Mastercard is registered as a Payment System Operator authorised to operate a card network in the country. Other leading card networks in India include US-based Visa and National Payments Corp of India’s RuPay. India has a total of 62.3 million credit cards and 902.3 million debit cards in circulation.
ET had reported in March that the central bank had tightened its supervisory norms for payment companies storing customer data in India amid a slew of cyber-security breaches at tech start-ups.
All payment system operators from FY22 were mandated to submit detailed “compliance certificates” to the central bank twice a year, confirming adherence to all RBI regulations around security and storage of payment data. RBI had asked for these certificates to be submitted on April 30 and October 31 every year.
These requirements are over and above those mandated by the central bank in April of 2018, when it asked all payment companies to submit board-approved annual System Audit Reports (SAR) by CERT-empanelled auditors.
These companies were also asked to submit a one-time report on compliance with data localization norms mandating that data relating to payments in India be stored in a server physically present in the country by December of 2018.
“All System Providers were directed to ensure that within a period of six months the entire data (full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India,” the central bank said in its circular on Wednesday.