Mastercard has been forbidden from issuing new debit or credit cards to domestic customers in India due to ongoing violations of data storage rules.
The Reserve Bank of India (RBI) announced the indefinite ban will go into effect on 22 July 2021 following Mastercard’s continued non-compliance with data storage laws dating back to 2018.
As a rule, private companies access and—in many cases—monetise personal payment data from cashless transactions going back months or years as part of their business model. India’s data storage laws require all data on Indian payments to be stored within the country to allow regulators ‘unfettered supervisory access’.
Notwithstanding the lapse of considerable time and adequate opportunities being given, the entity [Mastercard) has been found to be non-compliant with the directions.
This development follows bans on American Express and Diners Club International beginning in April 2021 and stemming from similar violations. While these are relatively minor players in the payment arena, Mastercard is far more significant, accounting for over 400 million of India’s 900 million debit cards as of June this year.
Cashless payment providers operating in India are responsible for ensuring full end-to-end transaction details and customer information for a rolling period of six months are stored exclusively within India. The guidance—issued 6 April 2018—also requires a report of compliance to the RBI and the submission of an approved System Audit Report. These criteria have reportedly not been met by Mastercard.