RBI on Thursday lifted the restrictions imposed on Mastercard Asia / Pacific Pte. Ltd, vide order dated July 14, 2021, from immediate effect. Last year on July 14, 2021, the regulator imposed restrictions on Mastercard from onboarding new domestic customers including debit, credit, or prepaid onto its card network for non-compliance with the RBI circular on Storage of Payment System Data.
As per the RBI circular dated April 6, 2018, foreign companies were also asked to submit a one-time compliance report with data localization norms which mandate the data relating to payments in India will be stored in a server physically present in the country, by December of 2018. The restrictions were imposed on Mastercard Asia / Pacific Pte. Ltd. from onboarding new domestic customers (debit, credit, or prepaid) onto its card network from July 22, 2021, for non-compliance with the terms of the above circular.
Background
As per the Storage of Payment System Data rule, all foreign payment operators storing card and customer-related data must do so in servers physically present in India. RBI’s payment system data rules are applicable to all foreign payment processors. They can transfer card storage data abroad for smoothing flow provided this data is deleted within 24 hours.
RBI had tightened data storage norms for PSOs (Payment system operators) in India through a notice issued to chief executives of all such licensed companies in India. According to the norms, all PSOs from FY22 were mandated to submit detailed “compliance certificates” to the central bank twice a year signed by the respective chief executives or managing director, confirming adherence to all RBI regulations around security and storage of payment data.
These requirements are over and above the ones mandated by the central bank in April of 2018 where it asked all PSOs to submit board-approved annual System Audit Report (SAR) by CERT-empaneled auditors.