wordpress blog stats
Connect with us

Hi, what are you looking for?

Mastercard looks to reverse RBI ban on issuing new cards in India with its latest audit report

The RBI guidelines that Mastercard failed to comply with, state that customer data, payment sensitive data, and transaction data have to be stored in India.   

We missed this earlier: Mastercard has complied with the local data storage norms laid down by the Reserve Bank of India (RBI) in 2018, the company informed MediaNama. The payments company added that it filed a new audit report on July 20 to notify the central bank of its compliance.

“When RBI required us to provide additional clarifications about our data localization framework in April, 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance. We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard’s statement read. 

According to a Reuters report, the audit report was submitted after the RBI barred Mastercard from adding new domestic customers in India onto its card network on July 14. The report, citing sources, also said that the RBI was reviewing the new audit report. 

Why it matters? India has registered a sizeable growth in its payments ecosystem over the past few years. Despite this, major players like Visa and Mastercard had not made arrangements for the storage of payments information in India. According to the RBI, it is “important to have unfettered supervisory access to (payments) data to ensure better monitoring on a continuous basis.” A report in the Times of India explains that the central bank wants to insure itself against the possibility of losing access to data if payments services host it in another country.

Details of the RBI order mandating data localisation

In 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India: 

Advertisement. Scroll to continue reading.
  • Entire data relating to payment systems must be stored in a system only in India 
  • Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
  • Furnish the System Audit Report (SAR) by CERT-IN empaneled auditors by December 31, 2018

However, in June 2019 following concerns raised by the industry, RBI went on to clarify the guidelines:

  • The central bank elaborated on data that had to be stored in India mandatorily:
    • Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
    • Payment sensitive data: Customer and beneficiary account details
    • Payment credentials: OTP, PIN, passwords, etc.
    • Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
  • The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorised by the RBI.
  • The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.

What led to the RBI ban on Mastercard? 

A brief timeline precipitating the ban, according to a Reuters report:

  • April 2018: RBI conveys to all payments system operators in India to ensure payments-related data is stored within the country and gave the companies six months to comply.
  • October 2018: Mastercard starts storing data at a facility in Pune to comply with the guidelines but it still processes a part of each Indian transaction through data centres abroad, and later, transfers and stores that data in Pune.
  • April 2021: Sources informed Reuters that RBI was unsatisfied with a “system audit report” submitted by Mastercard’s auditor Deloitte. The audit was vague about the time Mastercard took to purge Indians’ card data that is processed abroad before being stored locally.
  • May 2021:American Express and Diners Club are banned from issuing new cards for violating the 2018 rules. It was the first time that the central bank issued sanctions against card network companies and payment operators in India due to non-compliance with the data storage norms.
  • July 2021:  Mastercard had been given multiple extensions to submit clarifications. The ban was enforced after the company requested another extension after the one till July 9 expired. 

The subsequent impact of the ban

The ban issued on July 22 prevented Mastercard from issuing new cards—debit, credit, and prepaid— to domestic customers. It did not affect existing customers. 

The ban impacted the capacity of banks such as RBL Bank and Yes Bank to issue new cards to their customers. RBL Bank said in a disclosure that it has started issuing cards on the Visa network. RBL Bank is the fifth largest credit card issuer in India with a five percent market share.

Yes Bank issues cards only on the Mastercard network, according to its website and information from Samsung Pay. The ban is likely to hamper its ability to issue new cards to prospective customers.

Also read:


Have something to add? Subscribe to MediaNama and post your comment

Advertisement. Scroll to continue reading.
Written By

I cover several beats such as crypto, telecom, and OTT at MediaNama. I will be loitering at my local theatre and consuming movies by the dozen when I am off work.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ