RBI’s ban on new Mastercard cards could boost local data security in India

A 2018 rule requiring that customers’ payment data be stored in India was enforced against Mastercard, American Express, and Diners Club in 2021, as a strong signal India intends to keep customer data in local hands.

data security / padlock / binary code / digital display
Gremlin / Getty Images

In April 2018, the Indian central bank, RBI, issued the Storage of Payment System Data policy, which mandated that all system providers store data related to their payment systems only in India. Recently, RBI barred Mastercard from issuing new cards in India after finding out their customers’ data was located outside the country. Earlier, in April 2021, RBI barred American Express and Diners Club from adding new customers for six months due to their violation of the local data-storage rules.

Also, RBI will now regularly follow up on compliance and may impose similar bans or other penalties in case of lapses. For RBI, data security is nonnegotiable, and customer data is subject to the laws of the country in which it is collected or processed and must remain within its borders—India, in this case.

Implications for tech providers, IT organisations, and financial institutions

Mitali Nikore, an economist and founder of the analyst firm Nikore Associates, says, “In the medium term, setting up of local data centres can provide a fillip to the IT sector.” The need for local data centres is a consequence of the Storage of Payment System Data policy. “The draft Data Centre Policy is a welcome step in this direction. If implemented correctly, this policy and the data localisation regulation, the Storage of Payment System Data policy, can help India become a leading data storage and processing country,” she tells CSO India. Nikore advises advises public and private sector entities including the World Bank, Asian Development Bank, and UN Women.

With the development of local data centres, India can attain competitive advantage over others in terms of data management, Nikore says. This would further facilitate the development of data centre economic zones, promote IT R&D, and encourage adoption of global standards while also boosting local manufacturing for IT and non-IT related materials.

Nikore notes that the Mastercard ban also will help the local Indian payments provider Rupay. “It already has a commanding footprint in Tier 1 cities which can spill over to Tier 2, Tier 3, and perhaps even Tier 4 cities now. For instance, the linkage of the Jan Dhan Scheme with Rupay already provides it with a foundation of approximately 500 million to 600 million users, which it can grow without much competition.” The ban on new Mastercard cards could help other providers as well, she says. “We could witness the emergence of private players like Paytm as well. Perhaps, in the absence of Mastercard, these players can come up with bouquet payment services, such as Alipay in China.”

The ban on new Mastercard cards also affects existing bank customers, says Jaya Vaidhyanathan, CEO of risk-management technology provider BCT Digital. “The few banks who had their entire or majority of the cards on Mastercard would face challenges in payments, as the integration with the new network would take a few months. Additionally, for these banks, liability account acquisition will witness an adverse impact, as the debit card issuance will be affected.”

As you would expect, “Mastercard is also rushing in to comply with local storage requirements and be back in business,” Vaidhyanathan says.

Next steps for personal data protection in India

The Storage of Payment System Data policy is not the only government action to safeguard customer data in India. The Personal Data Protection bill introduced in 2019 set rules for personal data processing and storage, and listed people’s rights with respect to their personal information.

Data has become a crucial asset in the digital economy, according to Bharat Panchal, chief risk officer for APAC, and Middle East & Africa for global financial technology provider FIS.

“During the pandemic, India has seen a huge spurt in digital banking and thus we have become one of the most data-rich countries. Considering future data growth, the April 2018 regulation from RBI was very clear that all payments providers need to align with the data sovereignty laws of India, as they engage in business,” he says.

Given these existing laws and the stepped-up enforcement, as businesses are becoming more data-driven, they should take data protection seriously, Panchal says.

For example, IT specialists need to create systems and policies for dealing with data compliance. Also, companies should gain customers’ trust about their data is being protected and creating transparency, such as by update customers on their security and giving them options to opt out of data collection.

“Banks need to religiously comply these norms and also ensure that wherever their data flows, all their partners are also compliant,” Panchal says. “In long run, all sectorial regulators (SEBI, TRAI, IRDAI, etc.) may adopt similar regulations for secure data handling. While the transition to a digital economy in India is ongoing, the handling of personal data has already become ubiquitous. Hence a personal data protection law is needed on priority to administer the accumulation, storage, and processing of data by public and private entities.”

On the technology side, the pandemic made companies move towards the scalability and accessibility of cloud platforms to assist a fully distributed workforce. To support local storage requirements and do so securely, they can implement data sharding—a process which breaks up large data tables into smaller chunks, called shards, that are spread across multiple servers deployed in multiple locations in India. Storing data locally also reduces network latency and improves speed. Large corporates are bringing their own power generation and distribution capacities as well, which should reduce the cost of data centres significantly.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)