Business

mastercard ban: ‘Mastercard’s dual record maintenance led to RBI ban’

Mumbai: The Reserve Bank of India
forbidden Master Card Inc. from issuing a new card in India after it was discovered that the US-based payment company was storing customer data on servers located outside the country and also not deleting it from servers in the country In addition to trading data in India within 24 hours upon request, three sources with knowledge of the matter told ET.

The card network may also not comply with a request by the central bank of India to appoint a domestic auditor certified by the country’s cybersecurity agency — India Computer Emergency Response Team ( CERT-in) —to conduct its external compliance audit, the sources added.

“Part of the transaction data is being kept in India, but a significant part of the information related to transaction processing and fraud detection is going beyond the geographic scope. Effectively, it’s a dual-record maintenance, and that’s something the regulator isn’t okay with,” a senior bank official aware of the matter told ET.

In response to an ET query, Mastercard said it is continuously engaged with the regulator including submitting system audit reports on a regular basis and hopes to have an early resolution to the matter.

“When the RBI asked us for more clarifications about our data localization framework in April 2021, we asked a government-authorized audit firm to address those points. ,” said Mastercard. “That report was slightly delayed and was filed with the RBI on July 20, 2021. We hope that this latest filing provides the reassurance and insight needed to resolve the relationship. their mind and move towards a solution to the problem.”

The RBI did not respond. In a media statement last week, Mastercard said it was “disappointed” with the RBI’s stance and “fully committed to its legal and regulatory obligations” in India.

Central bank last week
impose regulatory restrictions on Mastercard from the introduction of new domestic debit, credit or prepaid customers on its card network in India from July 22. The regulator’s oversight action was due to “non-compliance with directions Guide to Payment System Data”. To be sure, these restrictions apply only to new Mastercard cards, not existing cards held by customers.

Under this regulation, all foreign payment operators store card-related data and customers must do so in servers located in India. RBI introduced this rule through a circular issued in April 2018. Under RBI regulations, foreign payment processors can transfer card storage data abroad for smoothing. process as long as this data is deleted within 24 hours.

“Mastercard’s inability to store payment data in India is something that has been flagged by the RBI,” said one person familiar with the matter. “Typically, for companies like Mastercard, there are powerful fraud risk tools that collate data from different switches around the world to prevent cloning or phishing attacks. between jurisdictions,” the person said, adding that Mastercard’s insistence on storing this data overseas. on the flip side of Indian regulations.

According to the person, Mastercard wants the external audit to be conducted by an overseas auditor appointed by the global entity. This person added, these terms have not been agreed by the RBI.

“A certain part of the data on processed transactions has been moved to India and Mastercard is using it as a defense, but the RBI wants the end-to-end to be stored locally in the country.” , a third source, who runs the payments industry, said.

“For their own internal fraud checks, Mastercard is sending a copy to their international servers to remove malicious transactions,” the person added.

Mastercard is registered as a Payment System Operator (PSO) authorized to operate the card network in the country under the PSS Act. Other top card networks in India include US based Passport and National Payments Corp of India’s RuPay. India has a total of 62.3 million credit and 902.3 million debit card in traffic.

The central bank of India has tightened data storage norms for PSOs in India through a notice sent to the executives of all such licensed companies in India. ET has a copy of the notice.

Under rules introduced in March, all PSOs from fiscal year 22 are required to submit a detailed “certificate of compliance” to the central bank twice a year, signed by chief executives. respective executive or executive officer, certifying compliance with all RBI regulations regarding the security and storage of payment data.

These requirements are higher and higher than those required by the central bank in April 2018, where it required all PSOs to submit an approved Annual System Review Report (SAR). approved by CERT authorized auditors.

These companies are also required to submit a one-time compliance report with data localization norms, where the data request related to payments in India will be stored in a server with present in this country before December 2018.

Also read:
RBI’s Mastercard ban could create monopoly in credit card market in India

RBI has requested the submission of these certificates by April 30 and October 31 of each year. The central bank’s decision to tighten data storage norms earlier this year also drew restrictions from US-based American Express and Diners Club for failing to comply with a similar rule.

Also read:
Decoded: How the latest RBI ban on Mastercard affects you bạn

According to industry sources, Visa and Mastercard together process a significant portion — more than 70% — of India’s credit cards. For debit card issuances, NPCI’s RuPay is arguably the largest card issuer. RBI did not disclose about the breakup.

https://economictimes.indiatimes.com/markets/stocks/news/mastercards-dual-record-maintenance-led-to-rbi-ban/articleshow/84625628.cms | mastercard ban: ‘Mastercard’s dual record maintenance led to RBI ban’

snopx

Inter Reviewed is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – admin@interreviewed.com. The content will be deleted within 24 hours.

Related Articles

Back to top button