In a series of moves in 2021, the Reserve Bank of India (RBI) indefinitely barred Mastercard, American Express, and Diners Club from issuing new debit, credit or prepaid cards to customers over noncompliance with local data storage rules. The business restriction allowed the firms to continue to serve their existing customers in the country. India lifted the ban on Mastercard in June 2022.
According to the official statement of the bank, in view of the satisfactory compliance demonstrated by American Express with the RBI circular on Storage of Payment System Data, the restrictions imposed on onboarding of new domestic customers have been lifted with immediate effect.
The resumption of American Express’ business in India should provide a boost to the local banks and fintechs that for over a year have been able to largely offer customers debit and credit cards powered by Visa and Rupay, a homegrown card network that is promoted by the National Payments Corporation of India, a special body of RBI.
Unveiled in 2018, the local data-storage rules require payments firms to store all Indian transaction data within servers in the country. Visa, Mastercard, and several other firms, as well as the US government, previously requested New Delhi to reconsider its rules, which they argued were designed to allow the regulator unfettered supervisory access.
This data should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message/instruction.
The directions are applicable to all Payment System providers authorised/approved by the RBI to set up and operate a payment system in India under the Payment and Settlement Systems. The responsibility to ensure compliance with the provisions of these directions is on the authorised/approved Payment System Operators (PSOs) to ensure that such data is stored only in India as required under the above directions.
Upon the update that came into effect in January 2022, cardholders may have to enter their 16-digit card number every time they shop online as opposed to entering the one-time password (OTP) and card verification value (CVV).
The RBI is proposing another rule change that regards banning the storage of payment card numbers by online merchants, payment aggregators, and ecommerce websites. This decision has caused a lot of noise within the payments industry, with several players worrying that the customer experience might be affected. At the same time, tokenization has been brought into the discussion as a solution to the friction that might be added when entering payment details at the checkout.
RBI had also issued a final circular that made card tokenization mandatory from 1 January 2022. As per the latest country’s central bank guidelines, only card schemes and card-issuing banks have access to and can store cardholders data, while merchants and payment aggregators can keep the data only in a tokenized format.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now