“Double registration by MasterCard led to RBI ban”

Mumbai: The Reserve Bank of India banned MasterCard Inc. from issuing new cards in India after discovering that the large US payment company was storing customer data on servers outside the country and not deleting the Indian portion of the transaction data from the foreign servers within 24 hours as agreed, three sources familiar with the matter told ET.

The card network may also have violated the central bank’s requirement to appoint a national examiner, certified by the country’s national cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), to conduct its audit.
“Some of the transaction data is held in India, but a significant amount of the information related to transaction processing and fraud checking comes from geography. In fact, it is a duplicate record and the regulator disagrees with that,” a senior bank official with knowledge of the matter told ET.
In response to a query from ET, MasterCard said it has been working with the regulator on an ongoing basis, including regular submission of audit reports from the system, and that it expects a speedy resolution.
“When RBI asked us for additional clarifications on our data localisation framework in April 2021, we asked our state-integrated accounting firm to address these issues,” said MasterCard. “This report was somewhat delayed and was submitted to RBI on July 20, 2021. We hope that this latest filing provides the representations and knowledge necessary to address your concerns and reach a resolution on this matter.”

Responding to the RBI in a press release last week, MasterCard said it was “disappointed” with RBI’s stance and was “fully committed to legal and regulatory obligations.”
Last week, the central bank imposed regulatory restrictions barring MasterCard’s card network in India from adding new domestic debit, credit or prepaid customers starting July 22. The regulator’s oversight measure cited “failure to follow payment system data instructions.” These restrictions apply only to new MasterCard cards, not to the cards existing customers already have.

According to this rule, all payment providers that store card and customer-related data must do so on servers that are physically located in India. The RBI introduced the rule in a circular from April 2018. Data may be stored abroad for smooth processing, provided this data is deleted within 24 hours.
“The inability of MasterCard to store payment details in India has been determined by the RBI,” said a person familiar with the matter. “Typically, companies like MasterCard have strong fraud risk engines that collect data from various switches around the world to prevent cross-border cloning or phishing attacks,” the person said, adding that MasterCard’s insistence on saving data abroad put it on the wrong side of Indian regulations.

According to the person, MasterCard wanted the external audit to be performed by the external auditor hired by its global entity. Those terms were not accepted by the RBI, which then imposed the curbs, the person added.

“Some of the data on processed transactions has been relocated to India and MasterCard is using it for defence, but RBI wants it to be stored locally in the country,” said a third source, an industry executive in payments.

“For its own internal fraud controls, MasterCard sends a copy to its international servers to eliminate malicious transactions,” the person added.

MasterCard is registered as a payment system operator (PSO) authorised to operate a card network in the country under the PSS Act. Other leading card networks in India include the US-based Visa and National Payments Corp of India’s RuPay. There are a total of 62.3 million credit cards and 902.3 million debit cards in circulation in India.

India’s central bank had tightened the data retention rules for PSOs in India through a notice to the CEOs of all licensed companies in India. ET has a copy of the notice.

Under the rules introduced in March, all PSOs were mandated in FY22 to provide the central bank with detailed “Certificates of Conformity” twice a year, signed by the respective CEOs, to confirm compliance with all RBI regulations regarding the security and retention of payment data.

These requirements are in addition to those set by the central bank in April 2018, when it asked all PSOs to submit an annual System Audit Report (SAR) approved by the board of CERT auditors.

These companies were also asked to provide a one-time report on compliance with the data localisation regulations, which required that payment data in India be stored on a physical server in the country by December 2018.
