The Reserve Bank of India is causing stress for international credit card networks. The country is feverishly pushing RuPay, the domestic payment brand and as it does, India has an unusual mandate. The Economic Times reports that Mastercard and other brands have been directed to move all data onto servers located within India. Networks must also purge Indian transaction data from non-Indian based servers.
- In April the Reserve Bank of India issued a new regulation, which came into effect from October 16, requiring payments companies to store all information about transactions involving Indians solely on computers in the country.
- Porush Singh, Division President, South Asia, MasterCard, said Mastercard is operating in over 200 countries, and nowhere else it has been asked to delete data from global servers
- No other country has asked us like that. No other country in the world has asked us the data to be deleted from the global server and the reason why it is a concern for us because that would be weakening of the safety, security over a period of time,” Singh said.
The localization mandate is one thing, but the data purge is out of step with the rest of the world. Network resistance is based on keeping transaction data in a fluid environment for risk management purposes, not to isolate the data from the rest of the world.
The practice in Europe is that servers must be in Europe but backup data may reside abroad. Many firms pick Ireland, Germany, or France since Brexit will probably cause a shift from the United Kingdom.
Article 45 of the General Data Protection Regulation allows for the free movement of data. Although Personally Identifiable Information (PII) and servers must reside in Europe for that market, redundant data may be permitted outside of Europe provided the country has “adequate” data protection rules. That is workable for payment networks.
RBI’s recent announcement, for data to reside only in a specific country, accommodates the domestic RuPay payment scheme but emasculates the global n
For a deep dive on the Indian credit card market, see Brazil, Russia, India, and China: Payment Developments in the BRIC Countries ; for information on GDPR, please see General Data Protection Regulation: The European Union’s Cross-Industry Approach to Data Protection.
Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group