Given the risks associated with merchants storing credit card details of consumers, RBI is taking the right approach in wanting to disallow this. The central bank is understood to have turned down a demand from payment gateways (PG) who want the forthcoming set of rules relating to credit transactions to be easier on customers. But, while it may be inconvenient to enter a 16-digit card number every time one carries out a transaction—as opposed to simply authenticating it with the CVV and an OTP—the central bank is right in putting safety above convenience. After all, details of the customers’ cards are being stored in the servers of merchants that are vulnerable to breaches. Personal information could be stolen and sold without the regulator being able to do much about it since it can’t really assert its authority over the merchants.
In fact, in the soon-to-be finalised rules, RBI puts the onus on Payment Aggregators (PA) to make sure the merchants to whom they are providing payment aggregation services are not saving the customer card and related data. To be sure, suggestions that alternative technologies beyond encryption, such as tokenisation, be explored are valid. However, until the technology is a proven one, it is best to err on the side of caution. The servers and data centres of PGs and PAs must be located within India. Authorised card operators will be allowed to store card details to enable them to process redressals and chargebacks, but the use of this data is limited.
Regulations on the storage and use of data might seem stringent, but the risks of being lenient are too high. Recently, Mastercard was barred by the central bank from acquiring new credit card customers for not complying with the data storage rules; American Express too had faced similar restrictions. Until pacts are in place—Bloomberg reported recently the US is working to streamline rules for cross-border exchange of data and proposals are under consideration for a digital trade deal with economies in the Asia-Pacific region—data must be stored locally.
For the moment, though, the rules will understandably be onerous on foreign companies, which must decide whether the costs of falling in line, so as to be able to run a business in India, are worth it. RBI, for its part, must continue to do what it feels is in the best interests of preventing money laundering and safeguarding the system from other malpractices. It is not just India; other countries in the Asia Pacific region also insist data be kept locally, with no copies in another country. If the data is sent out for processing, it needs to be brought back within a specified time. In India, other regulators too have put in place strict norms to ensure data is stored safely. IRDAI, for instance, has restricted the outsourcing of some functions like banking, legal and courier services by insurers and insists all original policyholder records be maintained in India. MeitY has made it compulsory for government departments that procure cloud services to write into their contracts conditions that mandate storage of data and computational results within the country. Allowing data to escape overseas is not desirable.