India Bans Mastercard From Adding New Customers (techcrunch.com)
Reserve Bank of India has indefinitely barred Mastercard from issuing new debit, credit or prepaid cards to customers in the South Asian market over noncompliance with local data storage rules. TechCrunch reports: The South Asian market's central bank said the new restrictions will go into effect on July 22. "Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be noncompliant with the directions on Storage of Payment System Data," RBI said in a statement Wednesday. The new order won't impact existing customers of Mastercard, which is one of the top three card issuers in India, RBI said. "Mastercard shall advise all card-issuing banks and non-banks to conform to these directions," it said. This isn't the first time India's central bank has penalized a firm for noncompliance with local data-storage rules, which were unveiled in 2018 and mandated compliance within six months. The rules require payments firms to store all Indian transaction data within servers in the country. In April, RBI restricted American Express and Diners Club from adding new customers, citing violation of the same rules.
Fetters are for the weak. (Score:2)
Visa, Mastercard and several other firms, as well as the U.S. government, have previously requested New Delhi reconsider its rules, which they have argued are designed to allow the regulator “unfettered supervisory access.”
It's so obvious I don't even need to point it out.
What about derived data? (Score:4, Interesting)
Do these laws say: "F U you can't combine Indian data with other data in some analysis server elsewhere, even if you have a copy of the data on India-resident servers?"
Does the law say this data shall ONLY be stored on India-resident servers, or just that a copy shall be stored there?
Re:What about derived data? (Score:5, Informative)
The law is "Must be stored and processed only in India"
> Do these laws say: "F U you can't combine Indian data with other data in some analysis server elsewhere, even if you have a copy of the data on India-resident servers?"
Yes. The data must not leave the country.
> Does the law say this data shall ONLY be stored on India-resident servers, or just that a copy shall be stored there?
Yes. The word "only" is included.
Chapter 7 of the law covers the limited cases in which data may be processed out-of-country, with approval from the central government, and opt-in approval from each person whose data is to be processed. The processing must be done in a region with laws compliant with required protections outlined in the bill.
Ref: https://www.lawfareblog.com/ke... [lawfareblog.com]
Bill Text: https://drive.google.com/file/... [google.com]
Re: (Score:2)
Certainly not an expert on Indian politics, but I think it's twofold. It is an attempt to keep Indian PII within India, but I believe that the Indian government also gave themselves the rights to access any data stored within their borders. IIRC, there have been incidents where the government demanded encryption keys (Blackberry for one, not sure on others) to make sure they have access.
So it probably is an effort to keep Indian PII in India - where the government can more conveniently troll through it.
Diners Club? (Score:1)
Is Diners Club even still a thing? Seriously.
As far as MasterCard goes, I'm pretty sure their holdings are more valuable than the total income of India.
Re: (Score:2)
The first rule of Diners Club is that you don't talk about Diners Club. Especially not with the hoi-polloi.
What about conflicting attributions? (Score:2)
An EU citizen buys a bottled water from a store while traveling in India, pays with their EU issued Mastercard...
> The rules require payments firms to store all Indian transaction data within servers in the country
I guess we'll just keep pretending corner cases like these don't exist.
Re: What about conflicting attributions? (Score:4, Interesting)
In such cases, MC can pay the bill from accounts it holds within India, transfer its own funds from abroad, then debit the EU account. There are ways to comply and keep the Indian accounts entirely on Indian servers. It might make it impossible for the EU citizen to reverse the transaction.
Re: (Score:3)
That works until the EU decides all transactions involving EU citizens must be stored and processed in the EU (which might already be the case but IANAL).
Re: (Score:3)
Then debit and credit cards stop working across jurisdictions - the international banking network ceases to exist.
Re: What about conflicting attributions? (Score:2)
Or until we start signing international treaties on data privacy.
Re: (Score:2)
Sorry, but it's actually both EU and Indian. The attribution is a merger of both the payment card and the merchant account. Accounting systems are built to be cross referential. You can't have a successful double entry transaction without debiting the payment card account ledger and subsequently crediting the merchant account ledger.
Covid? (Score:1)
Re: Covid? (Score:2)
A government is large enough to focus on multiple things at once.
Re: (Score:2)
And which country should NOT be more focused on Covid? :) :)
Australia? UK? All the EU ones? Japan? Singapore? USA?
Making excuses for large corps, or anyone for that matter, flouting the law, is a very slave mentality complex.
I can understand if you object to a homeless guy being asked to follow some law or a struggling startup being hit with red tape or taxes etc. But even you can't flout the law you don't agree with. That's a very basic concept. Most people know it.
Even if you are not "aware" of a law
Control (Score:2)
It is about control.
If your financial data is contained in the country, then your ability to use those finances is also limited to that country's rules. This might sound nice, but as we move to a "cashless" future, more government control without civilian oversight = more potential for abuse, at least life-altering mistakes.
Sure, what a citizen does abroad is probably not the government's business. But it is not the big issue here. Even with the best rules, the workers who have access to data are prone to