This article is more than 1 year old
India lets Mastercard issue new cards again
Compliance with onshore data storage laws took almost a year – far longer than India has given the rest of the tech world to comply with infosec changes
India’s Reserve Bank has lifted its ban on Mastercard issuing new cards within the nation.
The ban was imposed in July 2021 when the Bank (RBI) found Mastercard to be “non-compliant with the directions on Storage of Payment System Data”.
Those directions were issued in April 2018 and gave banks and payment systems six months to store “full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction” on Indian soil. If a transaction involved a foreign entity, replication of data offshore was allowed.
On Thursday the RBI announced that Mastercard had become compliant, so was allowed to resume issuing new cards in India.
India’s enormous size, and rapid modernisation, make it an attractive market. The nation’s increasing de-emphasis of cash payments – in 2016 it barred use of its highest-value banknotes in an effort to reduce corruption by making the cash economy deal with wads of smaller-denomination bills – also make it an important target for payments players.
Mastercard will be mightily relieved to have been allowed back in.
- Malaysia-linked DragonForce hacktivists attack Indian targets
- Infosys celebrates first birthday of glitchy Indian tax portal by fixing another bug
- BSA kicks multiple holes in India's infosec reporting rules
- Another VPN quits India, as government proposes social media censorship powers
News of Mastercard’s return came in the same week that a third VPN – this time, NordVPN – quit India because it feels compliance with the nation’s new infosec Directive requiring extensive logging and reporting of infosec matters is not possible.
The Directive, announced in April with compliance required on June 27th, call for verbose logging of users’ activities on VPNs or clouds, requires most entities operating in India to report adverse security incidents within six hours of their discovery, and even specifies which network time protocol servers it is permissible to use within India.
Local organisations and international lobby groups alike have pointed out the rules are problematic on grounds of privacy and the imposition of enormous compliance burdens that must be achieved within two months.
The Register offers that recap in light of Mastercard’s restoration: the giant credit card company had six months to become compliant with data storage requirements introduced in 2018 and almost three years later managed to end up on the wrong side of the law.
Good luck to all Indian readers working to meet the deadlines set in the Directive. ®