December 17, 2018:
On Monday, Global card payments major Mastercard has proposed to the Reserve Bank a “certain” date from which it will start deleting data of Indian cardholders from global servers but warned that it would also mean the weakening of “safety & security” over a period of time.
In an interaction with PTI, Porush Singh, India and Division President, South Asia, MasterCard, said the company is operating in over 200 countries, and nowhere else it has been asked to delete data from global servers.
The Reserve Bank of India (RBI) in April issued a new regulation, which came into effect from Oct 16, requiring payments companies to store all information about transactions involving Indians solely on computers in the country.
Mastercard said all new Indian transaction data is being stored at its technology centre in Pune as of Oct 6, as required by the RBI directive on data localisation. It has given a proposal to the RBI to delete back data from a certain date but is wary of consequences of such a move, including disputes over transactions.
Singh said,”The proposal we have given (to RBI) is that we will delete it (data) from everywhere else, whether it is the card number, transaction details. The data will only be stored in India. we will start deleting that.”
He further said Mastercard has proposed to the RBI that Indian data would be stored locally and nowhere else. The senior Mastercard official, however, added that the company has also informed the central bank about the impact of data deletion.
Singh said,”But we have also said that it does have an impact.No other country has asked us like that. No other country in the world has asked us the data to be deleted from the global server and the reason why it is a concern for us because that would be weakening of the safety, security over a period of time.”
On if the company is seeking any reprieve in complying with the regulations, Singh said the company is planning with the dateline which it has submitted to the RBI.
He added, “I do not want to wait. As far as we are concerned, we have said this is the date earliest we can do. And this is going to be impacted in the longer term which you need to consider.”
When asked if the payments gateway was complying with the RBI directives, Singh said from October Mastercard has started storing a copy of the data.
“The date of (data) deletion (from global servers) is something which is not yet decided as we are waiting for the RBI to confirm back to us,” he said and added “we have proposed a certain date on which we will start deleting the data on a running/regular basis,” said Singh adding that deletion of data is not a simple process like “pressing a button”.
“This is because people can charge you, dispute the transactions, that all in process. It needs multiple players, multiple stakeholders. We have given them (RBI) a proposal and we are waiting for them to confirm back,” he said. When asked what would be the cost of data localisation, Singh said there will be “incremental cost”.
Data localisation requires data about residents to be collected, processed, and stored inside the country, often before being transferred internationally, and usually transferred only after meeting local privacy or data protection laws.