“In view of the satisfactory compliance demonstrated by American Express Banking Corp. with the circular on Storage of Payment System Data, the restrictions imposed on on- boarding of new domestic customers have been lifted with immediate effect,” the central bank said in a notification.
Last year, the RBI had barred three US-based card networks – MasterCard, American Express and Diners Club International – from issuing new cards in India as these companies were perceived to be noncompliant with local data storage rules. The ban on MasterCard was lifted in June this year while the restrictions imposed on Diners Club were lifted last year in November.
As per RBIs rules, all foreign payment operators storing card and customer related data must do so in servers physically present in India. This rule was introduced by the RBI through a circular issued in April 2018. The rules give the latitude to foreign payment processors to transfer card storage data abroad for smoothing flow, provided this data is deleted within 24 hours.
All card issuers were mandated to submit detailed “compliance certificates” from FY22 to the central bank twice a year, confirming adherence to all RBI regulations around security and storage of payment data.
These requirements are over and above those mandated by the central bank in its 2018 circular, which asked these companies to submit board-approved annual System Audit Report (SAR) by CERT-empaneled auditors.
These companies were also asked to submit a one-time compliance report with data localization norms, which mandated data relating to payments in India to be stored in a server physically present in the country by December 2018.