India’s central bank to stop digital platforms from storing card details
The Reserve Bank of India (RBI) has published a set of “master directions” to stop online merchants, payment aggregators and e-commerce website from storing debit and credit card details.
As reported by Business Insider, from July this year, customers will either have to memorise their card details or keep their cards handy when shopping online.
“Web applications providing the digital payment products and services should not store sensitive information in HTML hidden fields, cookies, or any other client-side storage,” RBI’s circular read.
The central bank puts its decision down to an effort “to avoid any compromise in the integrity of the data”.
It will affect players as large as Amazon, Zomato, Google, PayTM, Netflix and Flipkart. A host of these firms have written to the RBI asking to be omitted from the incoming regulations.
India’s regulators are famously cautious when it comes to how firms store data. WhatsApp Pay finally landed the green light to launch in India last November, after delaying launch since its beta testing in 2018.
Regulators requested Facebook to host all payments data pertaining to Indian consumers in the country, as opposed to in the US. It also asked the Big Tech to keep Indian customers’ data separate from all other Facebook data.
In the name of security?
The RBI’s latest rules were anticipated by Indian IT lobby NASSCOM back in January. It pointed out how hard it would make basic functions such as complaint, refund, or dispute resolution.
The lobby group also suggested the regulator’s intentions didn’t necessarily match its actions.
“While it appears that these restrictions have been imposed for the purposes of ensuring security and fraud prevention, it is unclear as to how limiting data storage will achieve this purpose,” NASSCOM said.
India was second only to Japan in the number of cyberattacks faced last year across Asia Pacific. That’s according to an IBM report. India alone accounted for accounting for 7% of all attacks in the region.
This perhaps explains why the RBI is taking a cautious approach to data storage. As often, serious data breaches can compromise card details.
Though as NASSCOM also points out, the RBI could tackle this with stricter storage regulations. As opposed to an outright ban on storing data altogether.