Visa, Mastercard Moving Toward Data LocalizationWill Other Multinational Companies Follow Their Lead?
Global payment companies Mastercard and Visa say they are making progress toward storing all their data on Indians within the country and wiping out data related to Indian transactions that's stored overseas. The moves are an effort to comply with Reserve Bank of India's directive on data localization.
Last year, RBI, the nation's central bank, had directed payment system operators in India to store all their data domestically, with a deadline of Oct. 15, 2018. Many U.S.-based companies lobbied for RBI to relax the directive, but RBI has yet to come out with a new deadline. In the meantime, Visa and Mastercard are gradually moving toward overdue compliance.
Both companies hope to increase their market share in India after losing business last year to local rivals, including RuPay and the Unified Payment Interface UPI.
Some security practitioners and privacy experts in India say the moves by the two payment card companies could lead to data localization compliance by other multinational companies.
"The moves by Mastercard and Visa is a good sign in the right direction and will certainly help to convey a positive message to other companies," says Sandeep Arora, co-founder and CEO at CyberImmersions, a digital forensics and financial advisory firm.
Storing Data Locally
Executives at Visa tell Information Security Media Group that the company began the process of transferring data to India last year.
"We have been storing data locally since the first time RBI announced its decision," a spokesperson from Visa says. "Visa has always been committed to adhering to the regulations of the countries we operate in. In line with our unequivocal commitment to RBI, Visa is focused on ensuring compliance with the requirements for data localization. We are also working around the clock to decouple from our global architecture and are confident of completing this effort soon."
Mastercard says its process of deleting the overseas data of Indian transactions will be completed by the end of this year.
Vikas Varma, Mastercard's senior vice president of account management for South Asia, tells ISMG that the company is setting up a data processing center in Pune. The center will cost about $350 million, and Mastercard plans to invest a total of about $1 billion in India in the next five years, Vermal said.
An Important Market
India is an important market for many global companies.
Earlier this year, the National Association of Software and Services Companies reported that about 400 fintech firms operate in India, boosted in large part by foreign investments in start-up incubators.
NASSCOM predicts that India's fintech software market could reach $ 2.4 billion by 2020.
Despite repeated protests by companies and strong lobbying by U.S. trade bodies, RBI insisted the data localization move was essential to increase financial data security.
RBI made it clear that payment companies who do not adhere to the norms will not be allowed to operate in the country. For example, WhatsApp was not allowed to roll out its WhatsApp Pay service in India because it had not made any provisions to store data locally.
Backers of data localization argue that large multinational corporations can afford the expense.
"Technology and bandwidth areas are fairly advanced, and large multinationals like Mastercard and Visa use the latest solutions," Arora says. "It's not a complex process from a data transfer perspective. It's like a mini-project with relevant resources assigned to it along with interfaces built in with an India data center."
Rahul Sharma, founder of The Perspective, a firm which focuses on cyber policy, notes: "Moving specific data operations from one geography to another for legal compliance raises the cost of operations for businesses, especially starting operations where none existed before. The transition might be time and resource consuming, but once operations are set, it shouldn't be troubling."
One of the primary challenges of data localization is data identification.
"Data identification remains a challenge for most organizations, not only multinationals. There is a lot of unstructured information out there which are not easy to detect," says Maheswaran S, regional director, India and SAARC at TITUS, a cybersecurity firm.
Maheswaran suggests machine learning can play an important role in data identification. "Organizations can leverage machine learning, where they appoint data stewards for each business function and identify critical information which cannot be done through logic," he says.
Some security experts argue that for massive companies like Visa and Mastercard, complying with data localization requirements should not be a major challenge.
"The only issue was cost, which in the long run will even out," Arora says.