Should card data storage with merchants, payment aggregators and payment gateways be prohibited?


Should card data storage with merchants, payment aggregators and payment gateways be prohibited?, Renuka Sane, Ajay Shah, Bhargavi Zaveri, xKDR Working Paper 3, May 2021


In March 2020, the Reserve Bank of India’s guidelines on Payment Aggregators and Payment Gateways prohibited merchants from storing data on cards used by customers. This paper argues that a total prohibition on card data storage is problematic as it affects the ease of transactions for consumers, and effectively tilts consumer preference towards other payment instruments. This runs the risk of technological choices in the industry being made or substantially shaped by the regulator. The documents released lack a cost-benefit analysis of this prohibition and do not demonstrate that the chosen intervention is the best one. This raises concerns in the light of emerging Indian jurisprudence on the standards of regulatory governance to be met by statutory regulatory agencies. We show alternative approaches to address concerns relating data breaches of card information stored by consumers on websites. These include better security standards, tokenisation, and liability frameworks.


Research paper


In the public domain

Should consumers be restricted from storing their card data on the internet?
by Renuka Sane, Ajay Shah and Bhargavi Zaveri
The LEAP Blog,
26th May 2021