Should consumers be prohibited from storing card data on the internet?

Renuka Sane, Ajay Shah, Bhargavi Zaveri

In March 2020, the Reserve Bank of India's guidelines on Payment Aggregators and Payment Gateways prohibited merchants from storing data on cards used by customers. This paper argues that such a prohibition on card data storage affects the ease of transactions for consumers and effectively tilts consumer preference towards other payment instruments. This runs the risk of technological choices in the industry being made or substantially shaped by the regulator. The documents released lack a cost-benefit analysis of this prohibition and do not demonstrate that the chosen intervention is the best one. This raises concerns in the light of emerging Indian jurisprudence on the standards of regulatory governance to be met by statutory regulatory agencies. We show alternative approaches to address concerns relating to breaches of card information stored by consumers on the internet. These include better security standards, tokenisation, and liability frameworks.

Citation: Should consumers be prohibited from storing card data on the internet?, Renuka Sane, Ajay Shah, Bhargavi Zaveri, xKDR Working Paper 3, May 2021


In the public domain

Ajay Shah's interview, with Harsh Kumar and Mannu Arora, in The Economic Times,
17th August 2021
Did the central planning end in 1991?
by Ajay Shah
Business Standard,
12th July 2021
Should consumers be restricted from storing their card data on the internet?
by Renuka Sane, Ajay Shah and Bhargavi Zaveri
The LEAP Blog,
26th May 2021