India bans MasterCard from adding new customers (techcrunch.com)
215 points by Garbage 65 days ago | 171 comments



The obsession with where data physically sits at rest is so amusing to me. Not limited to overzealous governments and financial data; healthcare is singularly obsessed with this. It makes no sense whatsoever, of course. I'd much rather store properly encrypted personal information or financial data in North Korea than storing it unencrypted in my home country.

I would understand if they demanded both storage and processing be done in India. Then it's just about control, and the ability to sever MC's India operations from the mother ship in case things go really sour and the US tries to cut India off from the global financial system or something. But since it's just about data at rest, it's nonsensical.

Or am I missing something?


India wants data residency because it wants to apply its own somewhat unique approach to law enforcement to all digital data — financial and otherwise.

This is a country that switches off mobile data (3G and 4G) at the drop of a hat[1], and switched off an entire state’s mobile Internet access for 18 months[2].

This may appear unnecessary and capricious to some especially in the West. However I’m sure pro-Indian government commenters will say “we’re sovereign, our government can do as it likes as it has a democratic mandate” and that is of course true. And that is, in my view, the driver for India’s interest in data residency. Its laws allow its government an enormous degree of latitude to do what it likes. When it has to access foreign data it is often thwarted by EU or US privacy & legal rules, which it feels is unbecoming of a nation as geopolitically important as India.

What I feel about this is that of course India has the sovereign right to do as it pleases, but its messy, ad hoc approach to digital governance won’t win it any laurels and will actually tarnish its reputation. Also, it would be on a much better footing if it passed a decent law on digital privacy, which many have been saying is long overdue — leading to a flourishing unregulated economy in selling Indians’ data[3].

[1] https://www.bbc.co.uk/news/world-asia-india-50819905

[2] https://techcrunch.com/2021/02/05/india-is-restoring-4g-inte...

[3] https://restofworld.org/2020/all-the-data-fit-to-sell/


To expand on this a bit, if you want leverage over companies like MasterCard, Visa, and American Express, it definitely helps to have the data in your jurisdiction. As you noted, they will shut off mobile internet to support the state. If Visa decides that it doesn't want to give the government data on someone's transactions, it helps to have that data in the country.

"Oh, but the data is encrypted." Sure, but the country could literally seize all of the servers and shut down the payment processor. "Hey, American Express, if you don't give us the data we want, we'll simply take your whole payment network offline."

It's a lot harder to pressure a payment network when you don't have physical control - especially if that payment network can challenge you in court. It's easy for the government to shut off mobile networks that are physically present. It's harder for the government to stop traffic from routing to a payment processor whose servers are outside of the country - especially if they have a half-decent security/threat team ready to avoid blocks.

I don't know the laws of India, but it seems likely that the Executive has a certain amount of discretion that can be challenged. However, it's a lot harder to challenge that discretion if your business is offline for a year while you challenge it. Payment processors need to comply with local laws, but if you're a country where the Executive doesn't mind disrupting services, that gives them a huge amount of leverage to get your compliance beyond local laws. If the data is hosted outside of India, it's a lot easier to simply comply with the laws rather than the laws plus whatever the Executive thinks they can claim the laws support.

Ultimately, if the data is stored within India, the Indian government can be an existential threat to their business in the country beyond what the law allows. A company will hand over data rather than seeing its servers seized for a year while a trial ensues. During that year, they'd lose all their customers to competitors and they'd be shut out of the market. Likewise, what if the government "accidentally" damages the data when they lose the trial? If you have 100M customers in a country and each is carrying a balance of $100, that's $10B that people owe. If the government has seized all those records and then damages them, your business is in a lot of trouble.

Data residency gives a government willing to bully companies a lot of power. It's simply a lot harder to access information stored abroad and you have a lot less leverage.


India is fast turning into an Oligarchy where a few have all access. Indian government itself has been involved in selling the data of its citizens to private corporations. https://economictimes.indiatimes.com/industry/auto/auto-news...


> Data residency gives a government willing to bully companies a lot of power. It's simply a lot harder to access information stored abroad and you have a lot less leverage.

You have no clue how much uncontrolled power Indian government has today. This law is brought in to benefit telecom companies and real estate companies. https://www.business-standard.com/article/companies/hiranand...


This argument is tenuous at most. Just because some companies are setting up data centers does not mean that Govt is deliberately forcing data residency to aid them.

It is ok for Europeans to insist on data residency within their shores but not for India? It is ok for Americans to insist on no data to be hosted in Chinese servers but not India?


Still not really buying the physical control of data argument. If you need to force a company like MC to comply, you can always solve that problem at the point of sale, or (like they're doing right now) stop banks, which are firmly under your jurisdiction, from issuing cards. A company will hand over data rather than be banned from operating in the country, just the same.

The amount of leverage you have with data being abroad is approximately the same - you can decree that your financial institutions or businesses are committing a crime when transacting with said company, and that is all.


As far as I can tell, there's a fair bit of difference between "decreed a crime" and "we've backed up a truck to the DC and physically seized your data; do as we say if you want it back".


What is the long- or medium-term difference, to a company like Mastercard? They want to earn profits in India, they have to comply with the Indian government's demands. Case closed.


> And that is, in my view, the driver for India’s interest in data residency.

I thought you were going to go further with that thought. I'm from an African country where the government tried to block social media during protests at DNS level. These efforts were trivially thwarted by using VPNs. The next trick was to cut off the internet entirely - unfortunately for the government, this broke electronic payments and ground the economy to a halt, so the internet blackout lasted a day.

I suspect one of the factors is that India wants to be able to cut itself off from the internet without breaking (payment) systems that have data stored offshore.


> What I feel about this is that of course India has the sovereign right to do as it pleases, but its messy, ad hoc approach to digital governance won’t win it any laurels and will actually tarnish its reputation. Also, it would be on a much better footing if it passed a decent law on digital privacy, which many have been saying is long overdue — leading to a flourishing unregulated economy in selling Indians’ data[3].

You seem to be on a general critique of Indian policy, and also applying it to this specific case. If we untangle those two for a moment, what exactly is messy or ad hoc about this financial data residency requirement? It seems logical to me that local financial data should remain local for legitimate legal reasons (supervision of fraud/criminality being the most obvious ones). Why would this tarnish their reputation?


> leading to a flourishing unregulated economy in selling Indians’ data

At risk of being incredibly inflammatory - this is the first I've heard of bulk Indian citizens' data being worth enough to harvest in the first place - what's changed?


You can see datasets purporting to be, for instance, details about students appearing for various Indian competitive exams for as little as $50-100[1]. Other datasets are costlier, of course.

If you're marketing to that demographic (e.g. potential ads for private colleges, or other courses), your budget won't be super high, but you might well spend a little for a bunch of emails of potential leads.

[1] https://www.reddit.com/r/india/comments/63s18q/student_data_...


All data is capable of being decrypted somewhere. Usually where you are storing it. Otherwise you can't do anything with it.

Storing data encrypted in North Korea, with the capability to fetch and decrypt that data in Sweden, is approximately equivalent to storing the unencrypted data in Sweden (as far as hackers, law enforcement, etc. are concerned), except you've now added the additional risk that North Korea only needs to exfiltrate one encryption key to gain access to all your data.

More reasonably, if you're storing the data in North Korea, that's also where you have the compute, and therefore the decryption keys, and therefore someone in North Korea who knows what they are doing can quietly steal the decryption keys, make a copy of your data, and view all the data unencrypted.

Encryption is only foolproof(ish) when you are sending data between two trusted endpoints. That's not the case for the cloud, the place you are storing the data is also almost always one of the "trusted" endpoints. Encrypting the data at rest has some minor benefits (being a hurdle to accessing the data, meaning that theft of a single hard disk doesn't get data) but doesn't provide any form of unbreakable security.


Usually where you're processing it, not where you're storing it. That's when you need to do something with it.

Encrypting the data at rest has the major benefit of making its physical location completely irrelevant. Transmitting the data while encrypted has the major benefit of making the physical location of all the nodes through which it passes completely irrelevant. Hence the only thing that matters is the geographic location of where the data is processed, because that is where you decrypt it. All privacy laws should be written with that understanding, but they are not. They are written by people who are ignorant of this simple logic, because they don't understand how the Internet works, how encryption works, how routing traffic works and how little it has to do with the borders of countries, etc etc.

Healthcare privacy laws in my country, for example, have this exactly 100% backwards. They force me to store data in my country, but say nothing about where it is processed. And of course there's no hard requirement to encrypt data at rest. It's hard to imagine how you can get this kind of law more wrong.


Physical location and encryption should be treated as two independent protection requirements, both of which have to be met. Just because something is encrypted doesn't mean it is protected, we already have a few encryption schemes that are no longer considered secure and even if you cannot crack a scheme right now there is always the weak link[1] in the chain.

[1] https://xkcd.com/538/


If you used an encryption scheme that is no longer considered secure, the correct response is not to rely on the fact that the server room is under lock and key and your country has, like, really nice laws and stuff. It's to change the encryption scheme.

The XKCD cartoon is another way of stating (part of) my point - it doesn't matter where the stuff is stored (provided you encrypt it properly), what matters is the point at which it can be accessed. A dead owner's encrypted iPhone in the FBI forensics lab is more secure from intrusion by the FBI than an unencrypted hard drive I locked in my basement. Even if I use, like, 10 locks, and they don't (yet) know it's there.


I think the point the parent comment was trying to make was, consider if you are storing data in North Korea; it’s 2010 and your encryption scheme is considered secure.

At some point, North Korea has copied the encrypted data for later data mining.

In 2021 that encryption scheme for some reason is no longer considered secure. Even if you stopped using it in 2014, the data from the time you used it up until you stopped may be compromised.


Only compared to an unencrypted hard drive locked in an American basement.

An unencrypted hard drive stored in a locked Chinese basement is probably quite a bit more secure from FBI intrusion than the encrypted iPhone that they physically possess.

Physical access still matters a lot.


> Storing data encrypted in North Korea, with the capability to fetch and decrypt that data in Sweden, is approximately equivalent to storing the unencrypted data in Sweden

Not if there is rate limiting, or other means of preventing the entire set of data being dumped. That is to say, storing it encrypted makes it harder to get the full set of data. Though, I guess in practice the client application would likely be able to request all of the data from storage.


And the whole point of cornering data at rest is that your client can "no longer access it". It's not about the authorities being able to decrypt that data. It's about hurting your business by making it difficult to continue operations.


No, I can store encrypted data in North Korea without storing any decryption keys there.

I run a Filecoin node and I store the data of approximately 200 clients in my homelab. I don't know who they are, or what they store, because it's all end to end encrypted.

And no -- my clients don't trust me, it's crypto, it's trustless :)


> I'd much rather store properly encrypted personal information or financial data in North Korea than storing it unencrypted in my home country.

What do you mean by "properly encrypted"? MasterCard is not going to let you be the sole holder of your encryption keys. And if you aren't holding them, then they hold them, and then they must be holding them in at least one given country. And that country has the power to force them to turn these keys over.

The power to do this is the goal of this game.


That country already has the power to force them to turn these keys over (or use the keys to decrypt data of interest). Every non-tax-haven country which regulates its financial sector does (so, every country). It's unclear what is added by forcing them to store data locally.


In most cases you can't easily tell that company to hand over data that is held in another country though.


From my understanding (I could be wrong), and why I have to follow all these rules here in Canada, is that the USA made a homeland security law in like 2007 that said law enforcement can have access to any foreign individual's data without a warrant/good reason.

So now when picking services I am not allowed to host on any non-Canadian servers if we are hosting personal information about staff/users etc. It can be a simple event registration system, a survey, or just having to be really careful when using cloud services. I even have to watch out when sharing an innocuous file over Slack.

This really sucked when stuff was moving over to cloud and we wanted to use a lot of hot new stuff, but most providers get it now and provide Canadian servers, so it's not as bad finding compliant vendors.


Ultimately, isn't it the owner of the server who's targeted by the laws? Where the server is really doesn't matter that much.


One thing is that usually the local server would be owned and managed by a local subsidiary of that foreign company - it may even be a requirement, to have them be run by a local company (even if fully owned by a foreign entity) with local responsible officers.

Another issue is establishing jurisdiction; if the server is held locally, then it's clear that local laws apply to things done on that server - the owner of the server can't claim that they e.g. got a US subpoena and did some stuff in USA that fulfills all the USA legal requirements and everything that's it; if the server was physically located in e.g. Canadian soil, then it means that the violation (if any) happened "in Canada" even if it was done by USA-located USA citizens of USA company.


Forcing the data to reside in India forces companies to build data centers (jobs) in India, forces the deployments to be in India, and drives benefits to the local players over international bodies.


Yeah, I suspect that is the logic, such as it is. Quite unburdened with an understanding of how trade works, and seemingly susceptible to the greater fool theory of trade - I'll do it because I'm so smart, but that guy over there won't, and my companies will reap benefits. Not for long.


The Chinese Great Firewall, even though it is primarily meant to not allow info flow from outside, has had one benefit: a lot of the internet companies that operate in China have been local, and they were able to develop without any competition from Western players. This has benefited China and its companies. But in the rest of the world it's mostly the SV companies who rule the roost.

There are both advantages and disadvantages to protectionism, I feel.


Will you always be able to access your data stored on North Korean soil?

Sure, if it's properly encrypted, the North Korean government may not be able to access it, but nothing's stopping them from cutting you off and holding your data hostage.

I used to work for a company that made software for casinos. Many of them were on tribal land, and refused to use any cloud services because they didn't want any of their data on American soil. All their software was on-prem, all their data was on-prem. If Uncle Sam came a-knockin' with warrants and court orders, they'd tell him to take it up with the tribal elders.


Well, I wouldn't necessarily only store it on North Korean soil.

Raw data we use for image processing at work (we will miss it if it's gone) is stored in three locations: server room, another server room in a different building, and on the cloud. Properly-as-of-2021-encrypted, of course.

Unless we really fuck something up with securing our storage servers or running a script that accidentally wipes it all at once, it's really hard to imagine a scenario under which all of that is gone at once.

If the cheapest and most reliable cloud storage provider was in North Korea, the only reason I wouldn't use them is the reaction I'd get from Very Important Privacy Peoples when they hear of it. (And also because I don't want to fund a criminal totalitarian regime responsible for sending people to the Gulag).


The obsession with physical data residence comes from the physical nature of government’s power: the ability to apply violence within its borders. The Indian government wants as much data (and encryption keys) inside Indian borders as possible because it can send in guys with guns to take it whenever they want.


Providing guys with guns is the primary purpose of any government.


> It makes no sense whatsoever, of course.

Silent, bulk, state-mandated surveillance.

Both for the at-home surveillance, as well as to counter the effect of storing it elsewhere, and permitting that state silent, bulk surveillance of the data of your own subjects/citizens.


> I'd much rather store properly encrypted personal information or financial data in North Korea than storing it unencrypted in my home country.

How about it gets encrypted the same way in North Korea or South Korea. Which one would you prefer?

What if North Korea says it is properly encrypted and the gov has no easy access, but we all know that could just as well be wrong?

The U.S. does not exactly enjoy a lot of trust internationally when it comes to customer protection and privacy.


> How about it gets encrypted the same way in North Korea or South Korea. Which one would you prefer?

Whichever is cheaper and/or more reliable. If I trust encryption, all other answers are bogus.

> What if North Korea says it is properly encrypted and the gov has no easy access, but we all know that could just as well be wrong?

In this scenario, I decide how to encrypt my data. The storage service is just dumb disk space for me to rent. Call it The People's Democratic B2. Otherwise, it's not really secure no matter who gives you assurances.


I doubt it would be an option for MasterCard that countries get to decide how they encrypt the related data. But I get your point :)


I have been a party to some discussion around the laws with mid level government officials and this was a bit like an episode of Yes Minister.

One of the government consultants spoke about "Data sovereignty". When someone asked what it meant he spoke for like 10 minutes without actually answering the question. "Data of Indians must belong to Indians", "Data is the gold of modern world" he then referred to various international reports without actually telling what those reports say.

"We must protect our citizens' data," one official said as others nodded in agreement. What they imagined here (I think) was data sitting on a hard drive and protected by people with guns creating a perimeter around it.

The files of these regulations moved across many tables and many offices. I am told the real estate companies in India had a big role and influence on these regulations.

Yes, ultimately it is a ridiculous law that does not help anyone. It does not protect anything.


I hope, for the sake of their sanity and ours, that they won't one day look into how routing of Internet traffic works.


> I'd much rather store properly encrypted personal information or financial data in North Korea than storing it unencrypted in my home country.

You might feel comfortable with that as an individual, but geopolitically speaking, India would be giving North Korea a pretty bargaining chip by letting payment processors store their data there (if they were so inclined). Imagine the havoc that could be caused! By requiring data residency, it is instead India who gets a pretty bargaining chip against these huge multi-national corporations.


Governments care about financial data for a lot of legitimate reasons, including fraud, criminal activity, etc. Having the data local makes sending legal notices for data access easier and makes supervision easier. A country shouldn't rely on sending international data-access petitions to random data centers with possibly hostile governments who will fight them on jurisdiction and non-treaty grounds.

I think what they're doing makes sense.


The company does business in India. If they want to continue doing business in India, they will comply with lawful court orders of Indian courts (or whatever other lawful mechanisms exist in India). If they store their data on the Moon, they will have to comply in the exact same way. It changes literally nothing.


"Or am I missing something? "

Jurisdiction is a huge thing, not a side show.

Data that sits overseas is subject to entirely different sets of laws which can conflict with local laws.

Those laws also relate to espionage, and even outside the framework of legality ... it matters as well.

It's a lot easier for the NSA to collect data on individuals if it's hosted in the US.

I have absolutely no doubt that financial, legal and health records should simply not leave the local legal jurisdiction without consent and a few more things.


Nothing in your comment invalidates these simple points:

1. If it's encrypted, it doesn't matter where it's stored.

2. If it's not encrypted, it can be easily stored in country X, processed in country X, but routed via SnoopHub in country Y. Country Y loves surveilling and is very happy about this state of affairs.

> I have absolutely no doubt that financial, legal and health records should simply not leave the local legal jurisdiction without consent and a few more things.

A very common attitude, usually held by people who "geographize" that which is not geographic in nature - the Internet.


1) Your assertion that 'the data would be encrypted' is false.

There's no reason to believe that Visa/MC would simply use 'America' as a base to host dumb, encrypted data which enters and leaves the US fully opaque. That would be pointless. Visa/MC are using services hosted in the US which will process customer data.

2) Statement #2 is also false. There is no arbitrary way for the US to snoop on data that doesn't flow through the US. For a whole variety of reasons - legal, operational, technical, political, cost etc.. Surely it can be done in a limited way, but at a level nowhere near the domestic capability.

3) Finally, your statement on "geographizing" is also false.

Data, encrypted or not - falls under legal jurisdiction of the 'nation / geography' it's in, and this has many significant consequences. It makes a corporation subject to local laws, regulations, liabilities etc..

The internet is very geographic in nature.


There's multiple reasons. Mostly: jurisdiction and protectionism.


Of course they also require full unencrypted access to the data. If the company doesn't surrender the keys to the server data, they can just switch the server off.


Also, all big companies show server expenses from a foreign country and move the profit earned in India abroad. This way some part of the profit stays in India.


> I'd much rather store properly encrypted personal information or financial data in North Korea

Ah, a fan of cold storage, are we.


> I'd much rather store properly encrypted personal information or financial data in North Korea than storing it unencrypted in my home country

That encryption is pointless. North Korea can just demand the key and decrypt your data (assuming the company has presence in that country). Very few services have true end to end encryption. Currently it's not even feasible for healthcare data (homomorphic encryption is not practical yet).


North Korea can demand what it wants. I'm not in North Korea.

For North Koreans, all encryption is indeed pointless if the goal is to hide it from the government, regardless of where they want to store data, for this very reason.

I can implement true end-to-end encryption in about 30 minutes (only because I gotta look up where I implemented it last). I will encrypt my data using well known and validated libraries, send it over to the cloud. Retrieve when I need it and decrypt it then. Not sure what about this is not feasible.
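An added example (not this commenter's code, nor anything from MasterCard or Filecoin) of the pattern the comment above and the Filecoin comment describe, and of the failure case the "approximately equivalent to storing the unencrypted data in Sweden" comment warns about: the client encrypts locally with AES-GCM and uploads only ciphertext to a storage node that stands in for rented disk in an untrusted jurisdiction. `StorageNode`, `Client` and `OperatorView` are hypothetical names chosen here; the account record is a constructed sample. `OperatorView` models whoever controls the disks trying to read a record, and only succeeds once the key itself has been put on the same node, which is the point the thread keeps circling: where the key can be used matters, where the ciphertext sits does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StorageNode stands in for dumb remote disk space in a jurisdiction you do
// not trust. It sees only bytes and keeps its own copy of everything.
type StorageNode struct {
	blobs map[string][]byte
}

func NewStorageNode() *StorageNode {
	return &StorageNode{blobs: map[string][]byte{}}
}

func (s *StorageNode) Put(id string, blob []byte) {
	s.blobs[id] = append([]byte(nil), blob...) // operator retains a copy
}

func (s *StorageNode) Get(id string) ([]byte, bool) {
	b, ok := s.blobs[id]
	return b, ok
}

// Client holds the key and does all encryption and decryption locally.
type Client struct {
	aead cipher.AEAD
}

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Seal encrypts under a fresh random nonce and binds the record id as
// associated data, so a blob the operator moves between ids will not open.
func (c *Client) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, plaintext, []byte(id))...), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or id fails.
func (c *Client) Open(id string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// OperatorView is the storage operator (or whoever seizes the disks) reading a
// record. Without a key on the node it can only return ciphertext; with the
// key co-located under the hypothetical id "key" it recovers the plaintext.
func OperatorView(node *StorageNode, id string) ([]byte, error) {
	blob, ok := node.Get(id)
	if !ok {
		return nil, errors.New("no such record")
	}
	key, keyPresent := node.Get("key")
	if !keyPresent {
		return blob, nil
	}
	c, err := NewClient(key)
	if err != nil {
		return nil, err
	}
	return c.Open(id, blob)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	node := NewStorageNode()
	c, _ := NewClient(key)

	record := []byte("card=5555********1234 balance=100.00") // constructed sample
	blob, _ := c.Seal("acct-42", record)
	node.Put("acct-42", blob)

	seen, _ := OperatorView(node, "acct-42")
	fmt.Println("operator sees plaintext:", bytes.Contains(seen, []byte("balance")))

	node.Put("key", key) // key stored beside the data: residency now decides who reads it
	seen, _ = OperatorView(node, "acct-42")
	fmt.Println("operator sees plaintext with co-located key:", bytes.Contains(seen, []byte("balance")))
}
```

Two design choices carry the argument: the nonce is generated per record and never reused with the same key, and the record id is passed as associated data, so the operator cannot silently serve one customer's blob under another's id. The second half of `main` is the configuration the thread calls "approximately equivalent to unencrypted": the moment the key is on the same disks, physical control of those disks is control of the plaintext.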


You are moving the goal posts. Of course simple data storage can be made secure, because you have the key. But the article is talking about financial data that is processed by companies. And you mentioned healthcare data, which would also be processed. The companies have the key and they can be forced to hand it over easily.

What use is end to end encryption for your healthcare data, if nobody except you can process that data? In that case, why don't you just put it on some external hard drive?


I think the point they are making hinges on the fact that the data just has to be _stored_ there. You can do the processing outside of India, so a company can store the encrypted data in India but process the decrypted data elsewhere.


All the tech people in this thread arguing how it makes no difference technically where the data resides etc etc. really guys can you not think further than that? It’s simple and obvious the Indian government is exercising total control over its affairs. Naming technical distinctions completely misses the point.

This is not a technical issue and has zero to do with tech. It’s political.


Data residency absolutely makes a difference, and I find it stunning that people don't see it.

Ok, so you decide to store your nation's sensitive data in another country, $nation. If things go awry, there is a (pretty remote) risk that $nation will break your encryption. But there's also a much less remote risk that $nation will simply block all connections from your country and prevent you from accessing your own data. How do you deal with such a threat?


Let us imagine a scenario where Mastercard holds EU or US citizens' data in China or Russia and refuses to move it to the EU/US.

If it is a bit hard to digest, perhaps one needs to extend the same respect to India's sovereignty.


Generally HN thinks highly of that, and will never visit the EU so they don't have to face punishments for GDPR violations


How real are these laws at all, by the way? Is it really the case that a company has to store its data separately (and inaccessible from other places)? What do these laws enforce, networking-wise only?


FYI, American Express and Diners Club have already been banned from adding new customers in India due to the same thing.

https://www.reuters.com/article/india-banking-american-expre...


> the subscriptions are now required to be paid monthly by people

I have a bunch of subscriptions (App Store, JetBrains, AWS etc.,) which continue to seamlessly go through without me having to explicitly authorise each month.

I suspect there is a fine print/subtext to that subscriptions rule that isn't accessible to public.


Sorry, I deleted that part of the comment as it didn't apply to the topic at hand. Multiple companies have dropped subscription support in India or changed things due to the recent RBI rules around mandates.

https://gadgets.ndtv.com/apps/news/amazon-prime-membership-o...

https://help.ads.microsoft.com/#apex/ads/en/52003/3

EDIT: Another useful one: https://support.google.com/pay/india/answer/10710851?hl=en

It looks like existing subscriptions were grandfathered until Sept 30, which is why you haven't seen a change. But new accounts cannot use subscriptions until the company has properly implemented e-mandates.


You are right in that I haven’t seen any Indian merchants offer subscriptions anymore. And yes, that e-mandate; I believe the UX is not ideal so there’s not much adoption. E-mandates were launched as part of UPI 2.0 but there are hardly any merchants offering them. I wonder what’s holding them back besides bad UX.

But I have a gut feeling that international merchants are exempted from this rule. Because I can go to JetBrains even now and subscribe to their products.


Third paragraph from the bottom in the post you're literally commenting on :)


Let us not forget, the rules were formulated in 2018, planned to be implemented by Dec 2018. Companies kept requesting extension of the deadline. Finally RBI had enough. They have been given substantial time. At this point, non-compliance simply means unwillingness, whether for political or technical reasons.

It is not a surprise-everyone move. The Indian central bank is following a consistent long term policy. I feel overall it is good.


I can't make out if these rules are specific to India. Doesn't the EU have the same data residency rules as well? Why are Mastercard and Amex struggling with this?


The Indian rule seems to require all data be stored strictly inside India, without any of it being stored outside the country. The EU permits data to be transferred outside the EU under a number of circumstances: e.g. if the other country has equivalent data protection laws, if the non-EU company you're transferring the data to has promised to abide by the EU rules, stuff like that. Take this with a grain of salt, of course, because I'm not a lawyer, but that's how I understand it.


Actually the European courts struck down Privacy Shield. So any company transferring data to the US is doing it illegally. Plenty of active lawsuits against Google. But as much as HN likes to bash Google, people here are pretty submissive when one is asking for advice on legal options against these companies.

https://www.bbc.com/news/technology-53418898


> people here are pretty submissive when one is asking for advice on legal options against these companies.

I think to be fair to the HN community on this topic, most of us are not lawyers and shouldn't be providing legal advice. And maybe more importantly, at least in the US, the most rational advice starts with step one being "have at least $500M in a legal fund", which precludes most people from being able to effectively execute a suit against Google.


As far as I know it's still possible to transfer data from the EU to the US under the GDPR if the companies involved have signed a "standard contractual clause"[0] (the article says this was also a target of the Privacy Shield suit but the courts chose to continue to allow it).

[0] https://ec.europa.eu/info/law/law-topic/data-protection/inte...


Right, which Google[1], Amazon[2], and Microsoft[3] even offer to third parties on their cloud platforms. That ruling was mostly just a quibbling about the legal particulars, it didn’t change anything on the ground.

[1]: https://support.google.com/adspolicy/answer/10042247?hl=en

[2]: https://aws.amazon.com/blogs/security/customer-update-aws-an...

[3]: https://docs.microsoft.com/en-us/compliance/regulatory/offer...


Does Indian controlled AJK and Ladakh qualify as "inside India"?


Do they have control of the lands you mentioned at present? That's the only reality that counts to make it within the country.

Also, Ladakh is hardly a troubled area from within.


I can't imagine any servers being set up in AJK or Ladakh in the near future.


Indian controlled AJK is like two villages in Kargil.


I suspect this is more a case of "unwilling" rather than "unable". Slightly related, China recently passed a similar law: https://www.ropesgray.com/en/newsroom/alerts/2021/July/China...


It's not a non issue either. Several countries already use different systems that do not depend on US credit card companies anymore. Not because it is banned, but because it obviously is a suboptimal solution.


Data from Indian transactions should be stored and ideally even processed in India. This seems fair and reasonable to me.


What makes it fair and reasonable and does whatever rationale you use here not open up the door to further nativism?

I mean if it is fair and reasonable that Indian transactions should be stored and processed in India, is it not also fair and reasonable that goods sold in India should be made in India, that movies that show in India should be made in India, that all news consumed in India should be written in India?

I get these are not the same, but what is the real difference here? Where does it become unreasonable in my examples and why?


There is not a single country in the world where the largest bank is not a bank based in that country. Like money, data is something sovereign nations want to control.

EU, China and India all have areas where they want US based firms to store data in a specific way. This isn't changing anytime soon.


BCR and BRD, the largest Romanian banks, are owned by Austria and France.

I'd be shocked if most big banks in Eastern Europe are owned locally.

The opposite of what you're saying is true for almost every average or small country, economically.


There is a huge difference to your other examples. The US does not actually have a good track record with protecting their customers with proper privacy laws.


I'm not sure what that has to do with this. There could be laws requiring that the data be kept secure and private without specifying that it has to be kept in a certain location.

Besides which, India doesn't have a good track record of protecting privacy either.


True, but if it's not hosted under your own control it basically is fully out of your control. Doesn't the US gov / the 3 letter agencies basically have access to everything hosted within the US?

Sure there are other ways, but India seems to like to go for the most radical solutions at times


They also seem to have access to everything that goes through the submarine cables near their shores.

So data is spied on just by being routed near them, it is not needed for them to be the destination.


The US having access to Indian data has limited impact on India, while the Indian govt having the same data has major impact on India.


I don't disagree. It is dystopian, but so is a single country having access to the majority of the world's transactions.


> is it not also fair and reasonable that goods sold in India should be made in India, that movies that show in India should be made in India, that all news consumed in India should be written in India?

Of course, that's what every country wants, and they develop policies that give tax breaks or concessions to local businesses. That's why tariffs were enacted.

I'm sorry, I don't really get your point, maybe you can restate it?


It was a question as evidenced by the question marks.

Your answer, as far as I can discern, is that "Of course" it is "fair and reasonable that goods sold in India should be made in India, that movies that show in India should be made in India, that all news consumed in India should be written in India."

That's all there is to it, question asked, and answered.


You think it is fair for companies to be required to run servers in every country they operate in? That seems pretty wasteful and inefficient to me.


It's a billion person country.

It might not make sense for every country to demand things like this, but that doesn't mean it doesn't make sense for giant countries too, and it doesn't make it inefficient.

At India's scale costs are already amortized anyways, but worse, consider India's physical location. It's surrounded by hostile nations (Myanmar, China, Pakistan, make a wall around it). To get data out of the country you're talking about moving it through hostile territory, or moving it through vulnerable subsea cables. Not only is the bandwidth probably more wasteful than the extra compute needed to spin up another set of servers to serve the billion people in India, but the network cannot be relied on to keep working during any sort of crisis.

Luxembourg or whatever demanding all data processing happening internally would be meaningfully different. It's less than a million people to amortize over instead of more than a billion. It's next door to allies which the data could reasonably be stored and processed in, instead of isolated. But we're not talking about whether or not Luxembourg should demand this, we're talking about whether or not India should.


Afaik, Myanmar is not a hostile country. Neither the elected government nor the military dictatorship has animosity at the state level.


China and India are not friends. China needs Myanmar because it would allow it to transfer its goods faster and cheaper: no need to go around through Strait of Malacca.

If pro-China government is installed in Myanmar it means that it automatically becomes hostile to India.

Controlling trade routes explains many wars and coups.


To be honest I know next to nothing about Myanmar<->India relations. Everyone has been suggesting that the new Myanmar government is closely related to China, so I was substituting in the China<->India relations.


Right now yes. However any neighboring country with a recent coup doesn't fill you with confidence.


Data can also move by satellite.


Someone can correct me if I'm wrong, but I don't believe there is meaningful amounts of bandwidth available via satellite today. Even something like starlink today is just a bent pipe from ground station to ground station (and is super recent).

Whatever bandwidth is available would undoubtedly be quickly consumed if the land lines were cut...


Nowhere near enough.


We require businesses to register themselves, to file taxes in every country, etc., etc. We don't have global governments, and supervision of local financial data for fraud/criminal activity should be done locally. It sounds to me like it's more efficient compared to the alternative.


If it was wasteful, then there would be no CDNs like Akamai and Cloudflare.

And Netflix would not have data centers in virtually every ISP in the world.

Ohh poor Netflix, the bandwidth costs are so unfair to them!


Mastercard isn't Netflix. The amount of bandwidth is likely orders of magnitude less.


Why does it matter where the data is located?


It matters which jurisdiction can order the data to be decrypted.


There are 196 countries in the world.


It is really interesting that there's even a debate over this. US and EU have long had similar policies in the name of "national interest" or "protecting the consumers", but if other countries have similar policies, it suddenly becomes a negative thing.

I think the hard reality of it is data needs to be localized, to ensure companies comply with local laws. Every country has independent authority on how they want to run things, and whether it turns out to be good or bad, companies need to follow them.


It would have been okay if the country had a good privacy protection law. And a not-so-broken justice system. The legal system wears you out starting right from the troubles of filing a police report (when needed). Having worked with the govt, they are pretty lame on security and high on convoluted regulations and harassment. The rules are applied selectively. As a fact, the govt (unintentionally) leaks the citizen's data and then they absolutely deny and cover up stuff. And there is zero accountability. Their departments regularly access stuff without proper authorisation and then store/move it insecurely elsewhere.


But data localization means the data is in a specific country, but the ownership still remains with the company. And I understand that the judicial systems can be flawed in different countries, but as a company, if you want to do business in a country, you still need to follow the law.

To give you an example, companies operate in China, despite not having great labor laws or environmental protection laws, or the threat of facing the govt.'s wrath any moment. That's because they want to do business in that country. It's the same with any company or country.


I find it interesting that the card companies are concerned storing the data in India could allow the government access to it when the data apparently currently resides in the US. Either they're doing something with the data in the US that prevents the US from accessing it the way India could or they're just accepting the US being able to access it as a given and don't see why Indian customers wouldn't want that.


The regulations on this have been in play for a while; I remember discussions in fall 2019 on this, on asks by Indian regulators to all multinational banks, payment processors, etc. The push to segregate local data within national boundaries needs to be addressed soon. Local data meaning transactions between 2 parties within the same country.


There has been a lot of innovation in digital payments in India over the last 10 years. There are a number of local alternatives to traditional card brands. This might be a combination of protectionism to support local payment alternatives, and international card network unwillingness to invest in India given declining market share.


We have known for some time, since well before the TikTok ban in the US, that the world wide web was heading to the fractured web.

It started with China. The moment the world accepted their firewall conditions was the moment that we said we are OK with letting you earn the benefits of the web, without the cost of openness.

Open countries could set a marker on this issue. Either you are open or you are not. And if you aren't, you will be doomed to rot in your protectionist web.

We didn't set the marker, so here we are.


I argue that Snowden's disclosure accelerated the trends.


Is this hard to implement for MasterCard?

Otherwise, it seems reasonable to me, but I'm not that knowledgeable in this area.


Yes, it is. You either need to entirely fork your operation to have it operate entirely within India, or be extremely careful with how you store your data, and store the data only in India, but process it in other data centers without ever having it touch disk. Which I believe means you can never even log the data.


The rule[0] says that you can process the data abroad, including storing it on disk temporarily for purposes of processing, as long as it is deleted within 24 hours. So it's not quite as strict as requiring it be kept in memory the whole time without ever writing to disk, but it does sound like you probably couldn't keep detailed logs.

[0] https://rbi.org.in/CommonPerson/english/Scripts/FAQs.aspx?Id...


> but it does sound like you probably couldn't keep detailed logs.

Or backups.


Backups for India can be kept in India. It is a big country.


The original RBI circular was in 2018[1] with an audit date set for December 2018. That wasn't met as most companies requested an extension, which the RBI gave multiple times.

So yes, it is difficult - but it has been years since MasterCard knew about this.

[1]: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=1124...


As difficult as this will be to implement, I suspect it will be a boon for the Indian IT industry. I suspect MasterCard and others will comply with the new law in due time simply because the Indian market is so vast and full of revenue potential.


How long do you think it will take to do it?


The physical hosting while not trivial is not a big challenge. They need to find a reliable hosting provider in India and there are many.

Where it gets really hairy is routing. Example - handling payments of Indian international travellers; or card details entered on websites that are hosted outside of India.

I worked on a similar project but 1/10th of scale and even then it was extremely tricky to cover all the edge cases.


Banking is highly regulated; AFAIK the government even gets to audit your server deployment and security measures.

Nothing but yet another American company that would like India to behave like a colony.


This is just a few thoughts I came up with while reading this, they might not be completely accurate and are probably very sloppy but here goes...

In the grand scheme of things these news are kind of interesting to read. I see multiple ways to characterise these events but it's a bit tough to because the only words I'm able to use kind of project a moral judgement onto the sides which I do not intend to make because history will have to be the judge of that. Needless to say, though, that I assume extreme selfishness from all sides as a given.

With that said, you could say that this is a fight between: freedom and authoritarianism (banning things, or giving people the freedom to trade by allowing foreign companies to pave the way); globalism and nationalism (promoting the interests of the local government vs. a foreign one); or simply a battle of political interests.

Probably a strange mix of all of the above, in reality. I have a hard time figuring out who to root for, though, as these western multinationals can act pretty maliciously, too. And so do governments that turn authoritarian. I'd kinda prefer neither, with the freedoms of all, myself, but I am being unrealistic, sadly.


I am with Mastercard on this one. Either they were asked to pay a bribe and refused, which is good, or they genuinely care about their customers. In corrupt countries, such as India, politicians and local law "enforcement" love to get their hands in the pockets of honest and hard-working people. And what easier way is there than having a card that provides details of the money you have in your pocket.


India has a better financial system than the USA/Europe, so they are not afraid to kick the monsters out of the country. Next is Visa.


So, the reason is that the entirety of the customer data must be stored locally in India, rather than on a server located elsewhere[0]? Does anyone know why the rule in India is so much stricter than the equivalent GDPR rule[1], which allows transfer of data outside the EU in various circumstances (basically if it's assured that it won't lead to the data being subject to much laxer standards of protection)?

According to the article, the banks are saying the reason it's much stricter than the equivalent EU data residency requirements is to ensure the Indian government can spy on customer data. Is there a more reasonable, less malicious reason they may have written the requirements this way?

[0] https://rbi.org.in/CommonPerson/english/Scripts/FAQs.aspx?Id...

[1] https://gdpr.eu/article-44-transfer-of-personal-data/


If I was running a large country, I'd want transactions to be entirely local for national security reasons. Generally, in the event of a world war, I wouldn't want it to be trivial for other countries to remotely cut off my whole economy.


From the text of the rule:

> There is no bar on processing of payment transactions outside India if so desired by the PSOs. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.

So this only applies to the customer data, not the actual systems that do the transaction processing and verification. The systems that actually do the work could still be cut off from India, leaving them with nothing but a database of customer transactions.


How about just avoiding wars? Global interdependence of countries is beneficial for this reason. Also, India's military is no match for and unlikely to have any reason to fight the external countries where MasterCard's data is likely to be stored (US, UK, etc).


> How about just avoiding wars?

Countries simply do not have the unilateral ability to avoid wars.


The easiest way to prevent war is to make it uneconomical -- like it was in the past. War should bankrupt a country. Years long fighting like we saw in the 20th century is a product of loose monetary policy.

When a country can print itself out of debt (or more accurately, kick the can down the road for the next generation), war is inevitable. If we remove the ability to do this, a prolonged war becomes far less likely.


But, again, that's not something a country can unilaterally control.

If a nation's neighbors have the capability to fight a years long war, but that same war would bankrupt the nation, then the

The game theory of the situation (again, from an individual nation's perspective) means no one nation will "remove the ability to do this" unless there's a massive collective action.


Have you heard about the 100, 70 and 30 years wars? The massive death toll and destruction in the world wars was largely a result of much more effective military technology. There was simply no way to kill as many people and destroy as much property in such a short time frame in any preceding wars.

And I don't really see what a loose monetary policy could have to do with this. Before the 20th century countries rarely had the means to mobilize their economies by directing most of the output to the war effort; they had no capacity to enforce this, and in any case there wasn't enough surplus produced to wage a total war without everyone starving to death and/or the central government collapsing.


I am advocating hard monetary policy (ala a gold standard, a bitcoin standard) as a method for disincentivizing war.

When you cannot replace the capital spent on war via inflation, war is less likely to occur. I acknowledge this is a fringe philosophy, but time will tell.


> but time will tell

Well, the gold (or silver) standard had been a thing for thousands of years and I don't think there is much empirical evidence to suggest that a country's inability to control its monetary policy somehow inherently disincentivizes its government from waging wars.

Talking about inflation specifically, there was relatively little of it during both WW1 and WW2 since all countries implemented price controls and rationing and pretty much nationalized all the available production capacity.


There was the debasement of the currency of the Roman Empire, which lead to its failure. This was done for reasons of waging war.

I am arguing that if you remove the ability for a state to create money (or at least debase it), it removes the ability for it to wage war. Continuous war requires continuous capital to wage. If this continuity is ended, wars end.


Then you're arguing for abolishing the state in general. Because otherwise individuals would have no way of preventing the state from either taking away their non-inflationary money/coins or banning them, which would result in a significant reduction in their value.

> There was the debasement of the currency of the Roman Empire,

War was the reason why the Roman empire existed in the first place. In fact some argue that the Roman economy was only sustainable as long as Rome continued conquering new lands, enslaving their populations and taking away their property. As soon as the empire stopped expanding they were no longer able to maintain their army. Arguably, without debasement the collapse might have happened sooner; they would have run out of gold to pay their soldiers anyway.


Prior to the revolution of 1789 the French state was pretty much in a permanent state of bankruptcy for several hundred years (and unlike the Romans they couldn't really debase their currency). Did that prevent them from waging wars?


Not the state in general, just the ability to create money. The state can still raise funds via taxation, but they need to be more careful in how it is spent, as it cannot be magic'd into existence.


And how would you enforce this if the state continues to have the monopoly on violence? Who would prevent it from banning doing the same thing Roosevelt did in 1933 (banning the private ownership of gold) (of course for crypto currencies they would ban the usage and ownership) or suspending the free market itself like in 1941?


And that is what is so wonderful about Satoshi's great invention. The state has far less power over mathematics, cryptography and game theory.

A gun is useless against ECDSA. A government cannot stop a person holding, saving, spending or transacting in bitcoin. As long as there is a channel, anywhere in the universe that allows submission of valid, signed transactions to peers, the state cannot stop it.


Sure it can, it can just ban crypto currencies and start fining all businesses which accept them and/or allow exchanging them for fiat currencies. While technically people would still be able to transfer them, I'm not sure how useful that would be in practical terms.


Countries rarely go to war with countries that they don't share borders with. For India, that's China, Bhutan, Nepal, Pakistan, Afghanistan, Bangladesh and Myanmar. Making sure that MasterCard does not store their transaction data in any of those countries should be sufficient.


There are many rare events that a country would still want to protect itself against.

"Should be sufficient" and "Will be sufficient" are different enough to cause anxiety for people who have to safeguard against those kinds of outcomes.


In the case of MasterCard that might be true, but the law applies generally. It's not inconceivable that another piece of critical infrastructure could be provided by a country who has a data center in a more likely adversary, say, China. In general, the Indian approach is not to whitelist everything and then blacklist whatever specific exceptions become necessary, but the reverse.

As for avoiding war: sure, but how should we conduct things until utopia arrives?


>How about just avoiding wars?

That's a silly remark. Are you suggesting that countries can simply avoid wars and accept the consequences just because some credit cards will stop working?

edit: formatting


Yes, if they believe that the cost of waging the war would outweigh anything that they might gain even if they win it. Why would any two countries wage a war against each other if their governments knew that both countries' economies (and most of their capacity to produce military material) would immediately collapse?


The GDPR didn’t give a 6 month timeline.

And GDPR had a long transparent process that in addition to the official implementation time, gave companies a lot of time to see what sort of rules they would likely be working under even before it was approved.

The worst government since liberalization, however, makes capricious rules, without input or deliberations, drops them on the world like they are a JayZ album, and then gives atrocious timelines for compliance.

More often than not they will then backtrack on those rules once enough time has passed so people will forget how atrocious those rules are (like during COVID), or in some cases (such as demonetization), they will double down never mind the generational economic damage and direct death toll.


> The GDPR didn't give a 6 month timeline.

This ruling came out in 2018 and they were given an extension until now; 3 years is sufficient to implement most things.


This applies to critical infrastructure, one of national security.

GDPR is about privacy.


I don't see the problem. When in Rome...

It will create jobs in India. The government doesn't allow multinational companies to get away with having all the market access and data control while evading taxes.


Netbanking and UPI are so popular here. I last used a debit card about 3 years ago.

I do not think it's even a concern if MC is entirely banned.


India’s been on a tear lately, first sci-hub, then Twitter now this… seems they’re growing up.


The South Asian market’s central bank said the new restrictions will go into effect on July 22


Same thing happened to Amex


What were/are the effects of GDPR in the EU? Also, did it lead to a huge increase in spending for MasterCard?


I'd imagine a bigger loss for MasterCard was the EU capping their interchange fees to 0.3% with a regulation in 2015. "At present, credit card interchange fees in the UK are typically around 0.85% per transaction" (https://www.theguardian.com/money/2015/jul/27/cap-on-card-fe...). After Brexit MasterCard will increase it to 1.5% (https://www.theguardian.com/money/2021/jan/25/mastercard-to-...). Losing out on a 0.55% fee on every transaction is significant at MasterCard's scale.


I agree that will have a bigger effect, and boo Brexit. But it's actually only transactions on EU shops by UK cards that face higher fees, which is a really small percentage of purchases. Definitely not every transaction.

I'm sure they'll raise the other fees later though. Probably just dipping their toes.


Even more reason to accelerate instant payment system rollouts to avoid private payment systems that charge interchange fees.


What instant payment systems? Are there actually viable competitors to Visa/MasterCard?



It is good to see India growing as a world power as the largest democracy in the world.


They have been "growing" and "becoming" the next world leader for a while now.

Anyone who has lived in India long enough will tell you how far from the truth this is.

The only stick India has, besides their nuclear arsenal, is the size of their domestic market (aka population). I don't think the purchasing power of their domestic market is that lucrative compared to actual superpowers (economic or military). But just large enough for international companies to bother to invest.

The whole political platform for Modi is religious fanaticism, nationalism and jingoism. Any sane, rational Indian leader would not be so anti international investment. (I am not only talking about the incident mentioned in this article, but generally speaking).

If you can look past the billionaires and the prosperous cities of India (however few), it eerily feels like the whole country is for the most part still stuck in the 80s.

Most people tout India as the largest democracy with a diverse religious population. The reality on the ground could not be farther from the truth.

In reality the country feels like it's always in a state of experiment by their political leaders, competing with each other to find the best way to fuck things up without actually blowing up the country. Yet.


To be fair, there was a strong bull case to be made for India till the early 2010s, especially in how well it recovered from the financial crisis.

The problem is that Modi has brought an insane blend of pre-liberalization economic policy, centralized authoritarian control, and British-inspired religion-based divide and conquer policies that have set India back a couple of generations at least, possibly permanently if he remains in power and continues down this path.


> Any sane, rational Indian leader would not be so Anti international investment. (I am not only talking about the incident mentioned in this article, but generally speaking).

FDI has actually increased since Modi became the PM and he has been actively courting foreign companies. I don't understand how he is "anti international investment".


Yeah, Modi is pretty anti international investment; just look here, since he got into power FDI has dropped in India by almost -100%: https://www.macrotrends.net/countries/IND/india/foreign-dire...

Also all the PLI schemes for companies are pretty anti international investment, so companies from Samsung to Apple are all investing big.


There are a lot of factors involved with all of that. I would argue that what has happened is that Modi's policies, even ones that might seem reasonable at the start like reforming the currency, have as executed ended up creating enormous difficulties for business in India and that investment has dropped primarily as a result of Indian business struggling amid their current circumstances.


Demonetization in 2016 turned out to be a horrible move, that backfired a bit, although I supported it when it came out.

GST implementation has been quite successful, FDI has increased since Modi came to power. The pandemic, of course, has been pretty bad, with the GDP contracting 8% in 2020.


FDI in India was $35 Billion when Modi came to power, and is >$50 Billion today. Are you being sarcastic?


Obviously: 'dropped by -100%' means 'increased by 100%'. Looks like you missed the minus sign.

