Should consumers be prohibited from storing card data on the internet?

In March 2020, the Reserve Bank of India’s guidelines on Payment Aggregators and Payment Gateways prohibited merchants from storing data on cards used by customers. This paper argues that such a prohibition on card data storage impacts upon the ease of transactions for consumers, and effectively tilts consumer preference towards other payment instruments. This runs the risk of technological choices in the industry being made or substantially shaped by the regulator. The documents released lack a cost-benefit analysis of this prohibition and do not demonstrate that the chosen intervention is the best one. This raises concerns in the light of emerging Indian jurisprudence on the standards of regulatory governance to be met by statutory regulatory agencies. We show alternative approaches to address concerns relating to breaches of card information stored by consumers on the internet. These include better security standards, tokenisation, and liability frameworks.