08 Aug 10

Asia Just Does Not Get PCI

I recently spent two weeks in Asia and I have to say, from a PCI compliance perspective, Asia just does not get it.

I was doing my expense report, going through my receipts and converting them to US dollars and I could not get over the fact that almost every one of the credit card receipts had the full PAN on them along with my name and the expiration date.  As a result, I do not understand why hackers in China and other Asian countries are trying to hack banks and merchants when there is a wealth of credit card data sitting on almost every credit card receipt generated in their own back yard.  Given what I saw while there, I am guessing that paper recycling centers and dumps would provide more credit card numbers than their hacking activities.

Asia is an interesting environment from a credit card perspective.  In most cases there are only one or a very limited number of acquiring banks in a country.  Acquiring banks mandate the use of their terminal.  So, if you wish to accept credit cards for payment, you use your acquiring bank’s supplied terminal.  If you want integrated POS, the acquiring bank either supports only certain POS solutions or they work with you and your POS solution vendor to provide you an interface to their terminal.  So, if you are a merchant in Asia, you are not going to get a lot of options for your credit card terminals and how they operate.

As an example of what it is like in Asia, the client I was working with actually had to fight with their acquiring bank to get them to fix their credit card terminals so that they did not print the full PAN on their receipts.  This client had to repeatedly argue with the bank to get the software in their terminals fixed so that the PAN was masked.  So, with the fix created, implemented and working, one would think that the acquiring bank would have rolled out this change to all their merchants.  Yet you would be wrong.  I saw the same terminals from this acquiring bank throughout my travels and they all printed the full PAN on their receipts.  So much for security.

And it is a large portion of Asia, not just China.  From the experience of my own travels and those of my business compatriots, this problem is in Taiwan, South Korea and Japan.  Only in Singapore did I see receipts with masked PANs most of the time.  There was an occasional receipt with a full PAN, but that was rare and usually with a very small merchant.

In questioning this situation, the rationale given is that credit cards have not penetrated Asian society yet.  While this is very true with China, Vietnam and Thailand, this does not make sense for Taiwan, Japan and South Korea where credit card usage and penetration are very high.  So, the only real reason this can be going on is that fraud due to taking PANs off of receipts is not a problem – yet.  Given the time it would take to fix every terminal in Asia, if I were an acquiring bank, I would be moving quickly to fix this issue before it becomes the major problem it will likely develop into.

Oh, and for the curious, since my company requires us to scan our receipts, I “erased” the PAN to the last four digits in a photo editing application before submitting them with my expense report.
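The fix the client had to fight its acquiring bank for, and the clean-up I did by hand on my scanned receipts, both come down to the same two operations: mask every digit of the PAN except the last four before anything is printed or stored, and be able to detect a full PAN that slipped through. The following Python is an added example written for this post, not the terminal vendor's or the acquiring bank's software. It assumes PANs of 13 to 19 digits, uses the standard Luhn mod-10 checksum to tell a PAN from other long digit strings, masks with the character "X", and runs over a constructed sample receipt that uses a well-known test card number rather than a real one.

```python
import re

# Luhn mod-10 checksum, which every branded card PAN satisfies; used here to
# keep phone numbers, reference numbers and dates from being treated as PANs.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Mask a PAN for a printed receipt, keeping only the last `keep_last` digits.
    Separators (spaces, dashes) are kept in place so the receipt layout is unchanged."""
    digits = [c for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    n_mask = len(digits) - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(mask_char if seen < n_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not glued to other digits on either side.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _candidate_digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_unmasked_pans(text: str) -> list:
    """Return the digit strings in `text` that look like full, Luhn-valid PANs."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _candidate_digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_receipt(text: str) -> str:
    """Replace every full PAN in receipt text with its masked form; leave other numbers alone."""
    def _sub(m):
        digits = _candidate_digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(m.group())
        return m.group()
    return _PAN_RE.sub(_sub, text)


# Constructed sample receipt (not a real merchant or card); 4111 1111 1111 1111
# is a widely used Luhn-valid test number.
RECEIPT = """\
SAMPLE CAFE - TAIPEI
CARD: 4111 1111 1111 1111   EXP 12/12
NAME: J DOE
AMOUNT: TWD 450
AUTH: 012345
"""

if __name__ == "__main__":
    print("full PANs found:", find_unmasked_pans(RECEIPT))
    masked = redact_receipt(RECEIPT)
    print(masked)
    print("full PANs after masking:", find_unmasked_pans(masked))
```

The scanner is the piece worth keeping around even once terminals are fixed: pointed at the text extracted from a batch of scanned receipts or a POS log, it gives a defender a quick answer to "does anything here still carry a full PAN?", and the Luhn check keeps authorization codes and phone numbers out of the results.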


7 Responses to “Asia Just Does Not Get PCI”


  1. David Griffiths
    August 12, 2010 at 2:22 AM

    Once again, the Guru misses the point completely, and chooses to ignore the impact of EMV. I think he has said previously, something along the lines of he is not an EMV expert and so he ignores it. I paraphrase slightly, but you get the drift.

    Crims in this region don’t go after credit card receipts as they are not living in the payments third world that is the US! The numbers on the credit card slips are useless, but then you guys choose not to understand this. Oh, sorry, the numbers on the credit card slips are useless, unless they belong to a US-issued card!

    The Asia Pacific Smart Card association estimated that there were in the region of 50 million EMV cards in Japan, and 81 million across the whole of the Asia Pacific region – in 2006!!!

    I am actually surprised that they let you transact with old technology, there are a growing number of Yankee Doodle tourists having their magstripe cards refused around Europe, because they don’t look real and they represent a bad risk for the merchant.

    Do you not think that if there was a problem with the receipts, and Asia-based crims are pretty bright, that they wouldn’t be exploiting the weakness? Or do you think that you are the only bright person around?

    Same old story eh?

    • T. Anne
      August 12, 2010 at 8:00 AM

      FYI – the PCI Guru is not the one that said he was no EMV expert, that was me. And I didn’t say I ignore it as a result, simply that I do not truly understand all the pros or cons.

      • David Griffiths
        August 12, 2010 at 9:20 AM

        Apologies for that – my mistake.

        I did read PCI Guru’s paper on EMV, though, and couldn’t find an ounce of substance in it, so I guess the sentiment is true even if the facts aren’t.

        To you T.Anne: if one doesn’t truly understand all the pros and cons of EMV, how can one form a valid opinion of its relative merits when compared to PCI?

        All things considered, he is still missing the point.

      • T. Anne
        August 13, 2010 at 10:07 AM

        Can’t anyone form an opinion regardless of their understanding of the topic? And regardless of who agrees with it – is it not still valid to the person it belongs to?

        In its nature, an opinion is just an opinion – it can be a professional judgment (keyword being judgment – and not certainty), and it can also be the belief/judgment that comes as a result of insufficient details… either way, they’re not facts – they’re the personal view of the person holding them.

        Just as your opinions of why EMV is the perfect answer and negates the need for the PCI DSS, my opinions on why the PCI DSS is still needed are just that… our opinions, neither is more valid than the other. Both are based off of different understandings and view points – but both are still valid opinions.

        On a side note – I did read an interesting article from Tripwire today. It is not about Asia as this post is, but about the UK and the PCI DSS. I was surprised to see that 58% of level 1 merchants are already compliant, but then it drops drastically and oddly enough level twos are the lowest (4% level 2s, 8% level 3s, and 6% level 4s). However, more interesting was that level 1s and 2s don’t think their security currently goes above and beyond the PCI requirements, yet 12% of level 3s and 16% of level 4s do… While I know it doesn’t talk about Asia, I do believe it touches on the fact that people are realizing the value of it. With 88% of the organizations having senior management on the PCI team, and 77% having no difficulty getting the funding and resources to ensure the requirements are met – I think that says a lot. The article does briefly identify a disconnect between the opinions of senior management and the IT professionals themselves… however, I believe it supports the opinion that the PCI DSS provides added, necessary security.

        If any one wants to read the article it can be found here: http://viewer.bitpipe.com/viewer/viewDocument.do?accessId=12841671

    • August 13, 2010 at 11:28 AM

      David,

      I really get the impression that you are on an EMV crusade and PCI is nothing more than a false prophet that impedes your crusade to show that EMV is the true light and the only path to security. I’ve been in the payments industry for 20+ years, well before either PCI or EMV. From my experience, PCI and EMV can work together; they are not diametrically opposed to each other. Yes, areas of PCI are bloated and I feel overstep their bounds but on the other hand, EMV is a lot more complex than it needs to be — at least from the POS integration perspective. From my perspective (application integration and payment processing), due to the three legged stool design, EMV is a development and support nightmare. Also, as I’ve said before, EMV does not address card not present — that apparently is someone else’s problem (maybe PCI?).

      PCI is not the enemy of EMV. Besides, this is the “PCI Guru” blog so I would think the focus would be PCI, not EMV.

  2. August 9, 2010 at 8:42 AM

    Jeff,

    A very true situation which I am unfortunately forced to agree with. Our region still has a long way to go.

    I hope you don’t mind if I quote your article in my own blog with some local commentary on the subject:

    http://askmarkchan.blogspot.com/2010/08/jeff-hall-says-asia-doesnt-get-pci-i.html

    Thank you for continuing to share your thoughts for all.

    Mark.

