Asia Just Does Not Get PCI

Friday, September 03, 2010

PCI Guru


I recently spent two weeks in Asia and I have to say, from a PCI compliance perspective, Asia just does not get it.

I was doing my expense report, going through my receipts and converting them to US dollars and I could not get over the fact that almost every one of the credit card receipts had the full PAN on them along with my name and the expiration date. 

As a result, I do not understand why hackers in China and other Asian countries are trying to hack banks and merchants when there is a wealth of credit card data sitting on almost every credit card receipt generated in their own back yard.  Given what I saw while there, I am guessing that paper recycling centers and dumps would provide more credit card numbers than their hacking activities.

Asia is an interesting environment from a credit card perspective. In most cases there is only one, or a very limited number of, acquiring banks in a country. Acquiring banks mandate the use of their terminal. So, if you wish to accept credit cards for payment, you use your acquiring bank's supplied terminal.

If you want integrated POS, the acquiring bank either supports only certain POS solutions or they work with you and your POS solution vendor to provide you an interface to their terminal.  So, if you are a merchant in Asia, you are not going to get a lot of options for your credit card terminals and how they operate.

As an example of what it is like in Asia, the client I was working with actually had to fight with their acquiring bank to get them to fix their credit card terminals so that they did not print the full PAN on their receipts.  This client had to repeatedly argue with the bank to get the software in their terminals fixed so that the PAN was masked. 

So, with the fix created, implemented and working, one would think that the acquiring bank would have rolled out this change to all their merchants.  Yet you would be wrong.  I saw the same terminals from this acquiring bank throughout my travels and they all printed the full PAN on their receipts.  So much for security.

And it is a large portion of Asia, not just China.  From the experience of my own travels and those of my business compatriots, this problem is in Taiwan, South Korea and Japan.  Only in Singapore did I see receipts with masked PANs most of the time.  There was an occasional receipt with a full PAN, but that was rare and usually with a very small merchant.

In questioning this situation, the rationale given is that credit cards have not penetrated Asian society yet.  While this is very true with China, Vietnam and Thailand, this does not make sense for Taiwan, Japan and South Korea where credit card usage and penetration are very high. 

So, the only real reason this can be going on is that fraud due to taking PANs off of receipts is not a problem – yet.  Given the time it would take to fix every terminal in Asia, if I were an acquiring bank, I would be moving quickly to fix this issue before it becomes the major problem it will likely develop into.

Oh, and for the curious, since my company requires us to scan our receipts, I “erased” the PAN to the last four digits in a photo editing application before submitting them with my expense report.
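The masking described above can also be applied to the text of a scanned receipt before it is filed. The following is an added example, not code from the original post: it finds Luhn-valid card numbers in receipt text and masks all but the last four digits. The receipt text is constructed, and the function names and the labelled-expiry layout are assumptions.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry is masked only when labelled, so the transaction date is left alone.
EXPIRY = re.compile(r"(?i)\b(exp[a-z .:]*)(?:0[1-9]|1[0-2])/\d{2,4}")

# Constructed receipt text (e.g. OCR output of a scan); the PAN is a test number.
SAMPLE = """\
MERCHANT: EXAMPLE CAFE
DATE: 03/09/2010  REF 1234567890123
CARD: 4111 1111 1111 1111
EXP: 12/12
TOTAL: 42.00
"""

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(raw):
    """Mask all but the last four digits, keeping the original separators."""
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. a reference number: leave untouched
    keep_from, seen, out = len(digits) - 4, 0, []
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

def scrub_receipt(text):
    """Return (scrubbed_text, number_of_full_PANs_found)."""
    found = 0
    def repl(m):
        nonlocal found
        masked = mask_pan(m.group(0))
        found += masked != m.group(0)
        return masked
    text = PAN_CANDIDATE.sub(repl, text)
    return EXPIRY.sub(r"\1**/**", text), found
```

A non-zero count from `scrub_receipt` also works as an audit signal that a terminal is still printing the full PAN.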

Cross-posted from PCI Guru

Ray Tan: Yeah, this is a big problem.
You can get the signature and PAN easily by getting the credit card receipts, the necessary information for fraud.
The banks are trying to fix it; however, I guess it should be fixed as soon as possible.

PCI Guru: I would like to agree with you that the banks are in the process of fixing it. But that is not the case based on my interactions with a number of large banks in Asia. They really do not want to discuss changes and PCI. It's as though they hope it will all go away. Card fraud is low in Asia because credit cards are few, except for tourists. However, as card use becomes more common, fraud will follow. One would think they would want to get ahead of the curve rather than behind it.

Ray Tan: Those young men around me always have more than 2 credit cards indeed; the biggest problem we are facing is the abuse of our privacy and sensitive information. As you know, when we apply for credit cards, open a bank/stock account, and now a SIM card, they always need our ID and other information; some of those service providers will sell our information to third parties and benefit from it.

PCI Guru: As a percentage of the population, credit cards are held by less than 7% of the population in China based on the last statistics I saw. Japan, South Korea and Taiwan lead but are still only in the high 30%, low 40% range. While cash is king in Asia, that is rapidly changing as you point out. And as that changes, fraud will rise with it.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
