I recently spent two weeks in Asia and I have to say, from a PCI compliance perspective, Asia just does not get it.
I was doing my expense report, going through my receipts and converting them to US dollars and I could not get over the fact that almost every one of the credit card receipts had the full PAN on them along with my name and the expiration date.
As a result, I do not understand why hackers in China and other Asian countries are trying to hack banks and merchants when there is a wealth of credit card data sitting on almost every credit card receipt generated in their own back yard. Given what I saw while there, I am guessing that paper recycling centers and dumps would provide more credit card numbers than their hacking activities.
Asia is an interesting environment from a credit card perspective. In most cases there is only one acquiring bank in a country, or a very limited number of them. Acquiring banks mandate the use of their terminal. So, if you wish to accept credit cards for payment, you use your acquiring bank’s supplied terminal.
If you want integrated POS, the acquiring bank either supports only certain POS solutions or works with you and your POS solution vendor to provide you an interface to its terminal. So, if you are a merchant in Asia, you are not going to get a lot of options for your credit card terminals and how they operate.
As an example of what it is like in Asia, the client I was working with actually had to fight with their acquiring bank to get them to fix their credit card terminals so that they did not print the full PAN on their receipts. This client had to repeatedly argue with the bank to get the software in their terminals fixed so that the PAN was masked.
So, with the fix created, implemented and working, one would think that the acquiring bank would have rolled out this change to all their merchants. Yet you would be wrong. I saw the same terminals from this acquiring bank throughout my travels and they all printed the full PAN on their receipts. So much for security.
And it is a large portion of Asia, not just China. From the experience of my own travels and those of my business compatriots, this problem is in Taiwan, South Korea and Japan. Only in Singapore did I see receipts with masked PANs most of the time. There was an occasional receipt with a full PAN, but that was rare and usually with a very small merchant.
In questioning this situation, the rationale given is that credit cards have not penetrated Asian society yet. While this is very true with China, Vietnam and Thailand, this does not make sense for Taiwan, Japan and South Korea where credit card usage and penetration are very high.
So, the only real reason this can be going on is that fraud due to taking PANs off of receipts is not a problem – yet. Given the time it would take to fix every terminal in Asia, if I were an acquiring bank, I would be moving quickly to fix this issue before it becomes the major problem it will likely develop into.
Oh, and for the curious, since my company requires us to scan our receipts, I “erased” the PAN to the last four digits in a photo editing application before submitting them with my expense report.
Cross-posted from PCI Guru