Asia, stop ignoring PCI compliance and take data security seriously
Is Asia as a region well-prepared to combat the threat of data breaches? Short Answer: No.
This much is evident when you look at some simple facts, like how only 23 out of 346 certified QSA companies service the Asia Pacific region, or how many credit card receipts in Asia are still printed with the customer's full PAN.
It comes as no surprise that when Asian companies are hit by data breaches, they are hit hard. In this study, 40% of the Asian companies surveyed reported significant losses from data breaches they had suffered in the past. South Korea alone accounted for four of the five top breaches worldwide and a total loss of 158 million records in the first quarter of 2014.
Just this month, 16 suspects were arrested in South Korea on charges of illegally distributing the personal records of 27 million online game players. The ringleader made off with roughly $390,000 from selling the data he stole.
So why aren't enough companies in Asia taking the looming threat of data breaches seriously? It could have something to do with the fact that only 7% of the data breaches which occurred in Q1 of 2014 came from the Asian region, dwarfed by the American region's sizeable 78% share of the data breach pie. Most of the high-profile cases we read about in the news take place in America or Europe, sporting brand names we recognise. For too many companies in Asia, data breaches feel like a distant problem, and safeguarding data figures low on their priority lists, staying true to the Chinese idiom '勤俭办企业 (Qín jiǎn bàn qǐ yè)', which encompasses the belief that businesses must be run diligently and thriftily.
This is a very dangerous mindset given history has shown that hackers always start with low-hanging fruit – Verizon reported that in 2012, 76% of data compromises they studied were achieved using low difficulty attack methods, which include password guessing and the like. If Asia lags too far behind the rest of the world in data security measures, the global cyber criminal community will turn its attention to Asian companies more voraciously, and for many, counter-action will come too late.
On the same note, PCI Guru wrote this excellent post 4 years ago, which is sadly still relevant today, about how backward Asia is in its view of credit card data security. In the article he lamented how an Asian business actually had to fight with its bank for the right to mask the customer PANs printed by its POS machines.
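Masking a PAN on a printed receipt, and checking printed output for PANs that slipped through unmasked, are both small pieces of code. The following is an added example written for this post, not code from PCI Guru, the merchant described above or any POS vendor. It assumes the PCI DSS masking rule of showing at most the first six and last four digits, and the sample receipt lines are constructed; the card number used is the standard "4111..." Visa test number, not a real account.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display on a receipt.

    Assumed policy (PCI DSS requirement 3.3): at most the first six and
    last four digits may be shown; everything else is replaced by '*'.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-shaped (13-19 digits)")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("policy allows at most first six and last four digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_unmasked_pans(lines):
    """Scan receipt/log lines and return (line_index, pan) for each
    PAN-shaped, Luhn-valid number printed in the clear.

    The Luhn check filters out order numbers and other long digit runs
    that merely look like card numbers."""
    hits = []
    for idx, line in enumerate(lines):
        for match in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((idx, digits))
    return hits


# Constructed sample receipt: one line still prints the full PAN.
SAMPLE_RECEIPT = [
    "MERCHANT COPY",
    "CARD: 4111 1111 1111 1111",   # unmasked test PAN
    "CARD: ************1111",      # correctly masked
    "ORDER: 1234567890123456",     # 16 digits but fails Luhn, so not a PAN
    "TOTAL: 1234.56",
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(mask_pan("4111111111111111", keep_first=6))
    print(find_unmasked_pans(SAMPLE_RECEIPT))
```

Running the scanner over a day's receipt spool or POS log files is a cheap control: a merchant that finds its own PANs in the clear can fix the terminal configuration before an assessor, or an attacker, finds them first.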
It's not all bad news for Asia, though: the region still trumps the US in terms of EMV adoption, having implemented the standard since 2004, while the major credit card brands have only recently pushed forward their EMV migration plans for the US.
Also on the positive side, a large data communications company, Pacnet, announced that it had achieved PCI DSS 2.0 certification across its Asia Pacific regional offices, a certification not often seen in the region. Interestingly enough, even after much digging there was no similar news available online, aside from the same few public announcements.
Of course, it is entirely possible that other companies are simply not advertising their PCI DSS compliance, to which we ask: why not? It's a great way to let customers know you're committed to making data security a business focus, without being specific about what your defenses are.
In just a matter of months, though, PCI compliance will be more strictly enforced than ever before. As stated in this previous blog post, failure to comply with PCI standards will result in recurring non-compliance fines, assuming the hackers don't get to you first: the average cost per compromised record for 2013-2014 is $213.
Do we really need more large-scale data breaches to happen in the region before companies start taking data security seriously? Many experts in the region we met at the MasterCard Risk Management Conference Series in KL seem to think so. It’s only a matter of time before someone in the region is hit by the metaphorical tsunami of data breaches, which will force companies in the region to take notice.
Our advice for Asian companies: Reconsider your priorities for data security and PCI compliance. The small sum saved by not taking action is easily dwarfed by the cost and consequence of a data breach. Don’t wait around to find out what that could mean – demonstrate PCI compliance early to protect your customers and your business.