How Cyber-Secure Is Japan, Really? That Question Answered, and More, at PCI Tokyo

A lot of the data breach stories we read about seem to focus on America. Even with cyber-attacks and threats against Sony Pictures, which lead to the Interview not making a theatrical release, felt more like an American story than a Japanese one.

Make no mistake, though: Japan faces a great deal of cyber-crime, even if we aren’t always reading about it.

A report by Trend Micro titled ‘The Japanese Underground’ showed that in 2014, the number of potential cybercrime cases went up a staggering 40%.

The financial damage from illegal online bank transfers in the same year totaled US$24 million.

Given that the e-commerce market in the APAC region is even more vibrant than in the entire NA, and that CNP fraud is the fastest rising type of fraud in the APAC region, it’s easy to see that if things don’t change, the future of credit card payment in Japan is grim.

Fortunately, things do look like they are about to change.

At the PCI Tokyo conference held two weeks ago, data security experts met to learn more about the state of data security in the region as a whole, as well as take part in discussions that could lead to solving the current data breach crisis.

One of the key takeaways from the conference is that Japan is actively working on making payments safe both for its residents as well as tourists. One of the reasons they are doing this is to prepare for the 2020 Tokyo Olympic and Paralympic Games, where they are expecting to see a gargantuan crowd of people shopping with their credit cards.

Methods they are employing include eliminating malicious merchants and increasing the number of EMV-enabled terminals used all over Japan.

Is the PCI Standard Working?

Interestingly enough, another common theme at the PCI event seemed to be the effectiveness of the standard, which comes under fire every time a company gets breached despite having attained PCI compliance.

The resounding opinion is that the reason many companies get breached despite meeting compliance standards is that they treat PCI compliance like Christmas; like security is a special thing you only pay attention to once a year during an audit.

Here are some of the key points raised by various speakers regarding the issue:

• PCI’s focus is preventing CNP data from being compromised, not preventing compromised CHD from being used.
• Of all the payment data breaches investigated in the last 10 years, not a single organization was found PCI DSS compliant at the time of the breach.
• Security is seeing the business value in using PCI compliance controls.
• PCI DSS can be a good pointer for other security goals
• The question is not what is safe or unsafe, but what is acceptable or unacceptable.
• It’s impossible to remove every risk, but it is possible to keep that risk at an acceptable level.

Ground Labs @ PCI Tokyo

As with every PCI conference, we at Ground Labs were busily showcasing our next-gen data security solutions, and it was great meeting a lot of QSAs that operate only in Japan.

We heard from them the usual horror stories we get all around the world, like how clients they audit still use the default network passwords.

Overall, we can definitely see Japan moving forward towards a more secure future, and we are excited to see the government create an environment where everyone feels safe paying with their credit cards.

And that’s only partially because the Japanese Yen coins weigh a little too heavy in our pockets for our liking.