Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI Adoption in Europe and Asia Pacific

June 30th, 2008 by admin Posted in Asia-Pacific, Banking, Europe, Merchant, PCI DSS, PCI PIN

Rob Newby blogs about the statistics and studies on the adoption of PCI compliance in Europe, based on the data points from a Register article with the same focus.  The article states:

European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry’s Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ.

Rob points out that with a sample population of 65 data points:

… all I can conclude from this survey is that NetIQ customers are ignorant, which isn’t a great advert for them.

There’s a little bit of truth in both opinions (read the NetIQ comments on Rob’s blog).  It is true that PCI adoption in Europe is slower than that of merchants in the USA, and Asia Pacific is further behind still, but there is a very good reason for this.

You have to factor in that organizations such as APACS have been pushing Chip-PIN for many years now.  France has had Chip-PIN in place for the past six years.  This is not to say that the risks are lower, but many different factors play a role.

European PCI DSS Adoption Factors

The first factor is that of education.  Whenever you talk with someone about PCI in Europe this is how the conversation goes:

“I’d like to talk with you about PCI DSS.”
“PCI DSS? What is that?”
“Well it has to do with credit card security…”
“Oh, I don’t need that, I have this Chip-PIN infrastructure.”

It’s hard to get merchants over the fact that they cannot mitigate all the risk of storing credit card data simply by rolling out Chip-PIN terminals.

The second factor affecting merchant compliance in Europe is that in countries such as Spain and Italy a merchant will not have just one or two acquirers but more like 10-12 acquiring banks.  Since each bank only does 1/10 or 1/12 of that merchant’s business it’s a hard business proposition for one of them to take the first step forward and require the merchant to validate their compliance.  The risk is high that a merchant may simply drop that acquirer from their transaction processing channel.

Asia-Pacific PCI DSS Adoption Factors

Within the Asia-Pacific (AP) region, merchant adoption of PCI DSS has been slow due to the risk factors.  Each country is different, but as a region the amount of fraud happening “in-country” is rather low.  This means that the number of credit cards compromised and used fraudulently within S. Korea is very low.  The fraud of note is that which is classified as “cross border” fraud: a credit card compromised within the USA is then used fraudulently in Australia.  Due to these fraud factors, and the historic emphasis on driving service provider compliance within the region, merchants are slower to the game.

That said, I was just in Australia, and the number of QSA companies operating in the region is considerably higher both there and in Japan (two of the largest AP countries by transaction volume).  This increase in auditors shows increasing demand from merchants for compliance validation.  Articles that show the “slow” adoption are like trying to buy a car without looking under the hood.  You may look at an older Honda Civic and think you can beat it in a race, but not if it’s got a turbo-charged Acura engine under the hood.

I think the key to remember is that all merchants are at risk and that risk varies by industry, vertical, infrastructure, and so many other factors.  I like Rob’s reminder that:

I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, it’s a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.

6 Responses to “PCI Adoption in Europe and Asia Pacific”

By NickD on Jul 1, 2008

    To be fair to Europe, most conversations with merchants about PCI go “I’d like to talk to you about PCI-DSS”, “Yes please, we’ve only received one communication from our bank about it, threatening us with fines. But when we ask them about PCI DSS they refuse to give us any information or advice about it.”

    As for Rob’s reminder, it’s very funny, but very wrong. Hackers will go after the bigger targets, so there is some value in being of less worth than other vulnerable parties. Heart disease isn’t an external threat with limited resources… unfortunately ;)

By Michael Dahn on Jul 1, 2008

    @NickD very good catch. I agree that being slightly less vulnerable than the next person will help you dodge attacks.

    I evangelize about the Attack Vector based Risk Management (AVRM) but it does have one flaw. The problem is that attacks are fluid and change often both on a micro scale and a macro scale. It’s important to stay aware and adjust your protection mechanisms to mirror those changes made in the attack landscape.

    Thanks for the feedback and let us know any other experiences you have about PCI compliance in Europe.

By Mervyn on Jul 1, 2008

    I believe one of the key reasons for the low adoption rate in Asia Pacific is the low awareness of PCI DSS. Asia is too huge and diverse in terms of the individual countries’ security maturity. When asked about PCI DSS, one would ask back “what is it? and who will be enforcing it?” Until now, I haven’t heard satisfactory and convincing answers to these questions…

By Andrew on Nov 13, 2008

    Everyone should be careful before taking NickD and Michael Dahn’s advice.

    A thief doesn’t care whether they steal 1x$10000 from the big guys or 100x$100 from the small guys.

By Michael Dahn on Nov 14, 2008

    @Andrew, I agree that the attackers do not care who they take the money from, but different companies will have different risks. For example, larger companies care mostly about protecting the thousands of numbers and sensitive authentication data, while smaller retailers worry about the smaller loss and if they are using a PA-DSS application.

    It’s all about perspective.

1 Trackback

Jul 10, 2008: PCI Blog - Compliance Demystified » Blog Archive » What percent complete is your PCI project?
