Archive for the ‘Asia-Pacific’ Category

Filed Under (Asia-Pacific, Banking, Europe, Merchant, PCI DSS, PCI PIN) by Michael Dahn on June-30-2008

Rob Newby blogs about the statistics and studies on the adoption of PCI compliance in Europe, based on the data points from a Register article with the same focus.  The article states:

European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry’s Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ.

Rob points out that with a sample population of 65 data points:

… all I can conclude from this survey is that NetIQ customers are ignorant, which isn’t a great advert for them.

There’s a little bit of truth in both opinions (read the NetIQ comments on Rob’s blog). It is true that PCI adoption in Europe is slower than that of merchants in the USA, and Asia-Pacific is even further behind, but there is a very good reason for this.

You have to factor in that organizations such as APACS have been pushing Chip-PIN for many years now. France has had Chip-PIN implemented for the past six years. This is not to say that the risks are lower, but many different factors play a role.

European PCI DSS Adoption Factors

The first factor is that of education.  Whenever you talk with someone about PCI in Europe this is how the conversation goes:

“I’d like to talk with you about PCI DSS.”
“PCI DSS? What is that?”
“Well it has to do with credit card security…”
“Oh, I don’t need that, I have this Chip-PIN infrastructure.”

It’s hard to get merchants to accept that they cannot mitigate all the risk of storing credit card data simply by rolling out Chip-PIN terminals.

The second factor affecting merchant compliance in Europe is that in countries such as Spain and Italy a merchant will not have just one or two acquirers but more like 10-12 acquiring banks.  Since each bank only does 1/10 or 1/12 of that merchant’s business it’s a hard business proposition for one of them to take the first step forward and require the merchant to validate their compliance.  The risk is high that a merchant may simply drop that acquirer from their transaction processing channel.

Asia-Pacific PCI DSS Adoption Factors

Within the Asia-Pacific (AP) region, merchant adoption of PCI DSS has been slow due to the risk factors. Each country is different, but as a region the amount of fraud happening “in-country” is rather low. This means that the number of credit cards compromised and used fraudulently within S. Korea is very low. The fraud of note is that which is classified as “cross border” fraud. This is where a credit card compromised within the USA is then used fraudulently in Australia. Due to these fraud factors, and the historic emphasis on driving service provider compliance within the region, merchants are slower to the game.

That said, I was just in Australia and the number of QSA companies operating in the region is considerably higher both there and in Japan (two of the largest AP countries by transaction volume.)  This increase in auditors shows an increasing demand for compliance validation on behalf of merchants.  Articles that show the “slow” adoption are like trying to buy a car without looking under the hood.  You may look at an older Honda Civic and think you can beat it in a race, but not if it’s got a turbo-charged Acura engine under the hood.

I think the key thing to remember is that all merchants are at risk and that risk varies by industry, vertical, infrastructure, and so many other factors. I like Rob’s reminder that:

I am prepared to admit that the spotlight will be on the Tier 1 merchants in the first instance. However, it’s a bit like relying on everyone else being fatter to avoid heart disease, i.e. stupid.



Filed Under (Asia-Pacific, Europe, PCI DSS) by Michael Dahn on August-23-2007

Take note that the PCI DSS is available in multiple languages. Always be sure to check the PCI SSC website for updates on this.

Currently, the Security Audit Procedures are available in the following languages:

  • Chinese (Simplified)
  • Chinese (Traditional)
  • English
  • French
  • French Canadian
  • German
  • Japanese
  • Korean
  • Portuguese
  • Spanish

The French have always said that Canadians do not speak true French. I suppose this proves they are correct.



Filed Under (Asia-Pacific, Compliance, Credit Card Fraud, Merchant, PCI DSS) by Michael Dahn on May-18-2007

I just finished a two-week training tour in Australia, Japan, and Korea. It is a very interesting market with people asking lots of questions about PCI DSS compliance. The Asia-Pacific region has been active with Visa pushing for compliance of service providers for the past three years. This year there is a significant push to increase merchant compliance within the three major markets: Australia, Japan, and Korea.

These countries do not see as much fraud as in the United States, but that could change as companies in other global regions begin to secure their systems in the wake of the TJX compromise.

Australia is really taking hold as major merchants see PCI as a deterrent for credit card fraud. The networks for credit card transactions within Japan and Korea have shielded them from domestic credit card fraud, but international fraud is still a potential issue. To prevent this they are taking PCI seriously and starting projects that will position them in a compliant manner within the next 1-2 years.

This creates a kind of competition because once one company secures their systems to comply with PCI the hackers will move on to other less secure companies. You see this in all regions, where hackers are using more advanced methods of attack against fewer (non-compliant and non-secure) merchants and service providers.

Also, much like the European market, much of the fraud is e-commerce based, with much of that being the fraudulent use of international (or cross border) credit cards. One particular story from a merchant told of hackers using stolen credit cards to buy e-gold (or virtual-money) within online games and then selling it at a discount to other gamers. This is how they monetize the stolen credit cards.

This may seem like small potatoes, but remember that South Korea-based ICM is the organizer for the international World Cyber Games (WCG), where gamers from around the world compete for the world championship title and over $400k in cash! There are kids that practice day and night for the chance to be the best gamer in the world.

You can expect a surge in compliance levels within the Asia-Pacific over the next few years.



Filed Under (Asia-Pacific, Merchant) by Michael Dahn on May-7-2007

I’m in Sydney and Melbourne (Australia, aka. OZ) this week talking with merchants and they are less than happy with the communication they have received from their acquirers. Now this is only one side of the story, but the fact of the matter is that PCI is just now starting to gain momentum in Asia-Pacific.

As a result, many more merchants and service providers are being told they need to comply and are having to learn the ropes by themselves. This is the same path that companies in the USA went down a year or two ago (and many companies are still going down today). It is effectively ground zero, or day one, where all of the tough questions/lessons have to be learned. The key to succeeding with PCI is knowing who to ask and what to ask them.

Let’s say that your acquirer is not providing assistance, what do you do?

  1. Ask your QSA [PDF]
  2. Ask a card brand
  3. Ask PCI Answers ;)
  4. Ask in an online forum or Yahoo! user group
  5. Use the resources page, and the card association web sites.

There are a number of different resources. You need to use them.



Filed Under (Asia-Pacific) by Michael Dahn on April-27-2007

I’m in Paris for the next few days but then back again to the US for about 2 days before I get back on a plane to Sydney. (I tried to meet someone from Cybertrust who messaged me, but I don’t know if he will be available.) I’ll be on the road for the next 2 weeks in the Asia-Pacific region so I wanted to alert others in case you want to meet up for dinner/drinks.

I really enjoyed meeting Rob and Alix, his wife, in London which I never thought I would do. It’s such a great experience to meet everyone who writes and reads this blog.

Travel plans:

  • May 5-9 - Sydney, Australia
  • May 9-12 - Melbourne, Australia
  • May 12-16 - Tokyo, Japan
  • May 16-19 - Seoul, South Korea
