Coffee with the Council Podcast: A Panel Discussion from Asia-Pacific Hosted by Yew Kuann Cheng
Hello everyone. Welcome to another edition of our podcast series, Coffee with the Council. Hello from very sunny Singapore. I just enjoyed my cup of coffee. Or locally we will say “Kopi Siew Dai” or “coffee with milk, with less sugar”. My name is Yew Kuann, and I’m the Regional VP for PCI Security Standards Council. My role involves driving engagements across Asia-Pacific, and I’m super excited about this very special edition of the podcast. Today I’m joined by three very amazing guests, and we will share a brief update of Asia-Pacific.
First, we have Aileen Liu, who is the director of PAX Technology’s Payment Technology Department. Now, PAX Technology is one of the largest POS solution providers in the world, and PAX is also a PCI Principal Participating Organization. They are a PCI Board of Advisor member as well. Aileen is the primary point of contact representing PAX in both groups.
Next, we have Gilbert Chu, who is the Chief Operating Officer for LGMS. They are a regional QSA and ASV or PCI Approved Scanning Vendor for short. It’s based out of Malaysia. Gilbert is a QSA professional, and an expert in IT security with more than 15 years of experience.
And last, and certainly not the least, we have Stuart Campbell, who is the Head of Customer Success and a key leader for Quasar Scan, a solution provider based in New Zealand. And they provide a tool that is able to discover sensitive data that is stored within your environment. Quasar Scan is also a PCI Associate PO.
Thank you so much for joining this podcast, Aileen, Gilbert, and Stuart. Let’s get started with a very simple question, first. Since this podcast is called Coffee with the Council, I’m enjoying my cup of coffee. Please share what is your favorite drink that you enjoy every morning? Let’s start with you first, Aileen.
Aileen Liu: That is a very good question. Nowadays in China, our go-to is the popular new style tea drink. You can call it an updated version of bubble tea, a sweetened tea-based beverage blended with milk, juice, and chewy tapioca. It’s also my team’s favorite, transforming our tea breaks into moments of pure enjoyment and relaxation.
Yew Kuann Cheng: That sounds very nice. How about you, Gilbert?
Gilbert Chu: I do accept a lot of coffee-types, but one thing that does stand out for me is Vietnamese coffee. So, I like the taste, as pure as it is. In fact, I know there’s a chance to go to Hanoi at the end of the year. There’s a PCI SSC event. Hopefully I can try the authentic one.
Yew Kuann Cheng: Nice. Stuart?
Stuart Campbell: Yeah, so I’m dialing in from sunny, but windy, Wellington, which is the coffee capital of New Zealand, I would probably say. And, allegedly, we have more cafes per capita, more than like New York does. So, it’s quite popular down here. I’m a bit boring. I’ll just drink a regular latte if I’m being good; a decaf, I suppose. Okay. That’s my drink.
Yew Kuann Cheng: Very safe, but very nice. Now, back to you Aileen. Can you share with the audience what’s the latest from PAX Technology and what are some of the toys that you are playing with these days?
Aileen Liu: I’m thrilled to share the latest developments from PAX Technology and our exciting journey in the world of Android SmartPOS. You can consider us as a dedicated contributor in the ever-evolving world of Android SmartPOS. Our commitment to innovation drives substantial investments in R&D with a clear goal of developing payment technologies that not only keep pace with the digital landscape, but also catalyze the success of businesses. For merchants considering the transition from legacy POS to Android SmartPOS, the benefits are numerous. It offers enhanced user-friendliness, regular updates, effortless customization, streamlined remote technical assistance, and support for various distribution models. Reflecting on the past year, we introduced a range of Android SmartPOS and Android EPOS products. It was all about adapting to the changing needs of the industry. The excitement extends beyond the present, as we quietly broaden our product lines, aiming to cater to the unique needs of diverse global segments. Our focus is on integrating cutting-edge technologies like 5G, eSIM and AI, all exemplifying our commitment to crafting greener solutions. We are adopting sustainable materials, greener battery technology, digital receipts, and eco-packaging.
Now, let’s talk about MAXSTORE, seamlessly connected to over 10 million devices globally, including PAX’s own devices, as well as a number of non-PAX devices. It’s not some flashy platform. It’s made for optimal device management, deployment of value-added applications, and rich business intelligence, which is a key differentiator in the market today. Each PAX Android SmartPOS model aims to simplify things for users. From application management to precise geolocation on maps, MAXSTORE empowers users with real-time insights. Approve, push, or delete applications on terminals, send diverse notifications to merchants, enable remote control assistance, and even create geo-fencing rings. As MAXSTORE evolves, it regularly introduces new features, aligning with the dynamic trends in Android SmartPOS technology, and navigating the ever-changing digital payment landscape.
Yew Kuann Cheng: Well, thanks for that update, Aileen. Now over to you Gilbert. So, you know, based on your years of experience supporting companies across Southeast Asia to safeguard and protect their infrastructure, you know, what is the latest of what you’re hearing? Any observations to share?
Gilbert Chu: Yes. There are lots of initiatives and also security programs that are happening here in APAC, but I think one thing to mention is definitely that a lot of the companies who are actually already within the PCI program or about to embark upon the PCI program, the majority of them are actually within the journey or going to start the Cloud journey, which is migrating their business processes – which involves credit card or debit card businesses – to the Cloud environment. So, this gives them a little bit of a challenge, or I would say some homework that they need to do because other than their local regulation, whether they go Cloud, you know, whether the sensitive data can go Cloud or not, they’re also taking care of these PCI perspectives by going Cloud.
What would be the risk or what would be the do’s-and-don’ts, you know? What are the causes that they need to adhere to while they’re planning their Cloud? For some of them who already decided to go Cloud, what kind of potential challenges or red flags do they need to look into? So, these are the common observations, not only in Southeast Asia, but in the entire APAC as well. So, with this, leads to the following challenges along the way. Because while they are actually migrating their environment to the Cloud, it has required them to have new skills or new knowledge to be trained. Because can they choose the right vendor or the right supplier or partner to work with them migrating the data to the Cloud? When you go to the Cloud, it will be a slightly different environment. I would say it’ll be quite a different environment for their existing in-house IT experts, because by then, they will be talking about, for example, like security hardening, configuration standards, access control, a firewall.
So, all of these common terms that they have been very used to in their own environment, they need to put that into the Cloud. At the same time, how do they ensure that they are still complying with PCI DSS and especially from 2023 onwards until this year? They also need to take care of the new version of PCI DSS v4.0. So, this actually gives them a bit of, I would say, challenges. A bit more homework to be done while they’re going through this Cloud journey. So again, this will lead to another set of challenges out of complying with the standards, which is the introduction of a lot of these new tools and new technologies. So, they’re always looking for tools, or I would say technologies, that can assist them to manage their security in a more efficient way, while at the same time, complying with the standards.
So, a majority of the time, I do observe that they are pretty reserved, or they are pretty safe while they’re evaluating certain security tools, especially when it comes to security. They do not know that, all right, maybe these tools or this technology can help them in securing an environment, but is this the tool that can help them to comply with the requirement or not? So, they are always sitting on the fence and there will be a big dilemma for them to evaluate. So, these three are the common standard points, based on my personal observation, throughout the entirety of that market.
Yew Kuann Cheng: Okay, thank you, so much for that, Gilbert. I mean, I completely agree with you and, you know, within the Council and together with many of our stakeholders from the PCI community, we are having many of those conversations to help guide the industry. And that is a very, very nice segue, to Stuart. So, Stuart, I remember a couple of months ago just before the holiday, you had shared some really interesting information about Quasar Scan. Can you please tell our audience more about data discovery? Why it is important, and also how can Quasar Scan help them?
Stuart Campbell: Yeah, absolutely. It’s kind of hard to believe that was a couple of months ago now, isn’t it? How time flies. So, we’ve been doing a lot of thinking, I suppose, recently around data discovery, specifically, Quasar Scan from our point of view and how it fits into a wider sustainable compliance program. There’re obvious benefits, I should say, when it comes to the world of data discovery. The first one off the bat you would generally think of, would just be compliance scans. It’s obviously a mature kind of consistent data discovery program or process. Having that in place really supports PCI compliance and specific requirements. To name a few, we’re talking about, in the new version 4.0 world, requirement 3.5.1, so around that storage of CHD; 4.2.1; as well as a couple in requirement 12, specifically 12.5.2, and things like that.
There’s some right off the bat compliance gains that can be made, which is really, really positive. But I suppose more importantly, what are kind of the high-level things it can do as part of a wider risk and assurance program? So that’s something we’ve spent a lot of time doing. So, what we can do is we can really spend a lot of good time validating and confirming scope, understanding where your vulnerabilities lie, where there’s any unprotected or unencrypted CDE is going to be super helpful as a starting point, which is very, very cool. We’re also going to provide some really good guidance and highlight problem areas pretty instantaneously. So, there might be a business process, not just a technological one, where we can identify some risks to begin with. It might be an engagement where customers are interacting with you and there’s some cardholder data being transferred, and it’s not always been happening or happening in places that you necessarily expect it to happen.
And then moving forward, it’s going to provide some really good ongoing assurance and enable kind of a mindset shift inside of an organization and how they’re treating this vulnerable data effectively. So, we’ve done a lot of work in the last couple of years really developing these programs. We call it a form of a managed assurance program. So, we’ll work with potentially a QSA company, a customer and their clients, ISA service providers, and we’ll develop a 12-month plan of data discovery and how it fits into their wider risk and assurance program. It might be the case where after our first assessment, we’re going to do some quarterly QSA checks that’s going to be supported by some vulnerability scanning, and we’re going to logically support that by quarterly scans across their environment, identifying instances of cardholder data, I should say.
And that kind of really supports the organization on an ongoing basis, which is very cool. The product itself, Quasar, is pretty exciting. So, we’ve got some really smart tech when it comes to proprietary weighted scoring system, weeding out false positives, and most importantly, really identifying vulnerabilities at their root cause level. So, we don’t want to just understand the problem at its surface level and then it resurfaces as it were, kind of three to four months later. We spend a lot of time with our customers and with our partners analyzing the data that we identify. So, we want to provide some guidance on a solution that is absolutely enduring. It might be a technology change. It could be decommissioning, storing a certain system in a different place. It could be changing a form. It could be doing some key customer training with your customer support teams.
We really want to create the fix, or enable you to create the fix, I should say, early. And then in three months’ time when we potentially have to re-scan a similar or the same system, the same vulnerability’s not going to be popping up again. The benefit, obviously at the end of the day for this kind of program is that at the end of your compliance year, it’s going to lead to a much more streamlined and effective PCI DSS compliance, or assessment I should say. So yeah, we’ve done a lot of thinking about that whole program view of what PCI looks like, how data discovery fits into that, how specifically Quasar Scan can really enable some effective data discovery practices and procedures in your organization and really kind of address and mitigate some risk over the long term. So yeah, that’s Quasar in a nutshell.
Yew Kuann Cheng: Thanks for that, Stuart. I think the key thing that resonated with me when you last shared with me the solution is how it supports the different stakeholders to continuously safeguard the environment, right, as opposed to a checkpoint that is done at a given point in time. So, thanks for sharing that. If I can stay with you, Quasar Scan has been a PCI Associate PO for a few years. So, PO stands for a Participating Organization. Thank you so much for being part of the PCI community and supporting the Council over all these years. Can you please share with our audience what are some of the benefits of being a PO that appeal to you?
Stuart Campbell: Yeah, no problem. So, it’s been really beneficial for us. I think it’s fair to say, a few years ago we really started our expansion journey. We’re still a relatively small organization, but we’re really starting to grow now, which is really, really pleasing from the bottom of the world as it were. So, becoming a PO was one of the first steps that we took, as an Associate PO. It was extremely helpful. It was kind of a low cost, high value opportunity to become part of a tightly knit community of experts, right from the outset. So obviously we get things like access to the PCI Document Library, we get to provide feedback, we get some really good networking opportunities and conversations with the likes of yourself there, Yew Kuann, in terms of some really key people in the world of payment security and PCI.
So that’s been really positive. It kind of provided us with an instant network where we were to really start to do some really good work and support some really cool organizations. To top it all off, we’ve had more of a presence at the Community Meetings over the last couple of years. So, it was really nice to meet up with a number of people at the back end of last year in Kuala Lumpur at the first APAC in-person meeting in a few years. Those events are really positive from my point of view. So, we get a few complimentary passes as part of being a PO, obviously. So, a couple of the team head over to that. It’s a really good networking opportunity. You can talk to vendors, you can talk to partners, potentially some QSAs, the schemes, the PCI SSC themselves. I’d probably just say we do a lot of listening from our point of view, understanding where the market is, how things are changing, what problems there are out there, and how we can potentially design our solutions to really go a long way towards solving some problems. We had a bit of good fun there last year, and we’re looking forward to attending some more of those sessions this year and really contributing towards it.
Yew Kuann Cheng: You shared very kind words, Stuart. Thank you so much for that. Now to our audience, the next PCI Asia-Pacific Community Meeting will be in beautiful Hanoi, as Gilbert mentioned, and it’ll be on the 20th and 21st of November. Well, the last event, as we alluded to, was in Kuala Lumpur in 2023, and we had over 360 registrations, and the large majority of these did attend in-person. And, what Stuart mentioned just now, it’s really a lot of fun to catch up with different stakeholders. You know, more often than not, you get really good advice and guidance as far as feedback depending on, you know, what sort of issues you may be facing, right? So, I hope all of you plan a trip to Hanoi at the end of the year, and I’m looking forward to seeing how many of you are there.
So, Gilbert, thank you again for being one of the key sponsors at the Community Meeting in Kuala Lumpur last year. We will see many interesting changes at the Council this year, including the sunset of PCI DSS v3.2.1 on 31st of March of this year. Can you share with us how has your conversation been with your clients about this transition and, you know, how are they reacting to PCI DSS v4.0?
Gilbert Chu: First of all, thank you very much, Yew Kuann and to the Council, that we can work together. During the recent event in Kuala Lumpur, last year, well, in fact just the event itself, there was a lot of conversation that is happening within the community. How is their experience to the entire PCI DSS v3.2.1? What sort of expectations? The majority of my customers are from various industries – how have they benefited from PCI DSS v3.2.1? Of course, a majority of them struggled at the very, very early stage, I mean, many years ago when they started off with the PCI DSS v3.2.1. But I think that along the way, when they got compliance, they continued to maintain the program. In fact, they themselves have actually captured how the program has given them a lot of benefits in terms of enhancing their entire corporate security program in cybersecurity.
So, with that as an example, I’m getting more excited for the majority of them who are quite familiar with the PCI DSS program. When they found out that this v4.0 is coming and it has been drafted, they were quite excited about it when v4.0 was introduced, and it’s going to be enforced officially soon, by end of March. So, what they have been pretty excited about here is that they see a lot more hands-on, and also very practical and also realistic kind of controls, I would say, controls or courses, when it comes to the introduction of v4.0. In short, they see it even closer to how they can actually jive in the entire PCI program together with the business objective, which is very important to them. So, this actually gives them a different type of height that can actually aim toward where they are designing their PCI program by riding on this v4.0. So, this is something that they are very excited about.
So of course, other than that, a majority of my customers show that, in terms of the introduction or changes – if there are any technical controls or process-related kind of controls that have been introduced along with the new version – some of them are actually very excited as well, especially to look to the PC community, what sort of solution, or I would say tools or technologies, can actually help them to meet the requirements. With a majority of these customers, there probably has been a struggle back in the old days whereby they needed to rely on a lot of manual approaches in order to meet compliance. So, when they get passed by, with new versions coming up, there is even clearer guidance. They’re very open to this new version. In fact, the people that have been talking with us about it, they’re going through this compliance program, these are the people all the way from the ground up working from the operation to the C levels. This is how they are actually looking forward to v4.0. So, I think the awareness and the needs of all these new requirements has given them a lot more appreciation for this new introduction.
Yew Kuann Cheng: And if I can jump in, Gilbert, you know, the part that I really love what you referred to just now was on the requirements being realistic, right? And that’s, I think, one of the benefits of being part of the PCI community where, you know, since you have to comply with the PCI DSS requirements in order to fulfill your legal obligations to the standards, you know, why not improve it, right? So that is such an important word, right? Because if the requirements are not realistic, the requirements are not relevant, it doesn’t help anyone because nobody can then meet that requirement. So, thanks for mentioning that. Now, if we can quickly move on to Aileen.
Aileen, you know, PAX Technology, you know, thank you again so much for being a PCI Principal PO and Board of Advisor member. You have been to many interesting countries to attend these meetings, but I remember that PAX Technology was also an Associate PO before. Can you please share, you know, how has being a Principal PO different now and what sort of benefits have you and your team found useful?
Aileen Liu: Yeah, sure. As you know, we have been an Associate PO for many, many years, and last year was our first year as a Principal PO, which is a more proactive role than Associate PO. We are able to participate in regular TGG online meetings and RRG face-to-face meetings with PCI leaders, industry experts, and payment brands. This deeper level of engagement allows us to strategically influence standards and provides oversight of draft standards before they are released for requests for comments. Whereas the Associate PO could only comment after the request for comments were released, as a Principal PO, we will also have a direct link to PCI SSC. For example, we can have online or offline meetings with PCI SSC executives to discuss specific technical and strategic questions. By having a seat at the table, we can bring our industrial, geography, and technical insights to the Council standards.
In addition, regular meetings provide valuable networking opportunities. These engagements not only facilitate knowledge sharing, but also faster collaboration and partnerships with other Principal POs and the Board of Advisors, as well as enabling us to stay updated on the latest changes and developments in the industry. These interactions often are set against the backdrop of beautiful locations such as Washington D.C., Chicago, and Dublin, with nice food and beautiful views providing a conducive environment for collaborative discussion and relationship building. The benefits of which extend beyond the boardroom, fostering a sense of community and a shared vision for the future of secure payment technologies. It’s really, really good as a Principal PO.
Yew Kuann Cheng: Thank you so much, Aileen. And I can see that you have embraced all of the acronyms already. So just for our audience, some of the acronyms that Aileen has clearly adopted already include RRG, which stands for Roadmap Roundtable Group. As well as TGG, Technology Guidance Group. And these two groups are mainly for the Principal POs. Where they serve different functions, where the RRG provides a forum for them to contribute strategic input and insights to the Council and our Executive Committee members. And the TGG is a more tactical group, right? So, a more tactical group that shares insights in a much shorter timeframe. And they also provide oversight as the standards are being drafted by the working groups, right? And this is before it goes out to Request for Comment, to all of the PCI community members. Okay. So, with that, thank you so much Aileen, Gilbert, and Stuart for sharing your insights from across Asia-Pacific in this podcast. And to our audience, thank you so much for taking the time to listen to this podcast. Do remember to subscribe to the podcast as well as our PCI Perspective blog to get the latest from the Council. So, with that, I’m signing off from Singapore.